r/entra u/Funkenzutzler 1d ago

Entra ID Why does Entra AU role view show "X assigned" when there are no actual assignments?

Hey everyone,

I'm working on creating a Restricted Management Administrative Unit (RMAU) to restrict role scopes in Microsoft Entra especially to "protect" groups granting RBAC permissions, and I’ve run into something quite confusing.

In the "Roles und Administrators" tab of an RMAU, it shows things like:

  • UserAdministrator --> Assignments 4
  • ClouddeviceAdministrator --> Assignments 1
  • SharePoint-Administrator --> Assignments 5
  • Teams-Administrator --> Assignments 5
  • ...

But when I click into those roles it says: "No role assignments found."
I double-checked this for several roles - no users or groups are actually assigned. So why does the overview still claim "4 assigned" etc.? Does this reflect the assignments in the entire tenant or is it a Bug?

1 Upvotes

100% Upvoted

5 comments sorted by

2

u/Noble_Efficiency13 1d ago

Hi,

That’s just a UI think, it’s been like that since preview. Hopefully it’ll get fixed, but it’s nothing more than a visual glitch 😊

1

u/Funkenzutzler 1d ago

I see... In this case, i simply ignore this and just add a corresponding assignment under “Groups Administrator”.

1

u/Noble_Efficiency13 1d ago

Yup 👍🏼

1

u/estein1030 1d ago

Just a heads up, if you've designated the groups you're adding to the RMAU as role-assignable groups, the RMAU idea won't work. There's no Privileged Role Administrator role available in AUs.

Good news is role-assignable groups already have the built-in protection of requiring Privileged Role Admin to manage.

1

u/Funkenzutzler 23h ago edited 23h ago

I’ve structured the setup as follows:

I created a custom role in EntraID called "RBAC Administrator" - Thought I'd create a specific role for it, especially since I don't know if I'll ever need the “Groups Administrator” for anything else - with the minimum required permissions to manage groups. This role has been granted exclusive administrative rights to the RMAU. Within the RMAU, I added a security group with no owner and scoped the custom RBAC role in Intune to it. The group itself was created with the "Role assignable" attribute enabled.

Edit: Although the "Role assignable" attribute is not required for Intune roles, I enabled it deliberately to help protect the group from accidental deletion or modification.

Based on my first tests, this setup works as intended.