By default, unless a scope is specified during creation, workflows are managed by users who hold either the Lifecycle Workflows Administrator or the Global Administrator role. As workflows grow and change to meet the needs of members of your organization, so does the need to limit who can manage them. With delegated workflow management, you can scope management of workflows using administrative units. When a workflow is scoped, only the admins assigned to that scope are granted access to manage it. Scoping improves security within your environment by following Microsoft's least privileged access guidance: each admin is given access only to what they specifically need.
The following table shows the differences between the Lifecycle Workflows Administrator role and the scoped workflow administrator role in terms of Lifecycle Workflows capabilities:
| Capability | Lifecycle Workflows Administrator | Workflow Administrator |
|---|---|---|
| Create Workflow | Yes | No |
| Edit Workflow | Yes | Yes (only assigned workflows) |
| Custom Task Extensions | Yes | No |
| Delete Workflow | Yes | Yes (only assigned workflows) |
| Restore Workflow | Yes | Yes (only assigned workflows) |
| View workflow history | Yes | Yes (only assigned workflows) |
| Run Workflow on-demand | Yes | Yes (only assigned workflows) |
| Scope Workflows | Yes | No |
Prerequisites
Using this feature requires Microsoft Entra ID Governance or Microsoft Entra Suite licenses. To find the right license for your requirements, see Microsoft Entra ID Governance licensing fundamentals. You must also have at least one administrative unit within your tenant. For steps on creating an administrative unit, see Create an administrative unit.
Assign Lifecycle Workflows Administrator role to administrative unit
To delegate workflow management using administrative scopes, you must first assign the Lifecycle Workflows Administrator role to the administrative unit. To do so, follow these steps:
Tip
While the following steps walk you through setting the role for a specific user, you can set the role to a group within the administrative unit to delegate management within a scope to multiple users.
1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
2. Browse to Entra ID > Users.
3. On the users page, select the user you want to assign the admin scope to.
4. From the user overview page, select Assigned roles.
5. On the assigned roles page, select Add assignments.
6. On the add assignments page, select the following:
   - Select role: Lifecycle Workflows Administrator
   - Scope type: Administrative unit
7. On the Selected scope pane, select the administrative unit that your workflow will be scoped to, and select Next.
8. On the Setting tab, set the assignment as either Eligible or Active.
   Note
   The assignment must be active to take effect for users in the administrative unit.
9. Select Save.
Add administrative scopes to a new workflow
To add an administrative scope to a new workflow, set the administrative scope during workflow creation by following these steps:
1. Sign in to the Microsoft Entra admin center as at least a Lifecycle Workflows Administrator.
2. Browse to ID Governance > Lifecycle workflows > Create a workflow.
3. On the Choose a workflow page, select the workflow template that you want to use.
4. On the Basics tab, enter a unique display name, description, and administrative scope for the workflow, and then select Next.
5. Finish setting the execution conditions and tasks, and create the workflow.
Note
You can assign up to five administrative scopes per workflow.
Edit the administrative scopes of an existing workflow using the Microsoft Entra admin center
With the role assigned to admins over the administrative unit, you must edit the workflow so that it is assigned within the scope of that administrative unit. To edit the properties of a workflow so that it falls within an administrative unit's scope using the Microsoft Entra admin center, follow these steps:
1. Sign in to the Microsoft Entra admin center as at least a Lifecycle Workflows Administrator.
2. Browse to ID Governance > Lifecycle workflows > workflows.
3. On the list of workflows page, select the workflow whose administrative scopes you want to edit.
4. On the workflow overview page, select Administration Scope.
   Tip
   You can also select the Administration scope (Preview) card on the overview page to get to the administration scope page.
5. On the administration scope page, select Assign Administration scope.
6. From the administration scope pane, you can see the list of all administrative units in your tenant.
7. Select the administrative unit(s) you want to scope the workflow to.
8. Select Save.
Assign Lifecycle Workflows Administrator role to administrative unit programmatically
To assign Lifecycle Workflows admins to an administrative unit scope via API, you must have the following information:
- Lifecycle Workflows Administrator role ID: 59d46f88-662b-457b-bceb-5c3809e5908f
- Object ID of the user you want to assign the scope to
- Object ID of the administrative unit you want to assign
With this information, you can make the following API call:

```http
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
```

```json
{
  "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
  "principalId": "<Object ID of user>",
  "roleDefinitionId": "59d46f88-662b-457b-bceb-5c3809e5908f",
  "directoryScopeId": "/administrativeUnits/<Object ID of administrative unit>"
}
```
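The following added example (not part of this page or of Microsoft's own tooling) builds the request body above from a user and administrative unit ID, and also audits a list of existing unifiedRoleAssignment objects (the shape returned by a GET on the same endpoint) to flag Lifecycle Workflows Administrator assignments that are tenant-wide rather than scoped to an administrative unit. It assumes that a directoryScopeId of "/" denotes the tenant-wide scope; the sample assignments and the second role ID are constructed.

```python
import json
import re
import uuid

# From the page: the role definition ID and the Graph endpoint for role assignments.
LCW_ADMIN_ROLE_ID = "59d46f88-662b-457b-bceb-5c3809e5908f"
ROLE_ASSIGNMENTS_URL = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"

# Scope IDs of the form "/administrativeUnits/<GUID>" are AU-scoped; "/" is tenant-wide.
AU_SCOPE_RE = re.compile(r"^/administrativeUnits/([0-9a-fA-F-]{36})$")


def _check_guid(value, name):
    """Reject malformed IDs before they reach the request body."""
    try:
        uuid.UUID(value)
    except (ValueError, TypeError, AttributeError):
        raise ValueError(f"{name} must be a GUID, got {value!r}")
    return value


def build_scoped_assignment(principal_id, admin_unit_id):
    """Return the unifiedRoleAssignment body granting Lifecycle Workflows
    Administrator to one principal, scoped to one administrative unit."""
    _check_guid(principal_id, "principal_id")
    _check_guid(admin_unit_id, "admin_unit_id")
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "principalId": principal_id,
        "roleDefinitionId": LCW_ADMIN_ROLE_ID,
        "directoryScopeId": f"/administrativeUnits/{admin_unit_id}",
    }


def find_tenant_wide_assignments(assignments):
    """Return Lifecycle Workflows Administrator assignments whose scope is not
    an administrative unit (least-privilege audit over GET results)."""
    return [a for a in assignments
            if a.get("roleDefinitionId", "").lower() == LCW_ADMIN_ROLE_ID
            and not AU_SCOPE_RE.match(a.get("directoryScopeId", ""))]


# Constructed sample data, not real tenant objects.
SAMPLE_ASSIGNMENTS = [
    {"id": "a1", "principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionId": LCW_ADMIN_ROLE_ID,
     "directoryScopeId": "/administrativeUnits/22222222-2222-2222-2222-222222222222"},
    {"id": "a2", "principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionId": LCW_ADMIN_ROLE_ID, "directoryScopeId": "/"},
    {"id": "a3", "principalId": "44444444-4444-4444-4444-444444444444",
     "roleDefinitionId": "00000000-0000-0000-0000-00000000ffff",  # some other role (constructed)
     "directoryScopeId": "/"},
]

if __name__ == "__main__":
    print("POST", ROLE_ASSIGNMENTS_URL)
    print(json.dumps(build_scoped_assignment("11111111-1111-1111-1111-111111111111",
                                             "22222222-2222-2222-2222-222222222222"), indent=2))
    for a in find_tenant_wide_assignments(SAMPLE_ASSIGNMENTS):
        print("tenant-wide Lifecycle Workflows Administrator assignment:", a["id"], a["principalId"])
```

Assignment a2 is the one a reviewer would question: it grants the role over every workflow in the tenant rather than only the workflows scoped to an administrative unit.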
View the administrative scopes of a workflow using the Microsoft Entra admin center
When managing workflows, it's important to see which administrative scopes they fall under, because that tells you who can manage each specific workflow. To see the administrative scopes of a workflow, follow these steps:
1. Sign in to the Microsoft Entra admin center as at least a Lifecycle Workflows Administrator.
2. Browse to ID Governance > Lifecycle workflows > workflows.
3. On the workflow list screen, the number of scopes assigned to each workflow is shown under the Administration scope assigned column.
4. Select the number in the column to see the list of scopes assigned to that workflow.
Remove the administrative scopes of a workflow using the Microsoft Entra admin center
Administration scopes can be removed from a workflow at any time. To remove an administrative unit scope from a workflow, follow these steps:
1. Sign in to the Microsoft Entra admin center as at least a Lifecycle Workflows Administrator.
2. Browse to ID Governance > Lifecycle workflows > workflows.
3. On the list of workflows page, select the workflow that you want to remove an administrative scope from.
4. On the workflow overview page, select Properties.
5. Under properties, select Administrative Scope.
6. From the administrative scope pane, you can see the list of all administrative scopes of the workflow.
7. Select the administration scope you want to remove the workflow from.
8. Select Save.
Edit the administrative scopes of a workflow using Microsoft Graph
To edit the administrative scopes of a workflow via API using Microsoft Graph, see: Update workflow.
View the administrative scopes of a workflow using Microsoft Graph
To view the administrative scopes of a workflow via API using Microsoft Graph, see: Update workflow.
Remove the administrative scopes of a workflow using Microsoft Graph
To remove the administrative scopes of a workflow via API using Microsoft Graph, see: Update workflow.