Azure AD Roles are being overwritten by Microsoft 365 Roles

  • Question

  • If you add a user role from the Azure AD portal and then make changes to user roles using the Microsoft 365 portal, once you apply them they remove the roles given from Azure AD.

    To test this:

    1. From the Azure AD portal, add Application Administrator to a user (Directory Role).
    2. Switch over to the Microsoft 365 portal and edit the user's roles (User > Account blade > Roles).
    3. Uncheck and check a role and save (you don't have to add or remove anything, just make a change so you can save).
    4. Switch back to Azure portal - Application Admin is gone.

    Not all roles in Azure AD are available in the Microsoft 365 portal (this is understandable), but it seems that they take precedence over Azure AD (or the back-end command is doing a complete overwrite of permissions and not an add).

    Tuesday, December 4, 2018 2:24 PM

Answers

  • So they're working on fixing this, and some other related issues. It might take a while, given the scale of O365, but hopefully we will not get proper support for all AAD roles and multiple role assignments.
    Saturday, December 8, 2018 7:46 AM

All replies

  • Yup, I can confirm that. It seems that they don't "add" but "replace" all the roles, so anything not recognized by the O365 portal gets stripped. And it gets worse: if you have multiple roles assigned, it switches to the "custom" mode and it might end up stripping roles such as GA. That's some proper QA I tell you :)

    Let me ping a few folks on this...

    Tuesday, December 4, 2018 7:34 PM
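
The "replace" versus "add" behaviour described in this thread, modelled as an added example that is not part of the original posts and is not Microsoft code. It also shows a snapshot comparison that flags roles a user lost without anyone asking for the removal. The set of roles the Microsoft 365 portal recognizes (`PORTAL_KNOWN`) and the user name are constructed assumptions.

```python
# Constructed model of the behaviour reported in this thread; not Microsoft code.
# PORTAL_KNOWN is an assumed subset of roles, chosen for illustration only.
PORTAL_KNOWN = {"Global Administrator", "Billing Administrator", "User Administrator"}

# Constructed sample snapshot: user -> directory roles assigned before the portal edit.
BEFORE = {"alice@contoso.example": {"Application Administrator", "User Administrator"}}

def portal_save_replace(current, ticked):
    """Replace semantics as reported: the stored set becomes exactly what was ticked."""
    return set(ticked)

def portal_save_merge(current, ticked):
    """Add semantics: only roles the portal can display change; the rest are kept."""
    return (set(current) - PORTAL_KNOWN) | set(ticked)

def stripped_roles(before, after):
    """Compare two snapshots {user: set(roles)} and return the roles each user lost."""
    lost = {}
    for user, roles in before.items():
        gone = set(roles) - set(after.get(user, set()))
        if gone:
            lost[user] = gone
    return lost

def silent_removals(lost, intended):
    """Keep only lost roles that no administrator intended to remove."""
    report = {}
    for user, gone in lost.items():
        silent = gone - intended.get(user, set())
        if silent:
            report[user] = sorted(silent)
    return report

def run_demo(save):
    """Untick and re-tick 'User Administrator' for every user, then diff the snapshots."""
    after = {u: save(r, {"User Administrator"}) for u, r in BEFORE.items()}
    # No removal was intended, so anything lost is reported.
    return silent_removals(stripped_roles(BEFORE, after), intended={})

if __name__ == "__main__":
    print("replace:", run_demo(portal_save_replace))
    print("merge:  ", run_demo(portal_save_merge))
```

In practice the two snapshots would be exports of directory role memberships taken before and after an edit in the Microsoft 365 portal.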