Forum Discussion
Hidden Group and Hidden Group Membership
Hi everyone!
I have come across a requirement where the client would like to use an Excel spreadsheet, a service account and an application registration to manage group membership for a confidential group.
They would like to create a group from which the members cannot leave, cannot see other team members, and cannot see the group itself.
Now, I have the concept of the flow with me but for the life of me, I cannot get around to finding/configuring a group that meets the requirement.
Have you guys come across this sort of scenario?
Group Configuration:
- Users should not be able to view the group
- Users should not be able to view members of the group
- Users should not be able to leave the group
Thanks in advance.
4 Replies
How about this:
- Excel Spreadsheet: Use an Excel spreadsheet to manage the group membership. You can create a list of members and their details in a hidden sheet. To hide a sheet, right-click on the sheet tab and select "Hide". To unhide it, right-click on any sheet tab and select "Unhide".
- Service Account: Use a service account to manage the group membership. This account can be used to run scripts or automation tasks that update the group membership based on the Excel spreadsheet.
- Application Registration: Register an application in your Azure Active Directory (AAD) to manage the group membership. This application can be granted the necessary permissions to read and update group memberships.
- Group Configuration:
- Hidden Group: To create a hidden group, you can use Azure Active Directory (AAD) to create a security group and set its visibility to "HiddenMembership". This will hide the group membership from non-members.
- Prevent Leaving the Group: To prevent users from leaving the group, you can use a combination of AAD policies and PowerShell scripts to enforce group membership. For example, you can create a script that periodically checks the group membership and re-adds any users who have left the group.
- Automation: Use PowerShell scripts or Azure Logic Apps to automate the process of updating group membership based on the Excel spreadsheet. These scripts can be scheduled to run at regular intervals to ensure that the group membership is always up-to-date.
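Putting the steps above together, here is an added example (not code from the original reply) in PowerShell with the Microsoft Graph PowerShell SDK: it authenticates as the app registration with a certificate, reads the member list from a CSV export of the spreadsheet, and reconciles the group's membership so anyone who left is re-added and anyone not on the sheet is removed. One caveat the example bakes in: `HiddenMembership` can only be set on Microsoft 365 (Unified) groups and only when the group is created, so the script creates that kind of group on first run rather than a security group. Tenant ID, client ID, certificate thumbprint, CSV path, column name and group name are placeholders, not values from the thread.

```powershell
# Added example: reconcile a HiddenMembership group from a CSV exported from the spreadsheet.
# Modules: Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Users
# The app registration needs Group.ReadWrite.All and User.Read.All application permissions (admin consented).
# Every ID, path and name below is a placeholder (assumption), not a value from the original post.
param(
    [string]$TenantId       = '00000000-0000-0000-0000-000000000000',
    [string]$ClientId       = '11111111-1111-1111-1111-111111111111',
    [string]$CertThumbprint = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01',
    [string]$CsvPath        = 'C:\Confidential\members.csv',   # the Excel sheet saved as CSV, column "UserPrincipalName"
    [string]$GroupName      = 'Confidential-Project'
)

# Certificate-based auth as the app registration: no user password is stored with the scheduled task.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertThumbprint -NoWelcome

# HiddenMembership is only valid for Microsoft 365 (Unified) groups and only at creation time,
# so create the group with that visibility on first run instead of trying to change it later.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$true `
        -MailNickname ($GroupName -replace '[^a-zA-Z0-9]', '') `
        -SecurityEnabled:$false -GroupTypes @('Unified') -Visibility 'HiddenMembership'
}

# Desired state: object IDs of every UPN listed in the sheet. Unknown UPNs are reported, not silently dropped.
$desired = @{}
foreach ($row in Import-Csv -Path $CsvPath) {
    $upn = $row.UserPrincipalName.Trim()
    if (-not $upn) { continue }
    $user = Get-MgUser -UserId $upn -Property Id -ErrorAction SilentlyContinue
    if ($user) { $desired[$user.Id] = $upn } else { Write-Warning "Not found in tenant: $upn" }
}

# Current state: direct members of the group.
$current = @{}
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $current[$_.Id] = $true }

# Re-add anyone who left (or was never added) and remove anyone not on the sheet,
# so the spreadsheet stays the single source of truth.
foreach ($id in $desired.Keys) {
    if (-not $current.ContainsKey($id)) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $id
        Write-Host "Added   $($desired[$id])"
    }
}
foreach ($id in $current.Keys) {
    if (-not $desired.ContainsKey($id)) {
        Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $id
        Write-Host "Removed $id"
    }
}

Disconnect-MgGraph | Out-Null
```

Run it from a scheduled task under the service account, which only needs read access to the certificate's private key and the CSV. Note that this is enforcement by convergence, not prevention: a member who leaves is outside the group until the next run, so the schedule interval is the window you are accepting. Keep the CSV itself access-controlled, since it is now the confidential list in plain text.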
Hidden and Private groups hide the members from non-members. However, I am looking for a solution in which the members of the group cannot see other members, as it is a confidential group. It is only necessary for grouping them, not for collaboration.
Hope you understand the requirement.
- aism
Microsoft
When "only necessary for grouping", you already have your Excel, where they are grouped, right?
I am not kidding: when you don't need many of the default features of an AD or Entra ID group, then why not use a different kind of group?
Your requirements can easily be fulfilled when you just manage the group in Excel, in a SharePoint list or in a database.
The question is, does this group need to be able to do anything?
If e.g. the members of this group need to have access anywhere, then you could use your service account to run scripts that repeatedly check all the places where the members should be granted access and ensure that only the group members are set there.
Please be aware that, depending on where you grant access, users can sometimes see who else has access.
To make it more weird and complex, just to fulfill the business requirement, you could create cryptic groups (e.g. named with just a GUID), where each group has only one of these group members as a member, and non-members cannot see the members of these groups.
After this, you can either grant all these cryptic groups the permissions directly, wherever the group members should be granted access, or, if nesting is allowed, you can put these cryptic groups into a parent group and then grant access to the parent group.
This is not the usual way to use groups, but maybe this fits your requirements.
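The one-member-per-cryptic-group layout described above, as an added PowerShell example with the Microsoft Graph PowerShell SDK (not code from the reply): for every UPN in a CSV export of the spreadsheet it creates a security group whose display name is just a new GUID, adds that single user, and nests the group into a parent security group that is the thing you grant access to. It assumes you have already run `Connect-MgGraph` as the app registration with `Group.ReadWrite.All` and `User.Read.All`; the CSV path, column name and parent group name are placeholders. The example only builds the structure; whether other users can read a given group's membership is governed by your tenant's settings and is not something the script changes.

```powershell
# Added example: one GUID-named security group per member, nested into a parent security group.
# Modules: Microsoft.Graph.Groups, Microsoft.Graph.Users. Connect-MgGraph must already have been called
# (e.g. with -TenantId/-ClientId/-CertificateThumbprint as the app registration).
# The CSV path, column name and parent group name are placeholders (assumptions).
param(
    [string]$CsvPath         = 'C:\Confidential\members.csv',   # column "UserPrincipalName"
    [string]$ParentGroupName = 'Confidential-Parent'
)

# The parent is an ordinary security group; it is the only object you ever put on an ACL.
$parent = Get-MgGroup -Filter "displayName eq '$ParentGroupName'"
if (-not $parent) {
    $parent = New-MgGroup -DisplayName $ParentGroupName -MailEnabled:$false `
        -MailNickname ([guid]::NewGuid().ToString('N')) -SecurityEnabled:$true
}

# Direct members of the parent that are groups: the per-user groups created on earlier runs.
$childGroups = Get-MgGroupMember -GroupId $parent.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

foreach ($row in Import-Csv -Path $CsvPath) {
    $upn  = $row.UserPrincipalName.Trim()
    if (-not $upn) { continue }
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "Not found in tenant: $upn"; continue }

    # Skip users who already have their own child group (idempotent on re-runs).
    $existing = $childGroups | Where-Object {
        (Get-MgGroupMember -GroupId $_.Id -All | Select-Object -ExpandProperty Id) -contains $user.Id
    }
    if ($existing) { continue }

    # The GUID is only a unique label; it deliberately carries no hint about the user or the purpose.
    $name  = [guid]::NewGuid().ToString()
    $child = New-MgGroup -DisplayName $name -MailEnabled:$false `
        -MailNickname ($name -replace '-', '') -SecurityEnabled:$true
    New-MgGroupMember -GroupId $child.Id  -DirectoryObjectId $user.Id    # the single member
    New-MgGroupMember -GroupId $parent.Id -DirectoryObjectId $child.Id   # nest into the parent
    Write-Host "Created $name for $($user.UserPrincipalName)"
}
```

Two things to check before relying on this: not every workload expands nested security groups when evaluating access, so test the parent group against each target resource, and the membership check above makes one Graph call per existing child group for every user in the sheet, which is fine for a handful of members but worth caching for a large list. Removing a user means deleting their child group (`Remove-MgGroup`), which this script leaves to you so that a typo in the sheet cannot wipe out groups on its own.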