Introducing the Groups Admin Role
Today, we are thrilled to announce that the Groups admin role in Azure Active Directory (Azure AD) is now generally available. This new Azure AD role lets you perform group management tasks for Office 365 groups and Azure AD security groups without requiring Global administrator permissions.
Users with the Groups administrator role can use the Microsoft 365 Admin center, the Azure portal and other methods to create, edit, delete, and restore groups, and manage Office 365 Groups policies (example - creation, naming, and expiration policies).
Figure 1 - Managing Groups in the Microsoft 365 Admin center
Figure 2 - Managing Groups in the Azure portal
You can provision the Groups admin role using Azure AD PowerShell:
```powershell
# The install step only needs to be completed once per machine
Install-Module -Name AzureAD

# Connect with an account that holds a privileged role (e.g. Global administrator)
Connect-AzureAD

# Get the user to be assigned the role. -ObjectId accepts a UPN, so replace
# foo@contoso.com with the user's UPN; the call fails if no such user exists.
$roleMember = Get-AzureADUser -ObjectId "foo@contoso.com"

# Role template Id of the Groups administrator role
$roleTemplateId = "fdd7a751-b60b-444a-984c-02652fe8fa1c"

# Enable the role for the tenant if it has not been enabled yet. Enabling an
# already-enabled role returns an error, so look it up first instead.
$newRole = Get-AzureADDirectoryRole -Filter "roleTemplateId eq '$roleTemplateId'"
if (-not $newRole) {
    $newRole = Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplateId
}

# Add the user to the role, using the object Ids returned above
Add-AzureADDirectoryRoleMember -ObjectId $newRole.ObjectId -RefObjectId $roleMember.ObjectId
```
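Assigning the role is half of the job; a least-privilege rollout also needs a way to see who holds it and to take it away again when it is no longer needed. The script below is an added example, not code from the original post or from the AzureAD module documentation. It assumes an existing Connect-AzureAD session with permission to read and modify directory role membership, and the UPN in the removal call is a placeholder.

```powershell
# Added example: review membership of the Groups administrator role and
# remove an assignment. Assumes Connect-AzureAD has already been run with
# sufficient privileges; "foo@contoso.com" below is a placeholder UPN.

$groupsAdminTemplateId = "fdd7a751-b60b-444a-984c-02652fe8fa1c"

function Get-GroupsAdminMember {
    # Returns one row per principal assigned to the Groups administrator role.
    # A role that was never enabled in the tenant has no object yet, so
    # return an empty list rather than failing.
    $role = Get-AzureADDirectoryRole -Filter "roleTemplateId eq '$groupsAdminTemplateId'"
    if (-not $role) { return @() }
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
        [pscustomobject]@{
            DisplayName       = $_.DisplayName
            UserPrincipalName = $_.UserPrincipalName   # empty for non-user members
            ObjectType        = $_.ObjectType          # User, ServicePrincipal, ...
            ObjectId          = $_.ObjectId
        }
    }
}

function Remove-GroupsAdminMember {
    # Removes a single user from the role, e.g. after an access review.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $role   = Get-AzureADDirectoryRole -Filter "roleTemplateId eq '$groupsAdminTemplateId'"
    $member = Get-AzureADUser -ObjectId $UserPrincipalName
    Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $member.ObjectId
}

# List current holders. Anything that is not a User (for example a
# ServicePrincipal) deserves a second look during the review.
$members = Get-GroupsAdminMember
$members | Format-Table DisplayName, UserPrincipalName, ObjectType
$members | Where-Object { $_.ObjectType -ne 'User' } |
    ForEach-Object { Write-Warning "Non-user principal holds Groups admin: $($_.DisplayName)" }

# Example removal (placeholder UPN):
# Remove-GroupsAdminMember -UserPrincipalName "foo@contoso.com"
```

Run the listing on a schedule or after each assignment; the role template Id is stable across tenants, so the same script works everywhere the role has been enabled.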
Limitations
There are a few limitations that we are looking to address soon:
- The admin role is designed mainly for Office 365 groups and cannot manage other group types like distribution groups, mail-enabled security groups or shared mailboxes.
- This role cannot be used to update a Group’s email address or modify external mail or mail delivery options in the Microsoft 365 admin center.
- A Groups admin cannot use Exchange PowerShell cmdlets to manage Office 365 Groups.
- A Groups admin cannot manage audit logs, access reports, or guest settings.
We would love to hear your feedback or suggestions. Leave a comment here or reach out to us on UserVoice.