Enable External Users to manage group membership on Azure AD

Iron Contributor

Hi,

We have a requirement to allow some external Guest Users in our Azure AD to manage the membership of certain Groups in our Azure AD domain. The requirements are:

  • Only specified Guest Users can manage only specified groups
  • Ideally the changes they make are enacted immediately
  • A full audit trail of their changes is available

 

I am wondering if the "Ask a sponsor to review a guest's access to an application" option detailed on the "Manage guest access with Azure AD access reviews" page (see: https://docs.microsoft.com/en-gb/azure/active-directory/governance/manage-guest-access-with-access-r...) may meet this requirement?

  • Can you have an external Guest User as the sponsor?
  • Are they only able to enact changes based on be triggered with a review request, or can they initiate changes themselves?
  • Are the results of their Access Reviews immediately automatically enacted, or does this require review and implementation by a tenant admin?

 

Our other option is to code a control to provide this management, and use GraphAPI calls to make the membership changes. Would be very interested if anyone has any ideas on this, or if there are any other options we have overlooked to meet these requirements.

 

thankyou!!

0 Replies