Microsoft Tech Community

Guest Inviter role - unexpected permissions


I added a user to the Guest Inviter role and was surprised to find out that they could also create Groups, which is not what I was expecting. The docs state that this should not happen: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...

Has anyone else noticed this?

3 Replies

Hi Dean,

Yes, I'm now playing around with the B2B AAD feature and the "guest inviter" role for a standard user. First of all, I find it very strange that I delegate a task to a person in the environment who now needs to navigate to the Azure AD portal, which contains a lot of information I don't think this person should, or needs to, see. Why not a delegation page where this user can invite guests?
And yes, this user is also able to create groups. At least, at first the button was highlighted and therefore should be active, so I tested it, but no: the user gets the 4 fields that need to be filled in for the group creation, but those are all greyed out.
Even more of a reason to develop a separate environment to have delegated tasks done by limited administrators.

gr,

Ronald

@Dean Gross 

Hi Dean,

It is sad to see that this is still the case. There should be a dedicated UI for guest inviters. The role does still contain too many permissions.

-Thomas  

@Thomas Stensitzki I just verified this in my lab and when I have the AAD group settings to _not_ allow users to create security or M365 groups, the guest inviter role does _not_ provide that access.

I wonder if you could check your tenant settings under Groups > General and verify that the sliders are set to "No" for both security and M365 group creation by users.
Thanks!
JJ (MSFT employee)
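The tenant check JJ describes can be scripted instead of read off the portal sliders. The following is an added example (not code from the thread or from Microsoft) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed and the signed-in account can consent to Policy.Read.All and Directory.Read.All.

```powershell
# Added example: report whether ordinary users may create security and M365 groups.
# "Users can create security groups" lives in the authorization policy;
# "Users can create Microsoft 365 groups" lives in the Group.Unified directory setting.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All" -NoWelcome

# Security group slider: defaultUserRolePermissions.allowedToCreateSecurityGroups
$authPolicy = Get-MgPolicyAuthorizationPolicy
$usersCanCreateSecurityGroups = [bool]$authPolicy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups

# M365 group slider: EnableGroupCreation in the tenant-wide Group.Unified setting.
# If the setting object has never been created, the tenant default applies,
# which is that users may create M365 groups (hence the $true starting value).
$usersCanCreateM365Groups = $true
$unified = Get-MgGroupSetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($unified) {
    $raw = ($unified.Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
    if (-not [string]::IsNullOrEmpty($raw)) {
        $usersCanCreateM365Groups = [System.Convert]::ToBoolean($raw)
    }
}

$report = [PSCustomObject]@{
    UsersCanCreateSecurityGroups = $usersCanCreateSecurityGroups
    UsersCanCreateM365Groups     = $usersCanCreateM365Groups
}
$report | Format-List

# Both values should be False if the tenant is meant to restrict group creation,
# so that a Guest Inviter (or any other non-admin) cannot create groups.
if ($usersCanCreateSecurityGroups -or $usersCanCreateM365Groups) {
    Write-Warning "Group creation is still open to ordinary users; review Groups > General."
}
```

Running it before and after changing the sliders makes it clear whether group creation observed for a Guest Inviter comes from the role or from the tenant-wide default that applies to every member user.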