Guest Inviter role - unexpected permissions


I added a user to the Guest Inviter role and was surprised to find out that they could also create Groups which is not what I was expecting. The docs state that this should not happen, https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...

Has anyone else noticed this?

1 Reply

Hi Dean,
Yes, I'm now playing around with the B2B AAD feature and the "Guest Inviter" role for a standard user. First of all, I find it very strange that when I delegate a task to a person in the environment, that person now needs to navigate to the Azure AD portal, which contains a lot of information I don't think they should, or need to, see. Why not a delegation page where this user can invite guests?
And yes, this user is also able to create groups. At least, at first the button was highlighted and therefore should be active, so I tested it, but no! The user gets the 4 fields that need to be filled in for group creation, but those are all greyed out.
Even more of a reason to develop a separate environment where delegated tasks can be done by limited administrators.
gr,

Ronald
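An added example, not from either poster, of the check a practitioner would run before concluding that the Guest Inviter role itself grants group creation. The role only adds the right to invite guests; whether an ordinary member user can create security groups or Microsoft 365 groups is governed by the tenant's default user permissions, which are on by default. The script below lists who holds the role and reads those two tenant-wide settings with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account can be granted the Directory.Read.All and Policy.Read.All scopes; the sign-in and output formatting are this example's own choices.

```powershell
# Added example (not code from the thread): audit why a Guest Inviter can create groups.
# Assumes the Microsoft.Graph PowerShell SDK and an account that can consent to these scopes.
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.Read.All" | Out-Null

# 1. Who currently holds the Guest Inviter role?
#    Get-MgDirectoryRole returns only roles that have been activated in the tenant,
#    so a $null result means nobody has ever been assigned it.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Guest Inviter'"
if ($null -eq $role) {
    Write-Output "Guest Inviter role has not been activated in this tenant."
} else {
    Write-Output "Guest Inviter members:"
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        ForEach-Object { "  " + $_.AdditionalProperties.userPrincipalName }
}

# 2. Tenant default: may *every* member user create security groups?
#    This is the "Users can create security groups" toggle in the portal's User settings.
$authz = Get-MgPolicyAuthorizationPolicy
$canCreateSecurityGroups = $authz.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
Write-Output "Members may create security groups: $canCreateSecurityGroups"

# 3. Tenant default for Microsoft 365 groups: the Group.Unified setting object.
#    If the object does not exist, the template default (creation allowed) applies.
$unified = Get-MgGroupSetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if ($null -eq $unified) {
    Write-Output "Members may create Microsoft 365 groups: True (no Group.Unified setting, template default)"
} else {
    $enable = ($unified.Values | Where-Object { $_.Name -eq 'EnableGroupCreation' }).Value
    Write-Output "Members may create Microsoft 365 groups: $enable"
}
```

If both tenant defaults are True, any member user, Guest Inviter or not, can create groups, and the role is not the cause; turn the default off (AllowedToCreateSecurityGroups = false via Update-MgPolicyAuthorizationPolicy, EnableGroupCreation = false in Group.Unified) and re-test with the delegated account. A greyed-out New Group form, as observed in the reply above, is what the portal shows when the relevant default is already off.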