Forum Discussion

Punit1991's avatar
Punit1991
Copper Contributor
Aug 12, 2022

Azure Dynamic group precedence

My question is 
Suppose there is a user A who is added manually in some group lets say testers.
and we have given some access to that group.
now we create a dynamic  group where we have added all users of that company so those testers are also included as this is dynamic group and it has some sorts of permissions. So in this A user is present.
So my question is user A will get precedence for which group ? and why

  • LainRobertson's avatar
    LainRobertson
    Silver Contributor

    Punit1991 

     

    The answer depends on the application itself, not Azure.

     

    Generally, you break things up into two components when talking about security:

     

    1. Authentication: Who can "log into" the application;
    2. Authorisation: What can they do (if anything) after they've logged in.

     

    Your question focuses on the second part - authorisation, where Azure is more focused on the first part. So, while your User A is part of both groups, how your application treats that person is up to the application itself, not Azure.

     

    To provide a very generic answer on how many Microsoft applications and platforms are structured, User A would usually have the sum of both sets of rights (i.e. the union) unless one of those was a deny right (since denying access typically trumps allowing access in Microsoft systems.)

     

    But other vendors may not have adopted this model meaning you really need to put this question to whoever owns the application. You won't get a definitive answer here since it's not an Azure-specific question - unless you're talking about a particular first-party Microsoft Azure product/service (in which case if you tell us which one, perhaps we can be more specific.)

     

    The distinction between a manual group and a dynamic group has no bearing on this question since User A will simply be a member of both, which can only begin to mean something when looking at how the application handles authorisation. Azure doesn't inherently care whether you're in no groups or a thousand groups.

     

    Cheers,

    Lain

Resources