Can't view/edit dynamic membership rules for Azure AD 365 dynamic group I created. Error code 403

I recently created my first dynamic 365 group in Azure. Defined the membership rules, then set up an MS Team based on the group. Confirmed in Teams that the membership was as I'd expect. Went back to Azure and added a new criterion to the dynamic membership rules. Confirmed that this was reflected correctly in Teams. All good so far. I now need to change the dynamic membership rules again, but I'm denied access! I can't view the current rules or edit them. The error message says "No access", "Resource ID - not available", and "Error code 403". One of my colleagues with full admin rights has tried to create a new dynamic 365 group and is unable to. Any ideas what's going on? How do we troubleshoot this?

7 Replies

This error message is indicating that the current user does not have the required permissions to access the Azure AD dynamic group. To troubleshoot this, check if the user has been assigned the correct role in Azure AD. Make sure the user has at least the "Global administrator" role or the "Cloud device administrator" role.
If the user still doesn't have the necessary permissions, check if there are any Azure AD policy restrictions in place that could be blocking access. You can do this by navigating to the Azure AD portal, going to the "Azure Active Directory" section, and looking for policies in place that might be blocking the ability to edit the dynamic group rules.

@LynnProspect 

Seems related to a permission issue; please check your IAM assignment.

Could you be more specific, please - where in the Azure admin centre should I look?
If I look at Roles and administrators I see that I am definitely a global administrator. I logged into https://aad.portal.azure.com/ and clicked through to Azure Active Directory. I see the overview page for our tenant, but I can't see anything labelled "Access control (IAM)". Any chance you could upload a screenshot showing where to find it, please?

Try using a different account with administrative permissions to see if that resolves the issue, or ensure that the Azure Active Directory service is functioning correctly and there are no known outages affecting the service.

Typing mistake, I was writing policies and instead wrote IAM, apologies.

@LynnProspect 

Dynamic group memberships have not been updated due to system delays. We’re working to resolve the issue.