Sep 16 2016 03:56 AM
Sep 16 2016 03:56 AM
Can it really be true that a full blown global admin role is needed for 365 group management?
We have enabled the Azure AD policies to disable group creation for all but a few, hence we want certain admins to handle group creation until we get a proper lifecycle and governance model in place.
But at the same time we dont want to delegate higher rights than needed, eg. avoid assigning global admin just to manage groups.
Sep 17 2016 09:13 AM
You do not need to be a global administrator to create Office 365 Groups. However, you do need to be on the permitted list specified in the AAD policy for Office 365 Groups to create groups (https://thoughtsofanidlemind.com/2016/06/07/controlling-the-creation-of-office-365-groups-using-an-a...). The people on that list only need to have a valid Office 365 account.
However... some workloads do not yet respect the AAD policy... so it's wise to make sure that you also enable the old OWA mailbox policy block generally and assign an amended policy that allows users to create groups to those who need to do so.
In short, no admin permissions required - but admins have to set up the policy and apply that policy to ensure that the right thing is done.
Sep 18 2016 11:36 PM
thanks for the reply, however i might not have expressed myself good enough. :)
The lockdown of creation incl. an override group is in place, as is the OWA policy also.
What im after though is slightly different, namely i want a few select admins / service desks to be able to use the admin panel in O365 to create / manage groups.
I dont want to have them creating the group for end users using the "end user" way, but instead by using the Admin panel, to avoid having them also being part of the group by default after creation.
My logic assumed that "User Management" would include this type of groups, but my logic failed me big time apparently. ;)
From what i can gather so far this requires far too many admin rights, and I do not want to add more than absolutely nessesary to the Global Admin role.