Nov 07 2018 - last edited on Jan 14 2022
I added a user to the Guest Inviter role and was surprised to find out that they could also create Groups, which is not what I was expecting. The docs state that this should not happen: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...
Has anyone else noticed this?
Nov 09 2018 12:53 PM
Yes, I'm now playing around with the B2B AAD feature and the "guest inviter" role for a standard user. First of all, I find it very strange that I delegate a task to a person in the environment who now needs to navigate to the Azure AD portal, which contains a lot of information I don't think this person should, or needs to, see. Why not a delegation page where this user can invite guests?
And yes, this user is also able to create groups. At least, at first the button was highlighted and therefore should be active, so I tested it, but no! The user gets the 4 fields that need to be filled in for the group creation, but those are all greyed out.
Even more of a reason to develop a separate environment to have delegated tasks done by limited administrators.
Jan 21 2022 10:34 AM
@Thomas Stensitzki I just verified this in my lab, and when I have the AAD group settings set to _not_ allow users to create security or M365 groups, the guest inviter role does _not_ provide that access.
I wonder if you could check your tenant settings under groups...general and verify that the sliders are set to "No" for both security and M365 group creation by users.
JJ (MSFT employee)
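
The tenant-settings check suggested in the reply above can also be run against Microsoft Graph data instead of the portal sliders. This is an added example, not part of the thread and not Microsoft's code: it evaluates constructed sample responses shaped like `GET /policies/authorizationPolicy` and `GET /groupSettings`, and the function name, the sample values, and the mapping of the two sliders to `allowedToCreateSecurityGroups` and `EnableGroupCreation` are assumptions.

```python
# Added example: audits whether ordinary users may create groups, from
# Microsoft Graph JSON. Sample responses below are constructed, not real data.

def _setting(values, name):
    """Return a directory-setting value by name, or None if absent."""
    for item in values:
        if item.get("name") == name:
            return item.get("value")
    return None

def audit_group_creation(auth_policy, group_settings):
    """Report user group-creation rights.

    auth_policy:    body of GET /policies/authorizationPolicy
    group_settings: body of GET /groupSettings
    """
    perms = auth_policy.get("defaultUserRolePermissions", {})
    # Treat a missing property as allowed so gaps are flagged, not hidden.
    security = perms.get("allowedToCreateSecurityGroups", True)

    # With no Group.Unified settings object the tenant runs on defaults,
    # and the default for EnableGroupCreation is true.
    m365, allowed_group = True, None
    for s in group_settings.get("value", []):
        if s.get("displayName") == "Group.Unified":
            values = s.get("values", [])
            raw = _setting(values, "EnableGroupCreation")
            # Setting values are strings ("true"/"false"), not booleans.
            if raw is not None:
                m365 = raw.strip().lower() == "true"
            allowed_group = _setting(values, "GroupCreationAllowedGroupId") or None
    return {"security_groups": bool(security), "m365_groups": m365,
            "m365_exception_group": allowed_group}

# Constructed samples: a locked-down tenant and one with no settings object.
LOCKED_POLICY = {"defaultUserRolePermissions": {"allowedToCreateSecurityGroups": False}}
LOCKED_SETTINGS = {"value": [{"displayName": "Group.Unified", "values": [
    {"name": "EnableGroupCreation", "value": "false"},
    {"name": "GroupCreationAllowedGroupId", "value": ""}]}]}
DEFAULT_POLICY = {"defaultUserRolePermissions": {"allowedToCreateSecurityGroups": True}}
DEFAULT_SETTINGS = {"value": []}

if __name__ == "__main__":
    print(audit_group_creation(LOCKED_POLICY, LOCKED_SETTINGS))
    print(audit_group_creation(DEFAULT_POLICY, DEFAULT_SETTINGS))
```

A tenant that has never created a `Group.Unified` settings object reports `m365_groups: True`, which is the case most likely to be missed when only one of the two settings is reviewed.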