cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Office 365 Groups

Robert Bollinger
Iron Contributor

‎Mar 27 2018 02:13 PM - last edited on ‎Feb 06 2023 03:19 AM by

‎Mar 27 2018 02:13 PM - last edited on ‎Feb 06 2023 03:19 AM by

Office 365 Groups

Hey Guys, Simple question, is there a way to make it so a user who has Service Administrator permissions in Office 365 and (Recipients Role, Distribution Groups Role) in Exchange Online RBAC can modify group membership for Office 365 Groups? 

 

Here is the error the user is getting when trying to modify an Office 365 Group: 

 

 

 

Is there anyway to allow a user to modify group membership for Office 365 groups without granting user management role? 

 

Thanks, 

 

Robert

Preview file
15 KB
3,765 Views
0 Likes
14 Replies
Reply
14 Replies
Juan Carlos González Martín

‎Mar 27 2018 02:38 PM

‎Mar 27 2018 02:38 PM

Re: Office 365 Groups

Well, according to the error you are getting, you need to be at least EXO Administrator + User Administrator so I guess that User Role is not enough
0 Likes
Reply
Robert Bollinger

‎Mar 27 2018 02:42 PM

‎Mar 27 2018 02:42 PM

Re: Office 365 Groups

Right. If i add the user administrator role it works as expected. I just need to know if there is a way to make it so a non-admin (who has all the exchange role group permissions) can edit Office 365 Group membership.
0 Likes
Reply
best response confirmed by Robert Bollinger (Iron Contributor)
Vasil Michev

‎Mar 27 2018 11:40 PM

‎Mar 27 2018 11:40 PM

Solution

Re: Office 365 Groups

The problem is Groups are not Exchange objects, they are AAD objects. While you can certainly govern some settings via the ExO cmdlets, AAD remains the source of authority, thus the portal requires you to have the necessary permissions to run the corresponding AAD cmdlets/API calls.

 

That said, if you are OK with using the EAC or PowerShell, you can certainly use an Exchange admin (or non-admin with the relevant permissions) to manage them. All you need is to have the Mail Recipients role assigned.

0 Likes
Reply
Tony Redmond

‎Mar 28 2018 02:12 AM

‎Mar 28 2018 02:12 AM

Re: Office 365 Groups

another issue is that the Groups cmdlets do not support RBAC...

 

Still another is that the Groups membership model only differentiates between owners (who can add new members) and members (who cannot). Tenant admins override this restriction, but that doesn't help.

0 Likes
Reply
Robert Bollinger

‎Mar 28 2018 09:51 AM

‎Mar 28 2018 09:51 AM

Re: Office 365 Groups

Thanks for the clarification Tony. That's what I was looking for.
0 Likes
Reply
Robert Bollinger

‎Mar 28 2018 09:51 AM

‎Mar 28 2018 09:51 AM

Re: Office 365 Groups

Thanks for the clarification Vasil. That's what I was looking for.
0 Likes
Reply
Joshua Bines

‎Jan 20 2020 07:44 AM

‎Jan 20 2020 07:44 AM

Re: Office 365 Groups

@Tony Redmond nearly 2 years on, is that right O365 groups CMDlets still don't support RBAC? 

 

I have a Management Scope for allowing local site admins to update group membership for groups they are not owners of. Works like a dream for everything other than the O365 Groups. Sure is irritating... 

0 Likes
Reply
Tony Redmond

‎Jan 21 2020 05:41 AM

‎Jan 21 2020 05:41 AM

Re: Office 365 Groups

@Joshua Bines Yep. The Groups cmdlets seem to work well for tenant admins and the other admin roles that support groups, like the new Groups admin role. But they don't do scoping.

1 Like
Reply
Joshua Bines

‎Oct 02 2020 02:06 AM

‎Oct 02 2020 02:06 AM

Re: Office 365 Groups

@Tony Redmond I haven't tested this yet but I think this is now possible using AU https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-admin-units-add-man...

0 Likes
Reply
Tony Redmond

‎Oct 02 2020 11:16 AM - edited ‎Oct 02 2020 11:22 AM

‎Oct 02 2020 11:16 AM - edited ‎Oct 02 2020 11:22 AM

Re: Office 365 Groups

@Joshua Bines I played with this a little but it didn't work as I expected.

 

1. Created AU

2. Added several accounts to AU

3. Created new Microsoft 365 group with those accounts as members and added it to AU.

4. Assigned one of the users as a Groups administrator for the AU.

5. Logged onto Azure AD portal for that user. They could update some group properties like the description and sensitivity label assignment, but they couldn't update group membership, which is what I think you're after.

 

Maybe this is a timing thing and I should wait to see if the permissions sort themselves out...  but I note that the documentation https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-administrative-... mentions membership management, so it should work.

User management

Permissions MS Graph/PowerShell Azure AD portal Microsoft 365 admin center
administrative unit-scoped management of user properties, passwords, licenses Supported Supported Supported
administrative unit-scoped blocking and unblocking of user sign-ins Supported Supported Supported
administrative unit-scoped management of user MFA credentials Supported Supported Not supported

Group management

Permissions MS Graph/PowerShell Azure AD portal Microsoft 365 admin center
administrative unit-scoped management of group properties and members Supported Supported Not supported
administrative unit-scoped management of group licensing Supported Supported Not supported
0 Likes
Reply
Tony Redmond

‎Oct 06 2020 07:04 AM

‎Oct 06 2020 07:04 AM

Re: Office 365 Groups

To bring everyone up to speed, I reported the problem I experienced to the Azure AD team and they found an issue that's now resolved. Group management via delegated admins works as expected. I'll document this and publish an article on Petri.com to report what I found.

0 Likes
Reply
Joshua Bines

‎Oct 06 2020 07:20 AM

‎Oct 06 2020 07:20 AM

Re: Office 365 Groups

Thank you Tony for the update and the investigation! I was wondering why this wasn't working in my tenant.
0 Likes
Reply
Tony Redmond

‎Oct 15 2020 05:10 AM

‎Oct 15 2020 05:10 AM

Re: Office 365 Groups

@Joshua Bines Here's the promised write-up: https://petri.com/azure-ad-administrative-units

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Robert Bollinger (Iron Contributor)
Vasil Michev

‎Mar 27 2018 11:40 PM

‎Mar 27 2018 11:40 PM

Solution

Re: Office 365 Groups

The problem is Groups are not Exchange objects, they are AAD objects. While you can certainly govern some settings via the ExO cmdlets, AAD remains the source of authority, thus the portal requires you to have the necessary permissions to run the corresponding AAD cmdlets/API calls.

 

That said, if you are OK with using the EAC or PowerShell, you can certainly use an Exchange admin (or non-admin with the relevant permissions) to manage them. All you need is to have the Mail Recipients role assigned.

View solution in original post

0 Likes
Reply