Questions on Permissions management


Hi Community

 

One of our customers wants to use Teams/SharePoint/Exchange, but they want to manage it from a single point.

For example, they have 3 groups.

 

- Management

- Team Lead

- Sales

 

So when they make 1 new user a member of Management, it should also get the rights from Team Lead and Sales.

And when we make 1 new user a member of Team lead, it should also get the rights of Sales.

Similarly there’ll be ‘n’ number of Groups to be managed.

 

Currently, they’re using Office 365 Security Groups to achieve the same, but it limits the control only to SharePoint resources and not for Teams and Exchange.

 

Questions:

 

  1. Can we leverage Dynamic group membership type + Conditional Access to achieve this requirement?
  2. Any other best practices would you recommend?
5 Replies

@Newlife 

Hi, can you explain what you mean by this: "Currently, they’re using Office 365 Security Groups to achieve the same, but it limits the control only to SharePoint resources and not for Teams and Exchange"

 

Do you mean control to SharePoint is limited, while control to Teams and Exchange is not?

And what do you mean by control? Do you mean SharePoint, Teams, and Exchange administrator roles?


@adejuwonadeboye 

 

Hi,

 

Thank you for your response. They've created Office 365 Security groups so that they can have specific users who have access to SharePoint resources. However, they will not have specific access to Teams and Exchange. Yes, I meant administering SPO, EXO and Teams when my account is in different groups such as Management, Team Lead and Sales, for example.

 


We cannot use groups to delegate access to the Office 365 admin roles. Meaning you will be limited to the workload-specific admin controls. This will work OK for Exchange, where you can delegate every action to a Group (nesting included), but the other workloads are limited in this regard. It all boils down to which specific actions you want them to be able to perform. But you will probably end up having to look for a third-party "admin portal replacement" type of tool.

I think Vasil misunderstood the ask ;). You probably can duplicate the same utilizing the dynamic group membership feature provided by the Azure AD P1 license. You should be able to set up rules to sync attributes over to the 365 group that is providing access.

So if you used some kind of AD attribute to label a manager,

you could have 3 dynamic groups set up, all with a rule looking for that tag. Sales would have 3 checks using OR statements so you can have all 3 types in that group, etc.

Anyway. Hope this helps.
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
But to follow up on Vasil's comment: similarly, if you were referring to being owners of said content for administration of the groups, owners are still static lists even when dynamic groups are used, since dynamic rules apply to the member role only. Which means the owners cannot be set dynamically.

So even this might not satisfy your requirement either.
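As an added illustration of the two replies above (not code posted by anyone in this thread), here is how the "Sales contains Team Lead contains Management" nesting can be expressed as Azure AD dynamic membership rules with OR checks, and why owners still have to be assigned statically. It assumes the AzureAD PowerShell module with `Connect-AzureAD` already run, an Azure AD Premium P1 licence, and a constructed convention where `extensionAttribute1` on each user holds one of the values `Management`, `TeamLead` or `Sales`; the group names and the owner UPN are placeholders.

```powershell
# Added example, not from the thread. Assumes the AzureAD module, Azure AD P1,
# and that a trusted source (HR sync) stamps user.extensionAttribute1 with the
# user's tier: "Management", "TeamLead" or "Sales" (constructed convention).

# Each tier's rule lists every tier that should inherit its access, so a
# Management user lands in all three groups, a Team Lead in two, a Sales user in one.
$tierRules = [ordered]@{
    'Management' = '(user.extensionAttribute1 -eq "Management")'
    'TeamLead'   = '(user.extensionAttribute1 -eq "Management") -or (user.extensionAttribute1 -eq "TeamLead")'
    'Sales'      = '(user.extensionAttribute1 -eq "Management") -or (user.extensionAttribute1 -eq "TeamLead") -or (user.extensionAttribute1 -eq "Sales")'
}

$groups = @{}
foreach ($tier in $tierRules.Keys) {
    # Security-enabled dynamic group; membership is recalculated by Azure AD, not by us.
    $groups[$tier] = New-AzureADMSGroup `
        -DisplayName "ACL-$tier" `
        -MailNickname "acl-$($tier.ToLower())" `
        -MailEnabled $false `
        -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $tierRules[$tier] `
        -MembershipRuleProcessingState 'On'
}

# Owners are not evaluated by the rule (see the last reply above), so the
# delegated admin who manages these groups is added as a static owner.
# 'admin-owner@contoso.example' is a placeholder UPN.
$owner = Get-AzureADUser -ObjectId 'admin-owner@contoso.example'
foreach ($g in $groups.Values) {
    Add-AzureADGroupOwner -ObjectId $g.Id -RefObjectId $owner.ObjectId
}

# Verification once rule processing has completed (it is not immediate):
# every Management and TeamLead user should appear here alongside Sales users.
Get-AzureADGroupMember -ObjectId $groups['Sales'].Id | Select-Object UserPrincipalName
```

Two things worth checking before relying on this: the attribute driving the rules is effectively the access decision, so whoever can write `extensionAttribute1` (directory sync, helpdesk roles, any app with `User.ReadWrite.All`) can place a user in every group, and that write path should be reviewed and logged; and the `-or` chains can be shortened with the `-in` operator, e.g. `user.extensionAttribute1 -in ["Management","TeamLead","Sales"]`, which evaluates the same way. The groups created here are security groups, so whether they grant anything in Teams or Exchange still depends on where they are referenced, which is the limitation Vasil's reply describes.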