Microsoft Tech Community

Directory roles need to be provided to Group Owners to add team members from myapps.microsoft.com


Hi,

 

We are implementing Azure AD B2B collaboration. From the 'Access Panel' (the myapps.microsoft.com view), Group Owners can add/delete users within their assigned group only. We have restricted all Guest User access to the Azure portal by creating a conditional access policy to hide the tenant information.

 

Our problem is that Group Owners can only add users from the Access Panel if we provide the directory roles 'Guest Inviter' and 'User Administrator'. Without the User Administrator role, the Access Panel view throws an error. Is it possible for Group Owners to add their users without the 'User Administrator' role, or with some other appropriate role? It should be this way only, as we have already provided 'Guest Inviter' rights to group owners.

 

Please help.

 

Thanks in advance

Email - ankur.a.gupta@capgemini.com


Hello,

Being a group owner and having the Guest Inviter role should be enough, from what I know.

Do the Group Owners have an AAD P1 license assigned?

The advanced group features all require a P1 licence.

 

I just tested that in my demo lab with a user that is a Guest Inviter and owner of a security group. Invitation from the Access Panel worked fine in that case.

 

/Peter

Thanks Peter, my subscription has an AAD Premium license, but I did not check by explicitly assigning these licenses to the Group Owners. I will check and get back to you if it works.

Thanks
Ankur

Hi,

After assigning the Guest Inviter role in AAD and a P1 license, adding/sending guest invites from the Access Panel did not work. Please help further.

 

/Ankur

Hi,

Do you have a specific error message, maybe also from the audit logs of Azure AD?

Can you provide the Azure Active Directory -> Organizational relationships -> Settings?

 

/Peter

Hi Peter,

 

At this point we don't have access to look at the organizational settings, but yes, we will look into it and update.

 

As of now, the problem occurs while we try to add any users from the Access Panel. The screen keeps refreshing and does not save any changes, without any error. We have attached screenshots for the same. Please refer to the screenshot 'NotAbleToAddUsers', on which we are not able to add any users.

 

Thanks

Ankur

Hi Peter,

 

Attached are the External collaboration settings we have configured in our Azure AD, if it helps to explain the problem better.

 

- Ankur

Hi,

 

I just tested it again, also with the domain restrictions you have in your settings, and it works well.

So I assume that this is either a tenant-specific error on your side or something on your client side.

I would open a support case.

 

/Peter