We have a requirement to use the membership of an Azure AD group to drive access to an external cloud-provided system. Our ideal would be to enable the business owner of the external system (not an Azure AD admin) to manage this membership themselves, however Im not sure what would be the easiest/best way to achieve this.
Here are some possible solutions I have brainstormed - but there are a lot of assumptions in here, and I am probably missing possible options and/or pro's/con's for each option - could I ask people more familiar with this to look over and offer suggestions/corrections:
Use an Office 365 Group:-
requires that the membership of the Office 365 group equates to membership of an AzureAD group - is this true?
would allow use of the SharePoint "access request / invite" process for business owner to self-manage access.
Other potential benefits offered by Office 365 group - SharePoint site, shared mailbox, etc.
Create a react app hosted on SP site to enable business owner to manage membership of Azure group:-
Can I call GraphApi in an impersonated way so business owner will be able to add/remove users (dont really want to give the business owner any special priv's). I have read a bit around connecting to the GraphAPI from spfx - seems AADHttpClient/MSGraphClient aren't production-ready yet?
Should I call an Azure App that has been granted the appropriate permissions to manage the Azure AD? If so whats the best way to authenticate to and call that app from within spfx?
Clearly I have a lot more reading to do :) but thought I would drop this question in here early so I could get some wisdom from people with more experience