Introducing the Groups Admin Role

Microsoft

 

Today, we are thrilled to announce that the the Groups admin role in Azure Active Directory (Azure AD) is now generally available.  This new Azure Active Directory role enables you to perform group management tasks for and Azure AD security groups without requiring Global administrator permissions.


Users with the Groups administrator role can use the Microsoft 365 Admin center, the Azure portal and other methods to create, edit, delete, and restore groups, and manage Office 365 Groups policies (example - creation, naming, and expiration policies).

 

clipboard_image_2.png

Figure 1 - Managing Groups in the Microsoft 365 Admin center

 

clipboard_image_1.png

Figure 2 - Managing Groups in the Azure portal

 

You can provision the Groups admin role using Azure AD PowerShell:

#Below steps need to be completed only once to install the Azure AD scripts

Install-Module -Name AzureAD

 

#Connect (use privileged role)

Connect-AzureAD

 

# Get the user to be assigned the role, replacing foo@contoso.com with the email address of the user

$roleMember = Get-AzureADUser -SearchString "foo@contoso.com"

 

# Enable the role for the tenant (skip this step if you have already enabled the role for your tenant). If you have already enabled the role, you will get an error (which you can ignore)

$newRole = Enable-AzureADDirectoryRole -RoleTemplateId "fdd7a751-b60b-444a-984c-02652fe8fa1c"

 

# Get the newly added role - replace the role template Id as per need

$newRole = Get-AzureADDirectoryRole -Filter "roleTemplateId eq 'fdd7a751-b60b-444a-984c-02652fe8fa1c'"

 

# Add the user to this role - copy the object Id from the output of the above command and use below

Add-AzureADDirectoryRoleMember -ObjectId $newRole.ObjectId -RefObjectId $roleMember.ObjectId

 

Limitations

There are a few limitations that we are looking to address soon:

  1. The admin role is designed mainly for Office 365 groups and cannot manage other group types like distribution groups, mail-enabled security groups or shared mailboxes.
  2. This role cannot be used to update a Group’s email address or modify external mail or mail delivery options in the Microsoft 365 admin center.
  3. You cannot use Exchange PowerShell cmdlets to manage Office 365 Groups.
  4. A Groups admin cannot manage audit logs, access reports, or guest settings.

 

We would love to hear your feedback or suggestions. Leave a comment here or reach out to us on user voice.

 

 

 

 

 

 

 

 

 

 

 

 

0 Replies