Azure AD - 一些管理员的块组管理
[英]Azure AD - Block group managing for some admins
问题描述
Is there possible to block administrators from managing one group in Azure AD tenant?
是否可以阻止管理员管理 Azure AD 租户中的一个组?
Description, what i expect: I have a one group called "test.group" and for organisation purposes, only two administrators can managed that group (with global admin role).描述,我的期望:我有一个名为“test.group”的组,出于组织目的,只有两个管理员可以管理该组(具有全局管理员角色)。 The rest of admins (without global admin role) cannot managed membership or even edit that group. rest 管理员(没有全局管理员角色)无法管理成员资格,甚至无法编辑该组。 Is it possible?是否可以? (powershell or GUI?) (powershell 还是 GUI?)
I tried Administrative Units but it's pointless to do it only for one group.我试过行政单位,但只为一组做这件事毫无意义。 Unless, there is possible to remove directory roles only for AU scope.除非,只能为 AU scope 删除目录角色。
1 个解决方案
解决方案1
0 2022-09-29 04:08:04
Azure AD roles with permissions microsoft.directory/groups/* will apply to all groups: Global Administrators or Group Administrators will be able to manage any group. Azure 具有权限microsoft.directory/groups/*的 AD 角色将应用于所有组:全局管理员或组管理员将能够管理任何组。 You cannot remove, disable or deny such permissions on a per user or per group basis.您不能以每个用户或每个组为基础删除、禁用或拒绝此类权限。
Users without microsoft.directory/groups/* permissions won't be able to manage any groups unless they are made owners of the groups.没有microsoft.directory/groups/*权限的用户将无法管理任何组,除非他们成为组的所有者。 This is achievable out of the box for any member (non guest) user that creates a group.对于创建组的任何成员(非来宾)用户来说,这都是开箱即用的。 They will be added as the first owner.他们将被添加为第一所有者。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.