stackoom
  简体   繁体   中英

Azure AD - Block group managing for some admins

 原文  2022-09-05 13:50:57       azure-active-directory/ microsoft365

Question

Is there possible to block administrators from managing one group in Azure AD tenant?

Description, what i expect: I have a one group called "test.group" and for organisation purposes, only two administrators can managed that group (with global admin role). The rest of admins (without global admin role) cannot managed membership or even edit that group. Is it possible? (powershell or GUI?)

I tried Administrative Units but it's pointless to do it only for one group. Unless, there is possible to remove directory roles only for AU scope.

1 answers

solution1
 0  2022-09-29 04:08:04

Azure AD roles with permissions microsoft.directory/groups/* will apply to all groups: Global Administrators or Group Administrators will be able to manage any group. You cannot remove, disable or deny such permissions on a per user or per group basis.

Users without microsoft.directory/groups/* permissions won't be able to manage any groups unless they are made owners of the groups. This is achievable out of the box for any member (non guest) user that creates a group. They will be added as the first owner.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Unable to add Azure AD admin user to Enterprise Admins group Azure AD application only allowing admins Azure AD Assign Roles to Group When Was An Azure AD Group Created? Group name as claim in Azure AD Phantom Group Membership in Azure AD Azure ad group membership claims After user authentication from Azure AD, all claims(group details) are not coming, happening for some users Get Group membership of group in Azure AD with Powershell Azure AD Dynamic Group based on Group Membership
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM