Deep dive needed about Azure AD GROUP OWNERS

Luca Bovo lb82 1 Reputation point
2023-01-11T16:38:20.5466667+00:00

Hi all,

as stated in the issue topic, I'd need a deep dive about Azure AD GROUP OWNERS.

The doubt is very simple: is a USER who is OWNER of an Azure AD GROUP also implicitly considered a MEMBER?

Or does it need to be added explicitly also as a MEMBER to be considered as such?

The confusion is due to publicly available learning articles and sources that consider "OWNERSHIP implies MEMBERSHIP".

I've tried to search for a clear statement in Microsoft Docs, but I didn't find anything final:

"The owners are a set of users or service principals who are allowed to modify the group object",

"When a user creates a group, they're automatically added as an owner for that group. As an owner, they can manage properties of the group (such as the name) and manage group membership. An owner can also add or remove other owners. Unlike global administrators and user administrators, owners can manage only the groups that they own."

In the end, you can see that it's not stated clearly if an OWNER can be considered a MEMBER or not, so it would be useful if you could clarify it with technical details and update the documentation accordingly just to avoid misunderstanding and confusion with external public articles.

Thanks a lot for your kind cooperation,

Luca Bovo - beanTech

Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.

3 answers

  1. TP 11,106 Reputation points
    2023-01-11T16:53:22.6766667+00:00

    Hi,

    An Owner isn't a group member unless they are added as a member. You can test this easily using the Azure portal/CLI. For example, create a new group, add member(s), add owner(s), then check the list of members. You can open up Cloud Shell (Bash) from the portal if you wish, and enter the command below to check membership:

    az ad group member list --group <objectId>

    Substitute <objectId> for the object Id of the group you want to check.

    Please Accept Answer if the above is useful.

    Thanks.

    -TP


  2. Vasil Michev 62,161 Reputation points Microsoft MVP
    2023-01-12T06:16:24.16+00:00

    It depends on the group type. For Microsoft 365 Groups, an Owner must also be added as a Member. While previously it was possible to only have him listed as an Owner, Microsoft changed this behavior a while back.


  3. Luca Bovo lb82 1 Reputation point
    2023-01-28T14:19:49.4+00:00

    Here is the answer, right from Microsoft employee Faith Moraa Ombongi:

    https://github.com/microsoftgraph/microsoft-graph-docs/issues/19833

    No, group ownership and membership are separate concepts.

    1. You must explicitly add a group member either through dynamic rules or explicit addition.
    2. A group owner can manage the settings of the group, ownership, + its membership (as per the screenshot you shared).
    3. Group membership doesn't imply automatic privileges to manage the group settings and membership.
    4. When calling the Create group API in delegated scenarios to create a Microsoft 365 group, an owner (the signed-in user) is automatically assigned to the Microsoft 365 group.
      • In all other scenarios (create security group in delegated scenarios or create any group in app-only scenarios), a group owner isn't automatically assigned and must be explicitly assigned.
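Added example (not code from any of the answers above, nor from Microsoft): a small audit script that makes the point of answer 1 and answer 3 concrete by comparing a group's owner list with its member list, the way TP suggests testing with `az ad group member list`, but using the Microsoft Graph endpoints `GET /groups/{id}/owners` and `GET /groups/{id}/members`. It assumes the documented response shape (a `value` array of directory objects plus an optional `@odata.nextLink` for paging) and runs on constructed sample payloads with made-up object ids, so it works offline; only `graph_get`/`audit_live` talk to a real tenant and need a bearer token with a scope such as Group.Read.All. The security-relevant takeaway it demonstrates: an owner who is not also a member never appears in membership listings or membership-scoped access reviews, yet can add anyone (including themselves) at any time, so owners must be reviewed as at least member-equivalent.

```python
"""Audit an Entra ID (Azure AD) group's owners against its members.

Added example, not code from the thread above.  Assumes the documented
Microsoft Graph response shape for
    GET /groups/{id}/owners   and   GET /groups/{id}/members
("value" array of directory objects, optional "@odata.nextLink").
Sample payloads below are constructed; the ids are not from a real tenant.
"""
from __future__ import annotations

import json
import urllib.request
from typing import Callable

GRAPH = "https://graph.microsoft.com/v1.0"

# --- constructed sample data (made-up ids, not a real tenant) ---------------
SAMPLE_OWNERS = {
    "value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-1",
         "userPrincipalName": "alice@contoso.example"},     # owner only
        {"@odata.type": "#microsoft.graph.user", "id": "u-3",
         "userPrincipalName": "carol@contoso.example"},     # owner AND member
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1",
         "displayName": "ci-automation"},                   # non-human owner
    ]
}
SAMPLE_MEMBERS = {
    "page1": {
        "@odata.nextLink": f"{GRAPH}/groups/g-1/members?$skiptoken=page2",
        "value": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-2",
             "userPrincipalName": "bob@contoso.example"},
            {"@odata.type": "#microsoft.graph.user", "id": "u-3",
             "userPrincipalName": "carol@contoso.example"},
        ],
    },
    "page2": {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g-nested",
             "displayName": "nested-group"},
        ]
    },
}


def sample_fetch(url: str) -> dict:
    """Stand-in for graph_get that serves the constructed member pages."""
    return SAMPLE_MEMBERS["page2"] if url.endswith("page2") else SAMPLE_MEMBERS["page1"]


def graph_get(url: str, token: str) -> dict:
    """GET a Graph URL with a bearer token (live use only)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def collect_pages(first_page: dict, fetch: Callable[[str], dict]) -> list[dict]:
    """Follow @odata.nextLink until the collection is exhausted."""
    objects = list(first_page.get("value", []))
    link = first_page.get("@odata.nextLink")
    while link:
        page = fetch(link)
        objects.extend(page.get("value", []))
        link = page.get("@odata.nextLink")
    return objects


def audit_group(owners_page: dict, members_page: dict,
                fetch: Callable[[str], dict]) -> dict:
    """Compare direct owners with direct members of one group.

    Owners that are not members are invisible to `az ad group member list`
    and to membership-scoped reviews, but can change membership at will.
    (Direct members only; use /transitiveMembers to expand nested groups.)
    """
    owners = collect_pages(owners_page, fetch)
    members = collect_pages(members_page, fetch)
    member_ids = {m["id"] for m in members}
    return {
        "owners": owners,
        "members": members,
        "owners_not_members": [o for o in owners if o["id"] not in member_ids],
        "service_principal_owners": [
            o for o in owners
            if o.get("@odata.type") == "#microsoft.graph.servicePrincipal"],
        "nested_groups": [
            m for m in members if m.get("@odata.type") == "#microsoft.graph.group"],
    }


def label(obj: dict) -> str:
    """Human-readable name for a directory object."""
    return obj.get("userPrincipalName") or obj.get("displayName") or obj["id"]


def audit_live(group_id: str, token: str) -> dict:
    """Run the audit against a real tenant (token needs e.g. Group.Read.All)."""
    def fetch(url: str) -> dict:
        return graph_get(url, token)
    return audit_group(fetch(f"{GRAPH}/groups/{group_id}/owners"),
                       fetch(f"{GRAPH}/groups/{group_id}/members"), fetch)


if __name__ == "__main__":
    report = audit_group(SAMPLE_OWNERS, SAMPLE_MEMBERS["page1"], sample_fetch)
    for o in report["owners_not_members"]:
        print(f"owner but NOT a member: {label(o)}")
    for sp in report["service_principal_owners"]:
        print(f"service principal owner: {label(sp)}")
    for g in report["nested_groups"]:
        print(f"nested group member (expand via /transitiveMembers): {label(g)}")
```

On the sample data this reports alice and ci-automation as owners who are not members, while carol, who was added to both lists, is not flagged; that is exactly the distinction the thread arrives at. For a real tenant call `audit_live("<group objectId>", token)` with a Graph access token; for a Microsoft 365 group the owner list and the member list should overlap per answer 2, and any owner missing from the members is worth a second look.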