Deep dive needed about Azure AD GROUP OWNERS

Question

Hi all,

as stated in the issue topic, I'd need a deep dive about Azure AD GROUP OWNERS.

The doubt is very simple: is a USER who is OWNER of an Azure AD GROUP also implicitly considered a MEMBER?

Or does it need to be added explicitly also as a MEMBER to be considered as such?

The confusion is due to public available learning articles and sources that consider "OWNERSHIP implies MEMBERSHIP".

I've tried to search a clear statement in Microsoft Docs, but I did't find anything final:

• in this article https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-learn-about-groups "Learn about groups and access rights in Azure Active Directory" it's only explained the basics of assigning rights to a group.
• in this one https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-groups "Manage Azure Active Directory groups and group membership" it's explained the basics of managing groups and owners,
• only here https://learn.microsoft.com/en-us/graph/api/group-list-owners?view=graph-rest-1.0&tabs=http "List group owners" concerning Graph API, there is this interesting statement:

"The owners are a set of users or service principals who are allowed to modify the group object",

• also this one https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#group-owner-permissions "Group owner permissions" contains some interesting information:

"When a user creates a group, they're automatically added as an owner for that group. As an owner, they can manage properties of the group (such as the name) and manage group membership. An owner can also add or remove other owners. Unlike global administrators and user administrators, owners can manage only the groups that they own."

In the end, you can see that it's not stated clearly if an OWNER can be considered a MEMBER or not, so it would be useful if you could clarify it with technical details and update the documentation accordingly just to avoid misunderstanding and confusion with external public articles.

Thanks a lot for your kind cooperation,

Luca Bovo - beanTech

Answer 1

Hi,

An Owner isn't a group member unless they are added as a member. You can test this easily using the Azure portal/cli. For example, create a new group, add member(s), add owner(s), then check the list of members. You can open up Cloud Shell (Bash) from the portal if you wish, and enter below command to check membership:

az ad group member list --group <objectId>

Substitute <objectId> for the object Id of the group you want to check.

Please Accept Answer if the above is useful.

Thanks.

-TP

Answer 2

It depends on the group type. For Microsoft 365 Groups, an Owner must also be added as a Member. While previously it was possible to only have him listed as an Owner, Microsoft changed this behavior a while back.

Answer 3

Here is the answer, right from Microsoft employee Faith Moraa Ombongi:

https://github.com/microsoftgraph/microsoft-graph-docs/issues/19833

No, group ownership and membership are separate concepts.

1. You must explicitly add a group member either through dynamic rules or explicit addition.
2. A group owner can manage the settings of the group, ownership, + its membership (as per the screenshot you shared).
3. Group membership doesn't imply automatic privileges to manage the group settings and membership.
4. When calling the Create group API in delegated scenarios to create a Microsoft 365 group, an owner (the signed-in user) is automatically assigned to the Microsoft 365 group.
   • In all other scenarios (create security group in delegated scenarios or create any group in app-only scenarios), a group owner isn't automatically assigned and must be explicitly assigned.