This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 41%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKG%3C/text%3E%3C/svg%3E)
Hi,
We stood up an Azure AD Domain Service, as a part of that, the AAD DC Administrators group was created in Azure Active Directory. We have a specific group of users that should be the only ones to have access to Azure AD DS, therefore, we want to ensure no one else has access to add or remove members in that group except for users in the global administrator role. Unfortunately, we have a couple of different teams that support group administration in Azure, but we want to make sure those teams can't modify the "AAD DC Administrators" group.
How can we lock this group down? In our on premise Active Directory, it equates to domain admins group, where we locked that down to only domain admins being able to modify. This is what we want to do in Azure Active Directory. How do I lock that group down so only global admins can modify?
Thanks in advance for any help!
Gina
Thats's not possible in Azure AD.
--
Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
That's what I was afraid of.
Any ideas how to monitor that group for activity then? I've heard of Azure Monitor (and see it is unavailable quite frequently). Wonder what the best/easiest way is to ensure that group isn't modified unless proper approvals are in place?