Lock down the "AAD DC Administrators" group in Azure Active Directory

Komoroske, Gina 371 Reputation points
2020-10-06T15:38:33.04+00:00

Hi,
We stood up an Azure AD Domain Service, and as a part of that, the AAD DC Administrators group was created in Azure Active Directory. We have a specific group of users that should be the only ones to have access to Azure AD DS; therefore, we want to ensure no one else has access to add or remove members in that group except for users in the global administrator role. Unfortunately, we have a couple of different teams that support group administration in Azure, but we want to make sure those teams can't modify the "AAD DC Administrators" group.

How can we lock this group down? In our on-premises Active Directory, it equates to the domain admins group, which we locked down so that only domain admins are able to modify it. This is what we want to do in Azure Active Directory. How do I lock that group down so only global admins can modify it?

Thanks in advance for any help!
Gina


1 answer

  1. Alfredo Revilla (MSFT) 26,756 Reputation points
    2020-10-06T17:07:01.297+00:00

    That's not possible in Azure AD.

    --
    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

    1 person found this answer helpful.