
Through Azure Portal, the application should be allowed to add members on the specified security group resource and restricted from modifying other security groups.

Pratik Jain 0 Reputation points
2023-06-07T20:13:17.58+00:00

Steps Taken:

1. App Registrations done

2. Add permissions such as "GroupMember.ReadWrite.All", "Directory.Write.Restricted".

Request: I kindly request your guidance and assistance in achieving this requirement. Specifically, I would appreciate information on the following:

Is there a specific Microsoft Graph API permission or Azure AD RBAC option that allows restriction of adding members to a specific security group resource?

If such a permission or option is not available, could you please provide recommendations or best practices for implementing the desired restriction within our application through Azure Portal?

Any documentation, code samples, or steps you can provide would be immensely helpful in resolving this issue. If there are any additional details or information required, please let me know, and I will be happy to provide them.

Thank you very much for your attention to this matter. I look forward to your assistance.

Azure Role-based access control

An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

1 answer

  1. Carlos Solís Salazar 18,376 Reputation points MVP
    2023-06-08T11:42:29.0666667+00:00

    Thank you for asking this question on the Microsoft Q&A Platform.

    You need to assign a role in Azure AD, not create an App Registration.

    There is a built-in role that can do those activities:

    [image]

    If you want more granularity in permissions, you must create and assign a Custom Role (to create custom roles you require Azure AD Premium P1/P2); you can use the built-in Groups Administrator role as a baseline.

    [image]

    Then assign Azure AD roles to your selected group.

    Hope this helps!


    Accept Answer and Upvote if any of the above helped; this thread can help others in the community looking for remediation for similar issues.

    NOTE: To answer you as quickly as possible, please mention me in your reply.
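The answer's approach of a custom directory role scoped to one group can be done through Microsoft Graph rather than the portal. The following is an added example, not code from the thread or from Microsoft: it builds the request bodies for `POST /roleManagement/directory/roleDefinitions` and `POST /roleManagement/directory/roleAssignments`, granting only the `microsoft.directory/groups/members/update` action and setting `directoryScopeId` to `/<group id>` so the assignment covers that single group instead of the whole tenant. It also includes an audit check that flags any tenant-wide (`/`) assignment held by the application's service principal. The object IDs, the role display name and the `GRAPH_TOKEN` environment variable are assumptions; the token is assumed to carry `RoleManagement.ReadWrite.Directory`.

```python
import json
import os
import sys
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Placeholder object IDs (constructed); replace with values from your tenant.
APP_SERVICE_PRINCIPAL_ID = "00000000-0000-0000-0000-00000000aaaa"
TARGET_GROUP_ID = "00000000-0000-0000-0000-00000000bbbb"

# The only directory action the custom role grants.
MEMBER_UPDATE_ACTION = "microsoft.directory/groups/members/update"


def build_role_definition(display_name: str) -> dict:
    """Body for POST /roleManagement/directory/roleDefinitions.

    Only the members/update action is allowed, so a principal holding this
    role cannot rename, delete or otherwise reconfigure a group.
    """
    return {
        "displayName": display_name,
        "description": "Add or remove members of the group(s) the assignment is scoped to",
        "isEnabled": True,
        "rolePermissions": [{"allowedResourceActions": [MEMBER_UPDATE_ACTION]}],
    }


def build_role_assignment(role_definition_id: str, principal_id: str, group_id: str) -> dict:
    """Body for POST /roleManagement/directory/roleAssignments.

    directoryScopeId '/<group id>' limits the role to that one group;
    '/' would make it tenant-wide, which is what the question wants to avoid.
    """
    if not group_id or "/" in group_id:
        raise ValueError("group_id must be a bare object id")
    return {
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": f"/{group_id}",
    }


def tenant_wide_assignments(assignments: list, principal_id: str) -> list:
    """Audit check: return this principal's assignments whose scope is the whole tenant."""
    return [
        a for a in assignments
        if a.get("principalId") == principal_id and a.get("directoryScopeId") == "/"
    ]


def graph_post(path: str, body: dict, token: str) -> dict:
    """Minimal authenticated POST to Microsoft Graph using only the standard library."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of what GET /roleManagement/directory/roleAssignments
# might return for the app: one tenant-wide assignment (a1) and one scoped
# to the target group (a2). Role definition IDs are placeholders.
SAMPLE_ASSIGNMENTS = [
    {"id": "a1", "principalId": APP_SERVICE_PRINCIPAL_ID,
     "roleDefinitionId": "builtin-role-id-placeholder",
     "directoryScopeId": "/"},
    {"id": "a2", "principalId": APP_SERVICE_PRINCIPAL_ID,
     "roleDefinitionId": "custom-role-id-placeholder",
     "directoryScopeId": f"/{TARGET_GROUP_ID}"},
]


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if not token:
        sys.exit("Set GRAPH_TOKEN to an access token holding RoleManagement.ReadWrite.Directory")
    role = graph_post("/roleManagement/directory/roleDefinitions",
                      build_role_definition("Group Member Writer (scoped)"), token)
    assignment = graph_post(
        "/roleManagement/directory/roleAssignments",
        build_role_assignment(role["id"], APP_SERVICE_PRINCIPAL_ID, TARGET_GROUP_ID),
        token)
    print("assigned", assignment["id"], "scope", assignment["directoryScopeId"])
    for bad in tenant_wide_assignments(SAMPLE_ASSIGNMENTS, APP_SERVICE_PRINCIPAL_ID):
        print("WARNING: tenant-wide assignment still present:", bad["id"])
```

Run the audit helper against the live output of `GET /roleManagement/directory/roleAssignments?$filter=principalId eq '<app sp id>'` after creating the scoped assignment; any result with scope `/` (for example a leftover Groups Administrator assignment) undoes the restriction and should be removed.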

