25,081 questions
They can, yes. In the future, you can refer to this article for the minimum role required for certain admin operation: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task#groups
Can an user with User Administrator role add an Azure AD Joined \ Registered device to a Group
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 18%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shridhar Srinivasan
220
Reputation points
Can an user with User Administrator role add an Azure AD Joined \ Registered device to a Group
- The Group can be Security Group or Microsoft 365 Group
- Membership of the Group is set to Assigned
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator2023-08-07T16:41:18.9+00:00 I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
-
Shridhar Srinivasan 220 Reputation points
2023-08-08T11:02:01.5766667+00:00 Thanks @JamesTran-MSFT for following up. Currently the discussion is still Open. Please check my discussion with @Vasil Michev
Sign in to comment
2 answers
Sort by: Most helpful
-
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator2023-08-03T06:26:47.5333333+00:00 -
Shridhar Srinivasan 220 Reputation points
2023-08-03T06:35:36.91+00:00 Thanks @Vasil Michev for the quick response. It is a Very useful page. That section raised a further query.
I understand a "Cloud Device Administrator" can also add a Device. I don't see that listed in the "Additional roles" column.
-
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
2023-08-03T06:58:32.75+00:00 The Additional roles column doesn't always list all the individual roles that can be used. The documentation is a work in progress in this regard, but you can open an issue using the button at the bottom of the page and ask for an update.
-
Shridhar Srinivasan 220 Reputation points
2023-08-03T08:57:36.1433333+00:00 I will do that. Thanks.
Can you please confirm, that my understanding is right:
"Cloud Device Administrator" can also add a Device to the Group outlined in the query.
-
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
2023-08-03T09:45:47.02+00:00 Afaik no, as said role does not include the "microsoft.directory/groups/members/update" permission. Do note that a user might still be able to manage the membership of a given group if he's assigned as its owner, even without specific admin roles assigned.
-
Shridhar Srinivasan 220 Reputation points
2023-08-03T19:06:27.4433333+00:00 I am assuming you are a MS employee and making this request. Can you please check this out and confirm, if Cloud Device Administrator does have that permission.
Like you mentioned in an earlier comment, not necessary documentation is complete so "microsoft.directory/groups/members/update" permission not being listed for that role can be a miss.
Sign in to comment -
-
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator2023-08-03T06:45:10.7333333+00:00 Hello @Shridhar Srinivasan ,
Thank you for reaching out. I would like to confirm that User Administrator can manage add and remove member from Azure AD Groups. With regards to adding device User Admininstrators can add or remove device from the group. However please note that Devices can only be added to Security Enabled groups as stated on following documentation link: https://learn.microsoft.com/en-us/mem/intune/fundamentals/groups-add
I hope this helps and hence would request you to please "Accept the answer" if the information helped you. This will help us and others in the community as well.
-
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator
2023-08-03T09:04:42.7033333+00:00 @Srinivasan, Shridhar (Shridhar) ,
As mentioned in the documentation https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-device-administrator,
"Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device."
Add members option on the group would be disabled/greyed out for users with this role.
-
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
2023-08-14T19:57:12.0266667+00:00 I wanted to check in and see if you had a chance to review @Harpreet Singh Matharoo 's answer and if this helped to resolve your issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sign in to comment -