Group expiration page is accesible with direct role assigment for user

j prasad 31 Reputation points

When we assign global admin role to the user he can access group expiration .But,an Azure AD global admin role that is granted via a group they cannot access the Group Expriation settings. But if they are directly assigned the Azure AD role they can see the settings. 

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,295 questions
{count} vote

Accepted answer
  1. Shweta Mathur 26,976 Reputation points Microsoft Employee

    Hi @j prasad ,

    Thanks for reaching out.

    Your understanding is correct here.

    If a user is assigned the Global Administrator role directly, they will have access to the Group Expiration settings. However, if the Global Administrator role is granted via a group, they will not have access to the Group Expiration settings**.**

    This is because group-based permissions are evaluated differently than direct permissions. In the case of direct permissions, the user is granted the permission directly, without any intermediary group**.** This means that the user has permission regardless of any group membership.

    In the case of group-based permissions, the user is granted permission through membership in a group**.** This means that the user only has permission if they are a member of the group that has been granted the permission.

    When a user has both direct and group-based permissions, the more restrictive permission takes precedence.

    Hope this will help.



    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful