AzureAD group membership

Glenn Maxwell 11,841 Reputation points
2024-05-10T05:37:17.0433333+00:00

Hi All

In our hybrid environment, all users are initially created on-premises and then synced to Azure AD. I've created five security groups within Azure AD. Specifically, I've granted ownership of these five AD groups to a user, let's call them user1. My goal is to enable user1 to manage membership (add/remove members) solely for these five AD groups. Although user1 possesses owner permissions for these five Azure AD groups, user1 is unable to access the EntraID page while still retaining the ability to log in to the Azure portal.

can user1 add users to Azure AD group from powershell without providing any more access? will the below syntax work.(in the below syntax user1 will not know objectids of other users). Can user add/remove members from GUI?

az ad group owner list --group AzureADgroup1 --query '[].userprincipalName'
Add-AzureADGroupMember -ObjectId <group_object_id> -RefObjectId <user_object_id>
or
Add-AzADGroupMember -ObjectId <group_object_id> -MemberObjectId <user_object_id
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,728 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,576 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,681 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,476 questions
0 comments No comments
{count} votes

Accepted answer
  1. Deepanshukatara-6769 11,700 Reputation points
    2024-05-10T06:05:52.0533333+00:00

    Hi Glen,

    Yes, user1 should be able to add or remove members from Azure AD groups using PowerShell without needing additional permissions beyond being the owner of those groups. The syntax you provided seems mostly correct, but there are slight adjustments needed depending on whether you are using Azure CLI (az) or Azure PowerShell (Az module).

    For Azure CLI (az), the command to list group owners is:

    az ad group owner list --group MyGroupDisplayName
    
    
    

    Please check this for more https://learn.microsoft.com/en-us/cli/azure/ad/group/owner?view=azure-cli-latest

    Then, to add a member to the group, the command would be:

    az ad group member add --group <group_name_or_object_id> --member-id <user_object_id>
    
    
    

    Please check this for more info https://learn.microsoft.com/en-us/cli/azure/ad/group/member?view=azure-cli-latest

    For Azure PowerShell (Az module), the command to add a member to the group is:

    Add-AzADGroupMember -ObjectId <group_object_id> -MemberObjectId <user_object_id>
    
    
    

    Kindly accept answer ,if it helps , Thanks!


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.