Access to Azure resources

Question

Hi!

I am a lawyer and know little about Microsoft Azure access management. I have a client who is accused by his employer of taking back access using this code: https://learn.microsoft.com/en-us/graph/api/group-post-owners?view=graph-rest-1.0&tabs=python

It is claimed that my client used this code to regain access after the employer had taken it from him. At the same time, the employer has shown that what my client has taken back is resources. So what he is accused of is taking back resources. As far as I understand, the code can only be used to give ownership of groups, and not membership of groups. The code can therefore not be used directly to gain access to resources.

Can anyone here confirm or deny my understanding?

Answer 1

So when you gain ownership of any group in Microsoft 365, you have the capability to add/remove members from the group and also modify other properties of the group.

It is a possibility that the group for which ownership was gained, was used to provide access to resources within Azure. For example, if I want that a certain group of users must be able to start a virtual machine in Azure, I will create a group in Azure AD/Entra ID and add it under Access management of that virtual machine with required role/permissions(permission to start or stop a virtual machine).

So, when someone gains the ownership of a group, they can add members to the group and ultimately acquire the access of all the resources wherever that group is used.