How to prevent Group Owners from deleting a group

Abdulkadir, Mohammed 20 Reputation points
2024-11-25T20:36:55.29+00:00

I have a group in Entra for managing users who do not have MFA. In this group I added our service desk members (they have Helpdesk Admin roles in Azure) as owners to be able to add/remove members, but one of them accidentally deleted that group. How do I prevent this from happening?

I have checked the Entra admin center and there is no option to delegate permissions. I've also looked at resource locking, but this is only tied to Azure resources.

Thanks,

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other

Accepted answer
  James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2024-11-25T21:27:39.6133333+00:00

    Hi @Abdulkadir, Mohammed, for your situation I would use RBAC. You can create a custom role in Entra ID that has the necessary permissions to manage the group, but does not have the permission to delete the group. You can then assign this custom role to the service desk members who need to manage the group.

    Here's a high-level overview of how to accomplish this:

    1. Create a Custom Role:
      • Go to the Entra ID portal.
      • Navigate to "Roles and administrators" and click on "New custom role."
      • Provide a name and description for the custom role.
    2. Define Permissions:
      • In the "Permissions" tab, add the necessary permissions for managing group membership without including permissions for deleting the group. For example, you can include:
      • microsoft.directory/groups.security.assignedMembership/basic/update
      • microsoft.directory/groups.security.assignedMembership/create
      • microsoft.directory/groups.security.assignedMembership/delete
      • microsoft.directory/groups.security.assignedMembership/members/update
      • microsoft.directory/groups.security.assignedMembership/owners/update
      • Avoid adding permissions like microsoft.directory/groups/delete to prevent group deletion.
    3. Assign the Custom Role:
      • Once the custom role is created, navigate to the group you want to protect.
      • Assign the custom role to the service desk members or any other users who need to manage the group membership.
    4. Verify Role Assignment:
      • Verify that the users with the custom role can manage group membership but do not have the ability to delete the group.

    I would also look into Privileged Identity Management for greater control over resources.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    1 person found this answer helpful.
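    The same steps scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the answer above. It assumes the Microsoft.Graph module is installed, that the caller can consent to RoleManagement.ReadWrite.Directory, and that `$groupId` and `$helpdeskUserId` are placeholders you replace with your own object IDs; the role name, description and the `Test-NoDeleteAction` guard are this example's own.

```powershell
# Added example: create a custom Entra role that can manage a security group's
# members and owners but cannot delete it, assign it scoped to one group, then
# verify the granted actions. Placeholders: $groupId, $helpdeskUserId.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory' -NoWelcome

$groupId        = '<object id of the no-MFA group>'     # placeholder, replace
$helpdeskUserId = '<object id of a service desk user>'  # placeholder, replace

# Membership-management actions. Both delete actions are deliberately left out:
# microsoft.directory/groups.security.assignedMembership/delete and
# microsoft.directory/groups/delete would each allow deleting the group.
$allowedActions = @(
    'microsoft.directory/groups.security.assignedMembership/basic/update'
    'microsoft.directory/groups.security.assignedMembership/members/update'
    'microsoft.directory/groups.security.assignedMembership/owners/update'
)

function Test-NoDeleteAction {
    param([string[]]$Actions)
    # Guard against accidentally shipping a role that carries any delete action.
    return -not ($Actions | Where-Object { $_ -match '/delete$' })
}

if (-not (Test-NoDeleteAction -Actions $allowedActions)) {
    throw 'Role definition contains a delete action; aborting.'
}

$role = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName 'Helpdesk group membership manager' `
    -Description 'Manage members and owners of a security group, no delete' `
    -IsEnabled:$true `
    -RolePermissions @(@{ AllowedResourceActions = $allowedActions })

# Scope the assignment to this one group (directoryScopeId "/<groupId>") so the
# service desk user gets these rights on this group only, not tenant-wide.
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $helpdeskUserId `
    -DirectoryScopeId "/$groupId" | Out-Null

# Step 4 (verify): re-read the definition and list exactly what it grants.
$created = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id
$created.RolePermissions.AllowedResourceActions
```

    The role only has the intended effect if the service desk users are removed as owners of the group, because a group owner can delete the group regardless of directory roles.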

1 additional answer

  Thameur-BOURBITA 36,261 Reputation points Moderator
    2024-11-25T20:59:35.1966667+00:00

    Hi @Abdulkadir, Mohammed

    I confirm that, unfortunately, there is no such feature to protect a user or group (cloud only) from deletion like in Active Directory. You should reduce permissions for the help-desk group to avoid this kind of mistake.

    Please don't forget to accept helpful answers.


    1 person found this answer helpful.