Can I restrict who can edit Azure AD Security group membership?

Question

We have multiple administrators of various types in our tenant. Is it possible to limit who can modify a specific Security Group's membership? The security group is not configured for Azure AD Role assignment. In theory, this could be any Security group, but in this case I'm talking about the AAD DC Administrators group. I want to make sure that a very limited set of users are members of this group and that no other admins add themselves.

Thanks.

Answer 1

Hi @Jinseng • Thank you for reaching out.

Unfortunately, this is not possible as of now. Users with Global Administrator role or any other role that includes microsoft.directory/groups/members/update permission can update members of Security groups and Microsoft 365 groups, except role-assignable groups.

You can check Azure AD built-in roles document to see which roles include microsoft.directory/groups/members/update permission and update security group membership.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Thanks for the confirmation. I was 99% sure that was the case, but it is a little disappointing. I really like the idea of using PIM to lock down a group, but it only works if the group is enabled for Azure AD Role assignment. That setting can only be enabled at group creation and is not set for the AAD DC Administrators group when enabling Azure AD Domain Services. It means anyone with User administrator (even first line support personnel) could add themselves to this group and gain Admin access to AADDS. We'll put in place paper policies and auditing checks.