Azure AD group membership permission only for one security group

GoodResource 376 Reputation points
2022-03-03T10:59:55.627+00:00

Hi,

I was wondering if there's any way we can provide permission to a user in such a way that they can update group membership only for one Azure group but shouldn't be able to update the rest.
I know we can create a custom role with the group membership update permission, but that applies to all Azure groups.

Was wanting to know if it is possible only for one group and not the rest.

Microsoft Entra ID

2 answers

  1. Clément BETACORNE 2,031 Reputation points
    2022-03-03T12:17:57.657+00:00

    Hello,

    I think you should explore self-service groups, because this will allow you to assign an owner, and this owner will be able to manage the members of this group: "When security groups are created in the Azure portal or using Azure AD PowerShell, only the group's owners can update membership."
    https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-self-service-management

    Regards,

    2 people found this answer helpful.

  2. Siva-kumar-selvaraj 15,606 Reputation points
    2022-03-07T06:04:33+00:00

    Hi @GoodResource, thanks for reaching out.

    Yes, it's possible when you assign the user as a group owner. The group owners can be users or service principals, and are able to manage the group, including membership. Only existing group owners or group-managing administrators can assign group owners. Group owners aren't required to be members of the group.

    To learn more about Group owner, refer to this document. Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

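The group-owner approach both answers describe, as an added example that is not part of either answer: it makes one user an owner of a single security group, then lists who owns that group and which groups the user owns, so the scope of the delegation can be reviewed. It assumes the Microsoft Graph PowerShell SDK and an administrator account allowed to assign group owners; the group name and UPN are placeholders.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph module is
# installed and the signed-in admin is allowed to assign group owners.
$GroupName = '<GROUP-DISPLAY-NAME>'   # placeholder: the one group to delegate
$UserUpn   = '<user@example.com>'     # placeholder: the delegate

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Resolve the group and refuse to continue on an ambiguous display name,
# so ownership is never granted on the wrong group.
$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($group.Count)."
}
$group = $group[0]
$user  = Get-MgUser -UserId $UserUpn

# Add the user as an owner only if they are not one already.
$owners = Get-MgGroupOwner -GroupId $group.Id -All
if ($owners.Id -notcontains $user.Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
    }
}

# Review 1: every owner of this group (each can update its membership).
Get-MgGroupOwner -GroupId $group.Id -All |
    Select-Object Id,
        @{ n = 'UPN'; e = { $_.AdditionalProperties['userPrincipalName'] } }

# Review 2: every group the user owns. For the scenario in the question,
# this should list only the group delegated above.
Get-MgUserOwnedObject -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    Select-Object Id,
        @{ n = 'DisplayName'; e = { $_.AdditionalProperties['displayName'] } }
```

If the second review returns more groups than expected, the user can also update membership on those groups through ownership.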