Limited power User Admin for adding/removing users from a single user group?

David Broggy 6,101 Reputation points MVP
2022-07-01T14:39:19.27+00:00

Hi there,
Is it possible to give a user a limited variation of the Security Admin role for a single user group in Azure AD?
i.e. we have a vendor we want to manage adding/removing users from a single group in Azure AD and no other privileges.
If this would require a custom role the basic steps for creating such a role would be appreciated.
So they would need to:

  • import or create new users
  • add users to a specific group

Thanks!

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,491 Reputation points
    2022-07-07T02:26:23.413+00:00

    Hello @David Broggy, by default an Azure AD member user can create groups and be assigned to them as owner, which will allow them to add or remove users as required. They can also invite guest users through External Identities.

    Now, in order to create users, you will need at least the User Administrator role, which may be too powerful. Azure Privileged Identity Management can help you provide such a role for a limited time only to a selected user pool.

    The most permission-tight approach here is to develop an application that consumes the MS Graph API and allows the user to create users and optionally to delete them but nothing else. Also, this will allow you to enrich such management flows with actions such as automatic user-to-group member addition.

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.
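A sketch of the policy layer such a Graph-consuming application needs, added here as an example and not part of the original thread or any Microsoft sample. The function names and the group ID are hypothetical; the functions only build the Microsoft Graph v1.0 requests, and sending them with the application's own token is left to whatever HTTP client the app uses.

```python
import re
import secrets

GRAPH = "https://graph.microsoft.com/v1.0"
# Constructed placeholder: object ID of the one group the vendor may manage.
ALLOWED_GROUP_ID = "00000000-0000-0000-0000-000000000001"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Assumption: the app holds the Graph application permissions User.ReadWrite.All
# and GroupMember.ReadWrite.All. Both are tenant-wide, so the single-group
# limit exists only because this layer enforces it.

class Denied(Exception):
    """Raised when a vendor request falls outside the delegated scope."""

def _check(group_id, user_id):
    # Strict GUID match keeps caller input from altering the Graph URL path.
    if not (GUID.fullmatch(group_id) and GUID.fullmatch(user_id)):
        raise Denied("object IDs must be GUIDs")
    if group_id.lower() != ALLOWED_GROUP_ID:
        raise Denied("group is outside the vendor's scope")

def create_user(display_name, upn):
    """Build the request that creates a user with a one-time random password."""
    alias, _, domain = upn.partition("@")
    if not alias or not domain:
        raise Denied("userPrincipalName must look like alias@domain")
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": alias,
        "userPrincipalName": upn,
        "passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": secrets.token_urlsafe(24),
        },
    }
    return ("POST", f"{GRAPH}/users", body)

def add_member(group_id, user_id):
    """Build the request that adds a user to the allowed group."""
    _check(group_id, user_id)
    ref = {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"}
    return ("POST", f"{GRAPH}/groups/{ALLOWED_GROUP_ID}/members/$ref", ref)

def remove_member(group_id, user_id):
    """Build the request that removes a user from the allowed group."""
    _check(group_id, user_id)
    url = f"{GRAPH}/groups/{ALLOWED_GROUP_ID}/members/{user_id}/$ref"
    return ("DELETE", url, None)
```

The vendor authenticates to this application only and never receives a directory role; every membership change they request is checked against `ALLOWED_GROUP_ID` before a Graph call is built.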

