Azure Self Service Group Management

In Azure, the admins in an organization can create and maintain their security groups or Office 365 groups in Azure Active Directory with the help of self-service group management. With this feature, admins can quickly allocate ownership and rights to users.

Remember, however, that self-service group management must be disabled for non-administrator users in an organization, because these groups can grant access to sensitive and private information or may disclose crucial Azure Active Directory (AD) configuration.

Self-Service Group Membership Defaults

When security groups are created in the Azure portal or with Azure Active Directory (AD) PowerShell, only the group owners can edit their membership.

Security groups created through self-service in the Access Panel, and all Microsoft 365 groups, are available for all users to join, whether owner-approved or auto-approved.

While creating a group, an admin sets the membership options in the Access Panel. The default behaviors are as follows:

| Groups created in | Security group default behavior | Microsoft 365 group default behavior |
|---|---|---|
| Azure AD PowerShell | Only owners have the authority to add members. In the Access Panel, one can view but cannot join. | All users can join. |
| Azure portal | Only owners have the authority to add members. In the Access Panel, one can view but cannot join. When a group is created, the owner is not automatically assigned. | All users can join. |
| Access Panel | All users can join. When a group is created, membership options can be modified by the admin/owner. | All users can join. When the group is created, the membership options can be adjusted according to the requirements. |

Self-service group management Scenarios

Delegated Group Management

Consider an organization in which an administrator manages access to a SaaS programme. As we all know, managing access rights is a tedious job, but the users will ask the business owner to build a new group.

The administrator accepts the request and grants the new group access to the programme. The administrator also adds all the users who already have access to it.

The business owner can then add multiple users, who automatically gain access to the programme.

The business owner does not have to wait for the administrator to manage user access.

If the administrator grants the same rights to a manager in a different business group, that person can also manage access for the members of the groups they own.

Remember, though, that the business owner and the manager do not have access to view or manage each other's group memberships.

The administrator remains in overall control: they can check who has access to the application and, if required, deny access rights.

Self-Service Group Management

Consider another example, in which two individual users want to set up their own SharePoint Online sites and give their team members access to them.

To do so, the users can create a single group in Microsoft Azure Active Directory (AD) and then select it in SharePoint Online to provide access to their sites.

When a user requests access, they do so through the Access Panel, and once the group owners approve the request, they automatically receive access to the SharePoint Online sites.

Later, if one of the group owners wants to restrict the SaaS application to specific people, they can do that as well.

How to make a Group Available for User Self-Service in Azure?

Follow the steps below to make a group available for user self-service in Azure:

1: Log in to the Azure portal or Azure AD admin center with an account that has been assigned the directory’s Global Administrator or Privileged Role Administrator role.

2: Then go to Groups, then General Settings.

3: Set Owners can manage group membership requests in the Access Panel to Yes.

4: Set Restrict user ability to access groups features in the Access Panel to No.

5: Set Users can create security groups in Azure portals, API or PowerShell to Yes or No.

6: See the following section, Group settings, for more details on this topic.

7: Set Users can create Microsoft 365 groups in Azure portals, API or PowerShell to Yes or No.

Administrators can also use the Owners setting in the Azure portal to let trusted users assign members as group owners, which gives more granular access control over self-service group management.

When users are able to create groups, any user in your organization can create new groups and then, as the default owner, add members to them.

You cannot specify which individuals can create their own groups. You can specify individuals only for making another group member a group owner.

Group Settings in Azure

The security and Microsoft 365 group settings allow you to manage who can create security and Microsoft 365 groups.

The table below can assist you in deciding which values to use.

| Setting | Value | Effect on your tenant |
|---|---|---|
| Security groups can be created via the Azure portals, API, or PowerShell | Yes | Any user in your Azure AD organization can create new security groups and add members to them using Azure portals, APIs, and PowerShell. These new groups would be visible in the Access Panel to all other users. If the group's rules allow it, other users can submit requests to join. |
| | No | Users who are owners of security groups are unable to create new groups or alter existing ones. They may, however, manage those groups' memberships and approve requests from other users to join them. |
| Microsoft 365 groups can be created via Azure portals, APIs, or PowerShell | Yes | Any user in your Azure AD organization can establish new Microsoft 365 groups and add members to them using Azure portals, APIs, and PowerShell. These new groups would be visible in the Access Panel to all other users. If the group's rules allow it, other users can submit requests to join. |
| | No | Users who are owners of Microsoft 365 groups are unable to create new groups or edit existing ones. They may, however, manage those groups' memberships and approve requests from other users to join them. |

A few more details about these group settings:

  • These changes may take up to 15 minutes to take effect.
  • If you only want some of your users to be able to create groups, assign them a role such as Groups Administrator.
  • These settings apply only to users and have no impact on service principals.
  • For example, if you have a service principal with group creation rights and you set these settings to No, the service principal will still be allowed to create groups.
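
An added example (not from the original article) that audits the two settings in the table above from exported Microsoft Graph JSON. The Graph field names (`allowedToCreateSecurityGroups` in the authorization policy, `EnableGroupCreation` in the `Group.Unified` setting) are not on this page, and the sample JSON is constructed.

```python
import json

# Constructed sample responses (not real tenant data), shaped like the JSON from
# GET /v1.0/policies/authorizationPolicy and GET /v1.0/groupSettings.
SAMPLE_AUTH_POLICY = json.loads("""{
  "defaultUserRolePermissions": {"allowedToCreateSecurityGroups": true}
}""")
SAMPLE_GROUP_SETTINGS = json.loads("""{
  "value": [{"displayName": "Group.Unified", "values": [
      {"name": "EnableGroupCreation", "value": "false"}]}]
}""")


def security_group_creation_open(auth_policy):
    """True when any user may create security groups (portal value: Yes)."""
    perms = auth_policy.get("defaultUserRolePermissions", {})
    # Assumption: a missing field is treated as open, so an incomplete
    # export is never reported as safe.
    return bool(perms.get("allowedToCreateSecurityGroups", True))


def m365_group_creation_open(group_settings):
    """True when any user may create Microsoft 365 groups (portal value: Yes)."""
    for setting in group_settings.get("value", []):
        if setting.get("displayName") != "Group.Unified":
            continue
        values = {v["name"]: v["value"] for v in setting.get("values", [])}
        # Graph returns setting values as strings ("true"/"false").
        return str(values.get("EnableGroupCreation", "true")).lower() == "true"
    # No Group.Unified object means the tenant is still on the default: open.
    return True


def audit(auth_policy, group_settings):
    """Return a list of findings; an empty list means both settings are No."""
    findings = []
    if security_group_creation_open(auth_policy):
        findings.append("Users can create security groups: Yes")
    if m365_group_creation_open(group_settings):
        findings.append("Users can create Microsoft 365 groups: Yes")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTH_POLICY, SAMPLE_GROUP_SETTINGS):
        print("FINDING:", finding)
```

Because these settings do not apply to service principals, a clean result here says nothing about applications that hold group creation rights; those need a separate review.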

Conclusion

This brings us to the end of the article, in which we have tried to cover Azure's self-service group management in detail. We hope you liked this article and gained valuable information.
