Adding members to a Group as a Group Owner in Azure Portal for an Azure AD tenant












As a POC, I created a guest user, ex: 'OwnerABC@website.com' and made the user a Group Owner. According to the documentation and my group settings, I should be able to add members/modify changes with the group as the Group Owner, but I'm unable to do so. When I log in as 'OwnerABC@website.com' in Azure Portal UI, I change to the correct tenant and I do not see any groups or users.



I also tried going to myapps.microsoft.com and I try adding a user. The search returns empty for any user I want to add to the group that I'm the owner of. It then gives me an unexpected error page.
[screenshot]



What other privileges does the Group Owner need, or is there somewhere else that a Group Owner, who is not a global administrator, needs to go to make changes to the group?



https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups










      azure azure-active-directory administration azure-ad-b2b






      asked Nov 20 '18 at 21:30









      DimsumPanda
























          1 Answer
          Most probably the "User Settings" for "External Users" in your Azure Active Directory is set to "Yes" for the "Guest users permissions are limited" setting. When this setting is set to "Yes" by default Guest users aren't able to do certain tasks like enumerating users, groups and other directory resources.



          See screenshots below for checking this setting and description.



          Go to Azure Portal > Azure Active Directory > User Settings > Manage External Collaboration Settings (under External Users)



          [screenshot]



          On clicking "Manage external collaboration settings" you should see



          [screenshot]



          So now you have 2 possible ways to achieve what you're looking to do:




          1. Change this setting to "No". Once you've changed the setting, try to log in to Azure Portal as the external user OwnerABC@website.com again and you should be able to see other users. (Just give it a couple of minutes after changing the setting for this to reflect. It took a little time in my case at least.)



          2. As you can understand, the setting above is generic and applies to all guest users in your directory. If you want to do something special only for this guest user, then don't change the setting and let it stay at "Yes", but assign an appropriate "Directory role" to user OwnerABC@website.com. This way only this guest user gets to see other users and not all other users.



            Assigning a "Directory role" can be done by navigating to Azure AD > Users > Specific User (OwnerABC@website.com) > Directory role > Add role



            [screenshot]









          edited Nov 20 '18 at 23:16

























          answered Nov 20 '18 at 23:11









          Rohit Saigal













          • Ok! Thank you Rohit, that worked! I opted for Option 2 since I still wanted to limit admin privileges. I added the directory role "Guest Inviter" and "User Administrator" to OwnerABC@website.com and the user can only add members to groups they are the Group Owner of (as expected). The only weird thing is that myapps.microsoft.com now throws an unexpected error every time I go to "Group" but it works fine in Azure Portal now. Thanks!!

            – DimsumPanda
            Nov 21 '18 at 12:11











          • The myapps.microsoft.com seems to just be glitchy but seems to work now. One caveat I need to keep in mind is that the "User Administrator" role will allow OwnerABC@website.com to modify all users and not just the groups they are a part of.

            – DimsumPanda
            Nov 21 '18 at 12:39











          • @DimsumPanda you're welcome. I wasn't aware of the glitch with myapps.microsoft.com and had tried out Azure portal only. Your comment on "User Administrator" role makes sense.

            – Rohit Saigal
            Nov 22 '18 at 8:51













          • Actually, in case anyone reads this later. To limit the user, "Directory Readers" is probably the more appropriate directory role that the user will need.

            – DimsumPanda
            Nov 28 '18 at 19:57
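
Option 2 scripted with the role the last comment settles on, followed by a check for guests that hold any wider role such as "User Administrator". This is an added example, not code from the thread; it assumes the AzureAD PowerShell module, a placeholder tenant ID, an account allowed to manage role assignments, and an allow-list chosen for illustration.

```powershell
# Added example. Assumptions: AzureAD module installed, placeholder tenant ID,
# signed-in account may manage directory role assignments.
Import-Module AzureAD
Connect-AzureAD -TenantId '<your-tenant-id>' | Out-Null

$guestMail = 'OwnerABC@website.com'   # guest address used in the question
$roleName  = 'Directory Readers'      # role suggested in the last comment

# Look the guest up by mail: its UPN in the resource tenant is a generated #EXT# name.
$guest = @(Get-AzureADUser -Filter "mail eq '$guestMail'" |
    Where-Object { $_.UserType -eq 'Guest' })
if ($guest.Count -ne 1) {
    throw "Expected exactly one guest with mail $guestMail, found $($guest.Count)."
}
$guest = $guest[0]

# Get-AzureADDirectoryRole returns only roles already activated in the tenant,
# so activate the role from its template when it is missing.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -eq $roleName }
    if (-not $template) { throw "No role template named '$roleName'." }
    Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
}

# Assign the role only if the guest does not hold it yet (re-runs are harmless).
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -notcontains $guest.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $guest.ObjectId
}

# Audit: list every directory role held by a guest and mark the ones outside
# the allow-list for review. The allow-list is an assumption; adjust it to policy.
$allowedForGuests = @('Directory Readers', 'Guest Inviter')
$findings = foreach ($r in Get-AzureADDirectoryRole) {
    Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId |
        Where-Object { $_.ObjectType -eq 'User' -and $_.UserType -eq 'Guest' } |
        ForEach-Object {
            [pscustomobject]@{
                Role   = $r.DisplayName
                Guest  = $_.Mail
                Review = ($allowedForGuests -notcontains $r.DisplayName)
            }
        }
}
$findings | Sort-Object Review -Descending | Format-Table -AutoSize
```

A guest that still holds "User Administrator" from earlier testing shows up with Review set to True.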


















