
As a POC, I created a guest user, e.g. 'OwnerABC@website.com', and made the user a Group Owner. According to the documentation and my group settings, I should be able to add members and make changes to the group as the Group Owner, but I'm unable to do so. When I log in as 'OwnerABC@website.com' in the Azure Portal UI, I switch to the correct tenant and I do not see any groups or users.

I also tried going to myapps.microsoft.com and adding a user there. The search returns empty for any user I want to add to the group that I'm the owner of. It then gives me an unexpected error page.

What other privileges does the Group Owner need, or is there somewhere else that a Group Owner who is not a global administrator needs to go to make changes to the group?

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups

DimsumPanda

1 Answer

Most probably the "User Settings" for "External Users" in your Azure Active Directory is set to "Yes" for "Guest users permissions are limited" setting. When this setting is set to "Yes" by default Guest users aren't able to do certain tasks like enumerating users, groups and other directory resources.

See screenshots below for checking this setting and description.

Go to Azure Portal > Azure Active Directory > User Settings > Manage External Collaboration Settings (under External Users)


On clicking "Manage external collaboration settings" you should see


So now you have 2 possible ways to achieve what you're looking to do:

  1. Change this setting to "No". Once you've changed the setting, try to log in to the Azure Portal as the external user OwnerABC@website.com again and you should be able to see other users. (Just give it a couple of minutes after changing the setting for this to reflect. It took a little time in my case at least.)

  2. As you can understand the setting above is generic and applies to all guest users in your directory. If you want to do something special only for this guest user, then don't change the setting and let it stay at "Yes", but assign an appropriate "Directory role" to user OwnerABC@website.com. This way only this guest user gets to see other users and not all other users.

    Assigning a "Directory role" can be done by navigating to Azure AD > Users > Specific User (OwnerABC@website.com) > Directory role > Add role


Rohit Saigal
  • Ok! Thank you Rohit, that worked! I opted for Option 2 since I still wanted to limit admin privileges. I added the directory roles "Guest Inviter" and "User Administrator" to OwnerABC@website.com and the user can only add members to groups they are the Group Owner of (as expected). The only weird thing is that myapps.microsoft.com now throws an unexpected error every time I go to "Group", but it works fine in the Azure Portal now. Thanks!! – DimsumPanda Nov 21 '18 at 12:11
  • myapps.microsoft.com seems to just be glitchy but seems to work now. One caveat I need to keep in mind is that the "User Administrator" role will allow OwnerABC@website.com to modify all users and not just the groups they are a part of. – DimsumPanda Nov 21 '18 at 12:39
  • @DimsumPanda you're welcome. I wasn't aware of the glitch with myapps.microsoft.com and had tried out Azure portal only. Your comment on "User Administrator" role makes sense. – Rohit Saigal Nov 22 '18 at 08:51
  • Actually, in case anyone reads this later: to limit the user, "Directory Readers" is probably the more appropriate directory role that the user will need. – DimsumPanda Nov 28 '18 at 19:57
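The same diagnosis and fix, scripted with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original answer. It assumes the Microsoft.Graph module is installed, that the guest's mail attribute is OwnerABC@website.com, and that the account running it may read the authorization policy and assign directory roles; it applies the least-privilege choice from the last comment (Directory Readers) rather than User Administrator.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph module
# and a signed-in account allowed to read policies and assign directory roles.
Connect-MgGraph -Scopes "Policy.Read.All","RoleManagement.ReadWrite.Directory","User.Read.All"

# Option 1 (report only): Graph stores the portal toggle "Guest users permissions
# are limited" as guestUserRoleId on the tenant's authorization policy.
$limitedRoleId = "10dae51f-b6af-4016-8d66-8c2a99b929b3"   # limited access  (portal "Yes", default)
$memberRoleId  = "a0b1b346-4d3e-4e8b-98f8-753987be4970"   # same as members (portal "No")
$policy = Get-MgPolicyAuthorizationPolicy
switch ($policy.GuestUserRoleId) {
    $memberRoleId  { "Guests already have member-equivalent directory access; look elsewhere for the cause." }
    $limitedRoleId { "Guest permissions are limited: a guest group owner cannot enumerate users or groups." }
    default        { "Guest access is restricted beyond the default (guestUserRoleId = $($policy.GuestUserRoleId))." }
}
# Flipping the tenant-wide toggle to "No" would be:
#   Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $memberRoleId
# but that widens access for every guest in the directory, so option 2 is used below.

# Option 2: leave the setting at "Yes" and grant only this guest a read-only directory role.
# Directory Readers is enough to enumerate users and groups; User Administrator (the role
# first tried in the comments) would let the guest modify every user in the tenant.
$guest = Get-MgUser -Filter "mail eq 'OwnerABC@website.com'"
if (-not $guest) { throw "Guest account OwnerABC@website.com not found in this tenant" }
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Directory Readers'"

# Idempotency check so re-running the script does not fail on a duplicate assignment.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($guest.Id)' and roleDefinitionId eq '$($role.Id)'"
if ($existing) {
    "Directory Readers is already assigned to $($guest.Mail)"
} else {
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
        -PrincipalId $guest.Id -DirectoryScopeId "/"
    "Assigned Directory Readers to $($guest.Mail); allow a few minutes before the guest signs in again."
}
```

The `-DirectoryScopeId "/"` scopes the assignment tenant-wide, which is what the portal's "Add role" does; the guest's ability to change membership still comes only from being Owner of the specific groups.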