
Having some issues navigating Azure AD with this:

  1. I need a user to be an owner on a user group, but without modifying group settings.
  2. They need to be able to add users to and remove users from this group, and only this group, or another group (this is also allowed).
  3. This user manages a group of users that have contributor access on a subscription.

Any help is appreciated in setting this up.

user13696433

1 Answer

Azure Active Directory (Azure AD) groups are owned and managed by group owners. Group owners can be users or service principals, and are able to manage the group including membership. Only existing group owners or group-managing administrators can assign group owners. Group owners aren't required to be members of the group.

Try using a service principal to achieve your requirement:

Create a service principal sp-test-lab-cloud-deployment-prod = bb3XXXXX-51d1-4b69-9f0a-26cba3XXXXX which has Owner rights at the root management group 'Stack Root Management Group'.

Create an automated workflow to assign custom roles to AD groups and another service principal.

To create a new service principal (SP) with the Azure CLI, log in with your Azure AD user, then execute the following command.

# Current Azure CLI generates the client secret itself; the old --password option has been removed.
az ad sp create-for-rbac --name "{displayName}"

Output:

{
  "appId": "a487e0c1-82af-47d9-9a0b-af184eb87646d",
  "displayName": "MyDemoWebApp",
  "name": "http://MyDemoWebApp",
  "password": {strong password},
  "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

appId is your login user name; password is your login password.

Once the SP is created, you also need to give it the Owner role; then you can manage your Azure resources and manage the group, including membership.

# --scope is required; use the narrowest scope that works, e.g. /subscriptions/<subscriptionId>
az role assignment create --assignee <objectID> --role Owner --scope <scope>

Reference: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-accessmanagement-managing-group-owners

SO thread reference on SP: What is Azure Service Principal?

SureshBabu
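As an added example (not code from the question or from SureshBabu's answer), the script below delegates membership management with the group-owner mechanism that the answer's linked documentation describes, instead of a service principal holding Owner at the root management group: the delegated user becomes an owner of exactly one group, that group gets Contributor at subscription scope, and the owner then manages membership with `az ad group member add/remove`. Two caveats a practitioner should know: a built-in Azure AD group owner can also edit the group's name and description, so the "without modifying group settings" requirement cannot be met with ownership alone; and whoever owns a group that holds Contributor on a subscription can effectively hand Contributor to anyone they add, so that owner should be treated as a privileged identity. All object IDs and the subscription ID are placeholders, and `DRY_RUN=1` prints the `az` commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer. Delegates membership
# management of ONE Azure AD group to a user by making them a group owner, then
# grants that group Contributor on a subscription. All object IDs and the
# subscription ID are placeholders; replace them with your own.
set -euo pipefail

# DRY_RUN=1 prints each az command instead of executing it, so the change set
# can be reviewed before it touches the tenant.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: make the delegated user an owner of the group. Ownership is scoped to
# this one group and needs no Azure AD directory role. Caveat: built-in owners
# can also edit the group's name/description; ownership cannot be narrowed to
# "membership only".
add_group_owner() {
    local group_oid="$1" owner_oid="$2"
    run az ad group owner add --group "$group_oid" --owner-object-id "$owner_oid"
}

# Step 2: give the group Contributor at subscription scope (explicit --scope,
# never broader than the question needs). Passing the object ID plus principal
# type avoids an extra Graph lookup and is unambiguous for groups.
grant_contributor() {
    local group_oid="$1" sub_id="$2"
    run az role assignment create \
        --assignee-object-id "$group_oid" \
        --assignee-principal-type Group \
        --role Contributor \
        --scope "/subscriptions/$sub_id"
}

# Step 3: what the delegated owner runs day to day. These succeed only for
# groups the caller owns (or if the caller holds a directory role).
add_member()    { run az ad group member add    --group "$1" --member-id "$2"; }
remove_member() { run az ad group member remove --group "$1" --member-id "$2"; }

# Step 4: verify. List the group's owners and the role assignments the group
# holds at the subscription; anything beyond "Contributor" here is a finding.
verify() {
    local group_oid="$1" sub_id="$2"
    run az ad group owner list --group "$group_oid" --query '[].userPrincipalName' -o tsv
    run az role assignment list --scope "/subscriptions/$sub_id" \
        --assignee "$group_oid" --query '[].roleDefinitionName' -o tsv
}

# Usage: delegate.sh <group-object-id> <owner-object-id> <subscription-id>
# Object IDs come from: az ad group show --group <name> --query id -o tsv
#                       az ad user show --id <upn> --query id -o tsv
main() {
    local group_oid="$1" owner_oid="$2" sub_id="$3"
    add_group_owner "$group_oid" "$owner_oid"
    grant_contributor "$group_oid" "$sub_id"
    verify "$group_oid" "$sub_id"
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Run it first with `DRY_RUN=1 ./delegate.sh <group-oid> <owner-oid> <sub-id>` to review the exact commands, then without `DRY_RUN` from a signed-in session that can assign group owners and create role assignments at the subscription. The same delegated owner can later be reviewed with the `verify` step, which is a cheap check to put in a periodic access review.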