Tags: azure, azure-active-directory, administration, azure-ad-b2b

Adding members to a Group as a Group Owner in Azure Portal for an Azure AD tenant


As a POC, I created a guest user, e.g. 'OwnerABC@website.com', and made the user a Group Owner. According to the documentation and my group settings, I should be able to add members/modify changes with the group as the Group Owner, but I'm unable to do so. When I log in as 'OwnerABC@website.com' in the Azure Portal UI, I change to the correct tenant and I do not see any groups or users.

I also tried going to myapps.microsoft.com and trying to add a user. The search returns empty for any user I want to add to the group that I'm the owner of. It then gives me an unexpected error page.

What other privileges does the Group Owner need, or is there somewhere else that a Group Owner, who is not a global administrator, needs to go to make changes to the group?

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups


Solution

  • Most probably the "User Settings" for "External Users" in your Azure Active Directory has the "Guest users permissions are limited" setting set to "Yes". When this setting is set to "Yes" (the default), guest users aren't able to do certain tasks like enumerating users, groups and other directory resources.

    See the screenshots below for how to check this setting and its description.

    Go to Azure Portal > Azure Active Directory > User Settings > Manage External Collaboration Settings (under External Users)


    On clicking "Manage external collaboration settings" you should see


    So now you have 2 possible ways to achieve what you're looking to do:

    1. Change this setting to "No". Once you've changed the setting, try to log in to the Azure Portal as the external user OwnerABC@website.com again and you should be able to see other users. (Just give it a couple of minutes after changing the setting for this to reflect. It took a little time in my case at least.)

    2. As you can understand, the setting above is generic and applies to all guest users in your directory. If you want to do something special only for this guest user, then don't change the setting and let it stay at "Yes", but assign an appropriate "Directory role" to user OwnerABC@website.com. This way only this guest user gets to see other users, and not all other users.

      Assigning a "Directory role" can be done by navigating to Azure AD > Users > Specific User (OwnerABC@website.com) > Directory role > Add role

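Before choosing between the tenant-wide change (option 1) and the per-user role (option 2), an admin will usually want to confirm what the "Guest users permissions are limited" toggle is actually set to and which guests would be affected. The following is an added example, not code from the original answer; it uses the Microsoft Graph PowerShell SDK, and assumes the signed-in admin can consent to the Policy.Read.All and Directory.Read.All scopes. The portal toggle is backed by the guestUserRoleId value of the tenant's authorization policy, and the three template IDs below are the ones Microsoft documents for that value.

```powershell
# Added example (not part of the original post). Audits the guest restriction
# level behind the portal's "Guest users permissions are limited" toggle and
# lists which guest accounts own groups, i.e. who is hit by the restriction.
# Assumes: Microsoft Graph PowerShell SDK installed, admin consent for the scopes.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All"

# Documented template IDs for authorizationPolicy.guestUserRoleId
$guestRoleNames = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "Same access as members (least restrictive; portal toggle = No)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "Limited access to directory objects (default; portal toggle = Yes)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "Restricted to own directory objects (most restrictive)"
}

# One policy object per tenant; its GuestUserRoleId is what the toggle changes
$policy = Get-MgPolicyAuthorizationPolicy
$roleId = $policy.GuestUserRoleId
$level  = if ($guestRoleNames.ContainsKey($roleId)) { $guestRoleNames[$roleId] } else { "Unknown role id" }
Write-Host "guestUserRoleId : $roleId"
Write-Host "Effective level : $level"

# Guests who own groups are the accounts that need directory visibility to manage
# membership. Listing them shows the blast radius of option 1 (every guest gains
# enumeration rights) versus option 2 (a role for just the owners that need it).
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, UserPrincipalName
foreach ($g in $guests) {
    # Owned objects come back as generic directory objects; keep only groups
    $ownedGroups = Get-MgUserOwnedObject -UserId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    if ($ownedGroups) {
        $names = ($ownedGroups | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', '
        Write-Host ("{0} owns: {1}" -f $g.UserPrincipalName, $names)
    }
}
```

If the audit shows only one or two guest owners, option 2 keeps the default restriction for every other guest; a guest-owner list that is long or changes often is the case where option 1 is usually chosen.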