
Self-service group management for users

Published: April 3, 2014

Updated: June 16, 2014

Applies To: Azure


This topic describes the self-service group management capabilities that are now available to Azure AD Premium users through the Access Panel.

Tabs have been added to the Access Panel where users can now see, create and manage groups. For more information, see Manage your groups.

Self-service group management enables users to create and manage security groups in Microsoft Azure Active Directory (AD) and lets users request membership in a security group; the owner of the group can then approve or deny each request. By using self-service group management features, the day-to-day control of group membership can be delegated to the people who understand the business context for that membership.

Self-service group management currently consists of two essential scenarios: delegated group management and self-service group management.

  • Delegated group management - take the example of an administrator who is managing access to a SaaS application that her company is using. Managing these access rights is becoming cumbersome, so this administrator asks the business owner to create a new group. The administrator then assigns access for the application to the new group that the business owner just created and puts all the people who currently have access to the application into this group. The business owner can then add more users, and those users are automatically provisioned to the application moments later. The business owner does not need to wait for the administrator to do the work but can manage access for his users himself. The administrator can do the same thing for an administrative assistant in a different business group, and both the business owner and this administrative assistant can now manage access for their own users – without being able to touch or see each other’s users. The administrator can still see all users who have access to the application and block access rights if needed.

  • Self-service group management - take the example of two users who both have SharePoint Online sites that they set up independently, but who would like to make it easy to give each other’s teams access. They create one group in Azure AD, and in SharePoint Online each of them picks that same group to grant access to their site. When someone wants access, they request it from the Access Panel, and after approval they get access to both SharePoint Online sites automatically. Later, one of them decides that everyone who can access his site should also get access to a particular SaaS application. He asks the administrator of this SaaS application to assign access for the application to the same group. From then on, any request that he approves grants access to the two SharePoint Online sites and also to this SaaS application.

Self-service group management is made available to your users through the Azure AD Access Panel, on the group tabs described above.

To enable self-service group management, in the Azure Management Portal, on the Configure tab, set the Delegated group management switch to Enabled and then set the Users can create groups switch to Enabled.

When the Users can create groups switch is set to Enabled, all users in your directory are allowed to create new security groups and add members to these groups. Note that these new groups will also appear in the Access Panel for all other users, and that those users can request to join these groups if the policy setting on the group allows it. If this switch is set to Disabled, users cannot create groups and cannot change the settings of existing groups that they own, but they can still manage the memberships of those groups and approve requests from other users to join them.

This section provides further information about groups in the context of Azure AD and Office 365.

Is creating and managing groups a new, recently added functionality for Azure AD?

In Office 365, creating and managing groups has been available for some time.

Providing a user interface for creating and managing groups is a new, recently added feature in the Azure AD Management Portal (Group management) and now, with self-service group management, in the Access Panel (Manage your groups). However, the ability to create and manage groups in Azure AD via Windows PowerShell and the Graph API has been available for some time (Manage Azure AD using Windows PowerShell).

All groups and group memberships in Office 365 are stored in Azure AD. There are limitations to editing certain types of groups from the Azure AD user interfaces, because Office 365 also stores certain information about groups locally. For example, you cannot edit the members attribute of a distribution group via the Azure AD Management Portal or the Access Panel. These limitations might be removed in the future.

I can create and manage groups in Azure AD using Windows PowerShell. What further group management functionality will I have access to with Azure AD Premium?

Azure AD Premium offers delegated group management and self-service group management. In other words, Azure AD Premium enables people who cannot use Windows PowerShell (for example, information workers, group owners, and administrative assistants) to create and manage groups via the Access Panel.
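The following is an added example, not part of the original page, showing the Windows PowerShell route that the answer above refers to: creating a security group with the MSOnline module, adding a member, and listing the membership so an administrator can review who can reach an application whose access is assigned to that group. The group name, description and user principal name are constructed sample values.

```powershell
# Added example (not from the original page): create a security group in Azure AD
# with the Windows PowerShell MSOnline module, add a member, and list the membership.
# Group and user names below are constructed sample values.

# Sign in to Azure AD with an account that has group-management rights.
Connect-MsolService

# Create the security group. Later cmdlets key on the ObjectId it returns.
$group = New-MsolGroup -DisplayName "Sales-SaaS-App-Access" `
                       -Description "Grants access to the sales SaaS application (sample)"

# Look up the user to add; the UPN is a constructed placeholder.
$user = Get-MsolUser -UserPrincipalName "alice@contoso.example"

# Add the user as a member of the group.
Add-MsolGroupMember -GroupObjectId $group.ObjectId `
                    -GroupMemberType User `
                    -GroupMemberObjectId $user.ObjectId

# List the resulting membership. Reviewing this periodically is how an administrator
# keeps sight of who can reach an application whose access is assigned to the group,
# even when day-to-day membership changes are delegated to the business owner.
Get-MsolGroupMember -GroupObjectId $group.ObjectId |
    Select-Object DisplayName, EmailAddress, GroupMemberType
```

Because the group's membership is what grants application access, the final listing is the check worth scheduling: it shows exactly the set of users the delegated owner has admitted, independently of the Access Panel view.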

In Azure AD Premium, assigning access for a group to a SaaS application simplifies access management: you control who can use the application by managing the group's membership.

Can Azure AD groups be managed through on-premises Forefront Identity Manager (FIM) with BHOLD Suite for role management?

  • It is possible to create an on-premises AD Group and manage the group memberships through on-premises Forefront Identity Manager (FIM) with BHOLD Suite for role management, and then use this group to assign users to SaaS applications in Azure AD.

  • Currently, only on-premises AD groups can be created and managed through FIM and/or BHOLD. There are future plans for the directory synchronization process (Directory Sync Scenario) to work in both directions: on-premises to cloud and cloud to on-premises. This will allow you to use on-premises tools like FIM and BHOLD to also manage groups created in Azure AD.

  • The directory synchronization mechanism will not support multiple masters for a group. Therefore, groups must be managed either from Azure AD or by using an on-premises tool, like FIM, but not by using both at the same time.

© 2014 Microsoft