Hi I have question regarding the Device management in Azure AD. Suppose I have two group Group 1 & Group 2. Group 1 has Assigned membership & Group 2 has Dynamic Device membership assigned. The owner for Group 1 is User 1 which is Cloud Device administrator & Owner for Group 2 is User 2 which is User administrator. Now I have two device Device 1 which is AD Joined & Device 2 which is AD registered? Can I know if I User 2 can add Device 2 to Group 2 and any specific reason for the answer? Similarly can User 1 add both the devices to either group?

Hello @ChandreshModi-8300 , User 2 (User administrator) can update the membership of both the groups, regardless of whether he is owner of the group or not because User administrator role has the permission to update group membership. He can add users, devices, other groups to any group in Azure AD. Below is the permission that user administrator role has: microsoft.directory/groups/members/update - Update groups.members property in Azure Active Directory. On the other hand User1 (Cloud Device administrator) can add members to only Group1 as he is the owner of that group and he can add users, devices and other groups only to Group1. With Cloud Device administrator role, you can Delete/Disable/Enable devices in Azure Active Directory but you cannot Add/Remove Users in the directory. With User administrator role, you can Add/Remove users in Azure AD but cannot Delete/Disable/Enable the devices. Read more: Cloud Device Administrator permissions User Administrator permissions Please do not forget to " Accept the answer " wherever the information provided helps you. This will help others in the community as well.

Thanks @amanpreetsingh-msft ....This helps my understanding.

Azure AD Device Management

Accepted answer

AmanpreetSingh-MSFT 56,311 Reputation points

2020-06-29T08:15:54.31+00:00
Hello @ChandreshModi-8300,

User 2 (User administrator) can update the membership of both the groups, regardless of whether he is owner of the group or not because User administrator role has the permission to update group membership. He can add users, devices, other groups to any group in Azure AD. Below is the permission that user administrator role has:

microsoft.directory/groups/members/update - Update groups.members property in Azure Active Directory.

On the other hand User1 (Cloud Device administrator) can add members to only Group1 as he is the owner of that group and he can add users, devices and other groups only to Group1.

With Cloud Device administrator role, you can Delete/Disable/Enable devices in Azure Active Directory but you cannot Add/Remove Users in the directory.

With User administrator role, you can Add/Remove users in Azure AD but cannot Delete/Disable/Enable the devices.

Read more:
Cloud Device Administrator permissions
User Administrator permissions

Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
Please sign in to rate this answer.

9 people found this answer helpful.
AmanpreetSingh-MSFT 56,311 Reputation points

2020-07-02T15:10:15.343+00:00

Hello @Chandresh Modi Hope the above answer was helpful. Please Accept the answer if the information provided helped you. Feel free to tag me in your reply if you have any question.

swati singhvi 21 Reputation points

2021-02-25T04:18:20.087+00:00

continuing the above thread ....

As per the explanation given by you ,if the user2 is owner of both the group 1,group2

Will user 1 be able to add device 2 to group 1? Yes

Will user 2 able to add device 1 to group 1? Yes

Will user 2 be able to add device 2 to group 1? Yes

plz comment if my understanding is correct

David Monton Viña 21 Reputation points

2021-03-15T12:57:34.997+00:00

User 2 can't manually add or remove a member of a dynamic group.

https://learn.microsoft.com/es-es/azure/active-directory/enterprise-users/groups-dynamic-membership

If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or remove a member of a dynamic group.

VishnuSakhamuri 6 Reputation points

2021-11-16T19:57:25.653+00:00

When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or remove a member of a dynamic group. https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
@AmanpreetSingh-MSFT
Per this microsoft documentation User 2 cant do anything manually to add member of a dynamic group.

CloudUser 6 Reputation points

2022-10-11T11:37:08.867+00:00

Hello,
User administrator can't add or join devices. see it here. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
Don't give wrong information.
Sign in to comment

Azure AD Device Management

1 additional answer