ChandreshModi-8300 asked ·

Azure AD Device Management

Hi, I have a question regarding device management in Azure AD.

Suppose I have two groups, Group 1 & Group 2. Group 1 has Assigned membership & Group 2 has Dynamic Device membership.

The owner of Group 1 is User 1, who is a Cloud Device administrator, & the owner of Group 2 is User 2, who is a User administrator.

Now I have two devices: Device 1, which is AD joined, & Device 2, which is AD registered.

Can I know whether User 2 can add Device 2 to Group 2, and the specific reason for the answer?

Similarly, can User 1 add both devices to either group?

azure-active-directory

User 1 (Cloud Device administrator) can add members only to Group 1, as he is the owner of that group, and he can add users, devices and other groups only to Group 1.

User 2 (User administrator) can update the membership of any assigned group, regardless of whether he is the owner of the group or not, because the User administrator role has the permission to update group membership. He can add users and devices to any assigned group in Azure AD.
But User 2 can't manually add or remove a member of a dynamic group.

https://docs.microsoft.com/es-es/azure/active-directory/enterprise-users/groups-dynamic-membership


If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or remove a member of a dynamic group.

amanpreetsingh-msft answered ·

Hello @ChandreshModi-8300,


User 2 (User administrator) can update the membership of both groups, regardless of whether he is the owner of the group or not, because the User administrator role has the permission to update group membership. He can add users, devices and other groups to any group in Azure AD. Below is the permission that the User administrator role has:


microsoft.directory/groups/members/update - Update groups.members property in Azure Active Directory.


On the other hand, User 1 (Cloud Device administrator) can add members only to Group 1, as he is the owner of that group, and he can add users, devices and other groups only to Group 1.


With the Cloud Device administrator role, you can delete/disable/enable devices in Azure Active Directory but you cannot add/remove users in the directory.


With the User administrator role, you can add/remove users in Azure AD but cannot delete/disable/enable devices.


Read more:
Cloud Device Administrator permissions
User Administrator permissions




Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.



Hello @ChandreshModi-8300 Hope the above answer was helpful. Please Accept the answer if the information provided helped you. Feel free to tag me in your reply if you have any question.


Continuing the above thread...

As per the explanation given by you, if User 2 is the owner of both Group 1 and Group 2:

Will User 1 be able to add Device 2 to Group 1? Yes

Will User 2 be able to add Device 1 to Group 1? Yes

Will User 2 be able to add Device 2 to Group 1? Yes

Please comment if my understanding is correct.



User 2 can't manually add or remove a member of a dynamic group.

https://docs.microsoft.com/es-es/azure/active-directory/enterprise-users/groups-dynamic-membership

If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or remove a member of a dynamic group.

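The two checks the answer and the comments above boil down to (is the target group assigned or dynamic, and does the caller have the right to update its members) can be made explicit in a script instead of discovered from a failed add. The following Microsoft Graph PowerShell example is added here and is not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, that the caller signs in as the user whose rights are being tested (User 1 or User 2 in the question), and that the group and device display names are placeholders for the tenant's real objects.

```powershell
# Added example, not part of the original thread. Requires the Microsoft.Graph
# PowerShell SDK. Sign in as the user whose rights you want to exercise
# (e.g. User 1 the group owner, or User 2 the User administrator).
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All' -NoWelcome

function Add-DeviceToGroupIfAssigned {
    param(
        [Parameter(Mandatory)] [string] $GroupDisplayName,
        [Parameter(Mandatory)] [string] $DeviceDisplayName
    )

    $group = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'" `
        -Property 'id', 'displayName', 'groupTypes', 'membershipRule', 'membershipRuleProcessingState' |
        Select-Object -First 1
    if (-not $group) { throw "Group '$GroupDisplayName' not found" }

    # A dynamic group carries 'DynamicMembership' in groupTypes. Its members are
    # computed from membershipRule, so a manual add is refused regardless of the
    # caller's role or ownership. The only ways in are to change the rule or to
    # make the device satisfy it.
    if ($group.GroupTypes -contains 'DynamicMembership') {
        Write-Warning "'$($group.DisplayName)' is a dynamic group (rule: $($group.MembershipRule)); members cannot be added by hand."
        return $false
    }

    $device = Get-MgDevice -Filter "displayName eq '$DeviceDisplayName'" |
        Select-Object -First 1
    if (-not $device) { throw "Device '$DeviceDisplayName' not found" }

    # New-MgGroupMember fails if the object is already a member, so check first.
    $already = Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -EQ $device.Id
    if ($already) {
        Write-Host "'$DeviceDisplayName' is already a member of '$($group.DisplayName)'"
        return $true
    }

    try {
        # Azure AD joined and Azure AD registered devices are both device objects
        # in the directory, so the same call covers Device 1 and Device 2.
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id -ErrorAction Stop
        Write-Host "Added '$DeviceDisplayName' to '$($group.DisplayName)'"
        return $true
    }
    catch {
        # An authorization failure here means the signed-in user is neither an
        # owner of this group nor holds a role that grants
        # microsoft.directory/groups/members/update (such as User Administrator).
        Write-Warning "Add failed: $($_.Exception.Message)"
        return $false
    }
}

# The scenario from the question: Group 1 is assigned, Group 2 is dynamic.
Add-DeviceToGroupIfAssigned -GroupDisplayName 'Group 1' -DeviceDisplayName 'Device 2'   # succeeds for an owner or User administrator
Add-DeviceToGroupIfAssigned -GroupDisplayName 'Group 2' -DeviceDisplayName 'Device 2'   # refused before any Graph write: dynamic group
```

Run the same two calls once signed in as User 1 and once as User 2 to see the difference the thread describes: the owner of Group 1 succeeds on Group 1 only, the User administrator succeeds on any assigned group, and neither can push Device 2 into the dynamic Group 2.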
ChandreshModi-8300 answered ·

Thanks @amanpreetsingh-msft ....This helps my understanding.
