Azure AD simplifies security group management by offering self-service capabilities. By default an administrator handles every request to add someone to, or remove someone from, a group or set of groups; this is repetitive work that creates no value for the organization. Azure AD offers two ways to hand this work off: delegated group management and self-service group management.
Delegated group management: the administrator delegates management of an existing group to the people best placed to do it. Suppose the administrator delegates a group to user A, who then manages its membership for the team. Later the manager extends the team with new members and wants a user B from the extended team to manage the membership of those new people, so the administrator delegates the group to user B as well. User A and user B can now each manage the membership of their own team members or peers independently, but neither can manage on behalf of the other.
Self-service group management: a user creates a new security group and manages its membership. The group owner can assign ownership to other users, or ask an administrator to do so. If a single security group is used by two teams to assign access to an application, and the administrator later wants to roll out a new application from the gallery, it only takes assigning the new application to that same group; any user added to the group from then on gets access to the new application as well. Keep the flip side in mind: whoever owns such a group effectively decides who can reach every application assigned to it, so restrict group creation and ownership to people you would trust with that access decision.
Now, let's look at how to set it up.
First, an administrator has to enable the feature. Sign in to https://portal.azure.com or https://aad.portal.azure.com. In my case I am using https://aad.portal.azure.com.
Go to Users and groups.
Go to Group settings.
In the General section of this blade, enable self-service group management. You can also specify whether users can create security groups and who is allowed to manage them. In my scenario only members of the SSGM group can manage security groups.
Now ask users to sign in to https://aad.portal.azure.com; from there they can manage their own security groups.
Once signed in, go to Users and groups.
Go to All groups and click +New group to create a new security group.
Fill in the required details and add members.
Once the group is created, you can add members to it at any time.
You will notice that when another user who has the privilege to manage security groups tries to manage this group, he cannot add anyone to it or remove anyone from it.
That changes once the owner of the security group, or an administrator, grants this privileged user the right to manage it by adding him under Owners.
Now you can see that he can manage the membership of the security group.
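The same user-side workflow can be scripted instead of clicked through. The following is an added example, not code from the original post or from Microsoft: it uses the AzureAD PowerShell module (the module of the same era as this portal) to create the security group, add members, check who owns it, and then delegate it to a second user the way steps above describe. It assumes Connect-AzureAD has been run as the user who will create the group, and the group name and user principal names are placeholders for objects in your own tenant. The tenant-wide toggle from the Group settings blade is not reproduced here; it is set in the portal as described.

```powershell
# Added example (not from the original post): self-service security group lifecycle
# driven from PowerShell with the AzureAD module.
# Assumptions: Connect-AzureAD has already been run as the group creator; the group
# name and UPNs below are placeholders for objects in your own tenant.
Import-Module AzureAD

$groupName  = 'App-Finance-Users'                                   # placeholder
$coOwnerUpn = 'userB@contoso.onmicrosoft.com'                       # placeholder: the second "privileged" user
$memberUpns = 'user1@contoso.onmicrosoft.com', 'user2@contoso.onmicrosoft.com'   # placeholders

function Test-GroupOwner {
    # True when the user appears in the group's owner list. Ownership, not a tenant-wide
    # "can manage security groups" privilege, is what lets a self-service user change membership.
    param([string]$GroupId, [string]$UserId)
    $owners = Get-AzureADGroupOwner -ObjectId $GroupId -All $true
    return [bool]($owners | Where-Object { $_.ObjectId -eq $UserId })
}

function Add-GroupMemberSafely {
    # A membership change by someone who is neither an owner nor a directory admin is
    # rejected with Authorization_RequestDenied; report it instead of aborting the script.
    param([string]$GroupId, [string]$UserId)
    try {
        Add-AzureADGroupMember -ObjectId $GroupId -RefObjectId $UserId -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Could not add $UserId to group $GroupId`: $($_.Exception.Message)"
        return $false
    }
}

# 1. Create the security group (mail-disabled, security-enabled). MailNickName is mandatory
#    even for mail-disabled groups, so derive an alphanumeric one from the display name.
$group = New-AzureADGroup -DisplayName $groupName -MailEnabled $false `
            -MailNickName ($groupName -replace '[^A-Za-z0-9]', '') -SecurityEnabled $true `
            -Description 'Self-service managed security group'

# 2. Make the creator an explicit owner rather than relying on API defaults.
$me = Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id
Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $me.ObjectId

# 3. Add the initial members.
foreach ($upn in $memberUpns) {
    $u = Get-AzureADUser -ObjectId $upn
    Add-GroupMemberSafely -GroupId $group.ObjectId -UserId $u.ObjectId | Out-Null
}

# 4. User B is allowed to manage security groups in general but is not an owner of this
#    one, so any Add-/Remove-AzureADGroupMember he runs against it is denied.
$userB = Get-AzureADUser -ObjectId $coOwnerUpn
"User B owns the group before delegation: $(Test-GroupOwner -GroupId $group.ObjectId -UserId $userB.ObjectId)"

# 5. The owner delegates by adding user B to the owner list. From now on both users
#    manage the membership independently.
Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $userB.ObjectId
"User B owns the group after delegation:  $(Test-GroupOwner -GroupId $group.ObjectId -UserId $userB.ObjectId)"

# 6. Review the final state; this is the list worth auditing periodically, because
#    every owner here can grant access to whatever applications the group is assigned to.
Get-AzureADGroupOwner  -ObjectId $group.ObjectId | Select-Object DisplayName, UserPrincipalName
Get-AzureADGroupMember -ObjectId $group.ObjectId | Select-Object DisplayName, UserPrincipalName
```

Run the script as the user who should create and own the group; the membership add in step 3 succeeds for that user, while the same Add-AzureADGroupMember call issued from user B's own session fails until step 5 has been carried out by an owner or an administrator.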
You can do many more things with self-service group management. Play with it and share your experiences and questions through the comment box.