You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/users-groups-roles/groups-self-service-management.md
+12-12Lines changed: 12 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,7 +11,7 @@ ms.service: active-directory
11
11
ms.workload: identity
12
12
ms.subservice: users-groups-roles
13
13
ms.topic: conceptual
14
-
ms.date: 03/18/2019
14
+
ms.date: 03/10/2020
15
15
ms.author: curtand
16
16
17
17
ms.reviewer: krbain
@@ -25,7 +25,7 @@ You can enable users to create and manage their own security groups or Office 36
25
25
26
26
## Self-service group membership defaults
27
27
28
-
When security groups are created in the Azure portal or using Azure AD PowerShell, only the group's owners can update membership. Security groups created in the [Access panel](https://account.activedirectory.windowsazure.com/r#/joinGroups) and all Office 365 groups are available to join for all users, whether owner-approved or auto-approved. In the Access panel, you can change membership options when you create the group.
28
+
When security groups are created in the Azure portal or using Azure AD PowerShell, only the group's owners can update membership. Security groups created by self-service in the [Access panel](https://account.activedirectory.windowsazure.com/r#/joinGroups) and all Office 365 groups are available to join for all users, whether owner-approved or auto-approved. In the Access panel, you can change membership options when you create the group.
29
29
30
30
Groups created in | Security group default behavior | Office 365 group default behavior
@@ -36,24 +36,24 @@ Groups created in | Security group default behavior | Office 365 group default b
36
36
## Self-service group management scenarios
37
37
38
38
***Delegated group management**
39
-
An example is an administrator who is managing access to a SaaS application that the company is using. Managing these access rights is becoming cumbersome, so this administrator asks the business owner to create a new group. The administrator assigns access for the application to the new group, and adds to the group all people already accessing the application. The business owner then can add more users, and those users are automatically provisioned to the application. The business owner doesn't need to wait for the administrator to manage access for users. If the administrator grants the same permission to a manager in a different business group, then that person can also manage access for their own group members. Neither the business owner nor the manager can view or manage each other’s group memberships. The administrator can still see all users who have access to the application and block access rights if needed.
39
+
An example is an administrator who is managing access to a SaaS application that the company is using. Managing these access rights is becoming cumbersome, so this administrator asks the business owner to create a new group. The administrator assigns access for the application to the new group, and adds to the group all people already accessing the application. The business owner then can add more users, and those users are automatically provisioned to the application. The business owner doesn't need to wait for the administrator to manage access for users. If the administrator grants the same permission to a manager in a different business group, then that person can also manage access for their own group members. Neither the business owner nor the manager can view or manage each other's group memberships. The administrator can still see all users who have access to the application and block access rights if needed.
40
40
***Self-service group management**
41
-
An example of this scenario is two users who both have SharePoint Online sites that they set up independently. They want to give each other’s teams access to their sites. To accomplish this, they can create one group in Azure AD, and in SharePoint Online each of them selects that group to provide access to their sites. When someone wants access, they request it from the Access Panel, and after approval they get access to both SharePoint Online sites automatically. Later, one of them decides that all people accessing the site should also get access to a particular SaaS application. The administrator of the SaaS application can add access rights for the application to the SharePoint Online site. From then on, any requests that get approved gives access to the two SharePoint Online sites and also to this SaaS application.
41
+
An example of this scenario is two users who both have SharePoint Online sites that they set up independently. They want to give each other's teams access to their sites. To accomplish this, they can create one group in Azure AD, and in SharePoint Online each of them selects that group to provide access to their sites. When someone wants access, they request it from the Access Panel, and after approval they get access to both SharePoint Online sites automatically. Later, one of them decides that all people accessing the site should also get access to a particular SaaS application. The administrator of the SaaS application can add access rights for the application to the SharePoint Online site. From then on, any requests that get approved gives access to the two SharePoint Online sites and also to this SaaS application.
42
42
43
43
## Make a group available for user self-service
44
44
45
45
1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with an account that's a global admin for the directory.
46
-
2. Select **Users and groups**, and then select **Group settings**.
47
-
3. Set **Self-service group management enabled** to **Yes**.
48
-
4. Set **Users can create security groups** or **Users can create Office 365 groups** to **Yes**.
49
-
* When these settings are enabled, all users in your directory are allowed to create new security groups and add members to these groups. These new groups would also show up in the Access Panel for all other users. If the policy setting on the group allows it, other users can create requests to join these groups.
50
-
* When these settings are disabled, users can't create groups and can't change existing groups for which they are an owner. However, they can still manage the memberships of those groups and approve requests from other users to join their groups.
46
+
1. Select **Groups**, and then select **General** settings.
47
+
1. Set **Owners can manage group membership requests in the Access Panel** to **Yes**.
48
+
1. Set **Restrict access to Groups in the Access Panel** to **No**.
49
+
1. If you set **Users can create security groups in Azure portals** or **Users can create Office 365 groups in Azure portals** to
51
50
52
-
You can also use **Users who can manage security groups** and **Users who can manage Office 365 groups** to achieve more granular access control over self-service group management for your users. When **Users can create groups** is enabled, all users in your tenant are allowed to create new groups and add members to these groups. You can't specify individuals who can create their own groups. You can specify individuals only for making another group member a group owner.
51
+
-**Yes**: All users in your Azure AD organization are allowed to create new security groups and add members to these groups. These new groups would also show up in the Access Panel for all other users. If the policy setting on the group allows it, other users can create requests to join these groups
52
+
-**No**: Users can't create groups and can't change existing groups for which they are an owner. However, they can still manage the memberships of those groups and approve requests from other users to join their groups.
53
53
54
-
By setting **Users who can use self-service for security groups** and **Users who can manage Office 365 groups** to **Yes**, you enable all users in your tenant to create new groups.
54
+
You can also use **Owners who can assign members as group owners in Azure portals** and **Owners who can assign members as group owners in Azure portals** to achieve more granular access control over self-service group management for your users.
55
55
56
-
You can also use **Group that can manage security groups** or **Group that can manage Office 365 groups** to specify a single group whose members can use self-service.
56
+
When users can create groups, all users in your organization are allowed to create new groups and then can, as the default owner, add members to these groups. You can't specify individuals who can create their own groups. You can specify individuals only for making another group member a group owner.
0 commit comments