articles/active-directory/users-groups-roles/directory-assign-admin-roles.md
Lines changed: 27 additions & 0 deletions
@@ -234,6 +234,10 @@ Users in this role can read settings and administrative information across Micro
234
234
> These features are currently in development.
235
235
>
236
236
237
+
### [Group Administrator](#group-administrator)
238
+
239
+
Users in this role can create/manage groups and its settings like naming and expiration policies. It is important to understand that assigning a user to this role gives them the ability to manage all groups in the tenant across various workloads like Teams, SharePoint, Yammer in addition to Outlook. Also the user will be able to manage the various groups settings across various admin portals like Microsoft Admin Center, Azure Portal, as well as workload specific ones like Teams and SharePoint Admin Centers.
240
+
237
241
### [Guest Inviter](#guest-inviter-permissions)
238
242
239
243
Users in this role can manage Azure Active Directory B2B guest user invitations when the **Members can invite** user setting is set to No. More information about B2B collaboration at [About Azure AD B2B collaboration](https://docs.microsoft.com/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b). It does not include any other permissions.
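Review bot: The new heading links to `#group-administrator`, while the neighbouring Guest Inviter heading links to `#guest-inviter-permissions`; since the permissions section added later in this commit is also titled "Group Administrator", the description heading will likely resolve to itself instead of the permissions table. Point the link at the permissions section's anchor, following the pattern the Guest Inviter heading uses. In the paragraph, "create/manage groups and its settings" should read "their settings", and the sentence that starts "It is important to understand" carries the key least-privilege fact (the role manages all groups in the tenant across Teams, SharePoint, Yammer and Outlook), so consider setting it off as a note callout like the `>` block above it so it is not buried mid-paragraph.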
@@ -1058,6 +1062,28 @@ Can read everything that a Global Administrator can, but not edit anything.
| microsoft.office365.webPortal/allEntities/standard/read | Read standard properties on all resources in microsoft.office365.webPortal. |
1060
1064
1065
+
### Group Administrator
1066
+
Can manage all aspects of groups and group settings like naming and expiration policies
1067
+
1068
+
|**Actions**|**Description**|
1069
+
| --- | --- |
1070
+
| microsoft.directory/groups/basic/read | Read standard properties on Groups in Azure Active Directory. |
1071
+
| microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. |
1072
+
| microsoft.directory/groups/create | Create groups in Azure Active Directory. |
1073
+
| microsoft.directory/groups/createAsOwner | Create groups in Azure Active Directory. Creator is added as the first owner, and the created object counts against the creator's 250 created objects quota. |
1074
+
| microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
1075
+
| microsoft.directory/groups/hiddenMembers/read | Read groups.hiddenMembers property in Azure Active Directory. |
1076
+
| microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. |
1077
+
| microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. |
1078
+
| microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
1079
+
| microsoft.directory/groups/settings/update | Update groups.settings property in Azure Active Directory. |
1080
+
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
1081
+
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
1082
+
| microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
1083
+
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
1084
+
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
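Review bot: The summary line "Can manage all aspects of groups and group settings like naming and expiration policies" is missing its closing period and understates what the table grants: `groups/members/update` and `groups/owners/update` let the role holder change the membership and ownership of any group, which is what a reader deciding on an assignment needs to see first, so say so in the summary. The description for `groups/basic/read` says "standard properties on Groups" while `groups/basic/update` says "basic properties on groups"; use one term and one capitalisation. The table lists `groups/hiddenMembers/read` and the two update actions but no matching `members/read` or `owners/read`; please confirm that omission is intentional. The descriptions for `groups/create` and `groups/createAsOwner` begin with the same sentence, so the `create` row should state how it differs (for example, whether the creator is added as an owner and whether the quota applies).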