Using the Groups Admin Role

The Problem of Day-to-Day Group Management

The GroupCreationAllowedGroupId setting in the Azure Active Directory policy for groups allows tenants to dictate which users can create new Office 365 Groups using clients like Outlook and OWA or apps like Teams, Planner, and Yammer. Tenant administrators and holders of administrative roles like Teams service administrator or User account administrator are not constrained by group creation restrictions imposed by the policy.

However, being allowed to create new groups by policy does nothing to allow the people who created groups to perform day-to-day management of the same groups thereafter, so this work had to be done by tenant administrators. The situation is acceptable in small tenants but becomes more problematic as the number of groups grows.

The Groups Admin Role

The Groups admin role is designed to solve the problem. Introduced in November 2019, this is a standard Office 365 administrative role which can be assigned to user accounts through the Microsoft 365 Admin Center, Azure Active Directory portal (where the role is called Groups Administrator), or PowerShell. To assign the role through the Microsoft 365 Admin Center, select an account, then Manage roles. The Groups Admin role is not one of the default roles shown, so click Show all by category and you’ll find the role under Collaboration (Figure 1).

 Assigning the Groups Admin role through the Microsoft 365 Admin Center
Figure 1: Assigning the Groups Admin role through the Microsoft 365 Admin Center

What The Groups Admin Role Does

When assigned, the Groups Admin role allows the holder to manage the following Office 365 Groups actions:

  • Create, edit, delete, and restore Office 365 groups and Azure Active Directory security groups.
  • Create, edit, and delete group creation, expiration, and naming policies.

Groups admins can manage groups and group policies through administrative interfaces such as the Microsoft 365 Admin Center or PowerShell. Holding the role does not allow groups admins to create new groups through client interfaces like OWA. If you want Groups admins to be able to create groups everywhere, you must add them to the group defined to control group creation in the Azure Active Directory Groups policy.

Matching Groups Creation with Groups Management

Because the Groups admin role is new, it’s possible that tenants who already control group creation by policy might want the same set of users to be members of the group allowed to create new groups and hold the Groups admin role. This is easily done with PowerShell. The script below:

  • Checks if group creation is controlled by policy.
  • If yes, fetches the members of the group allowed to create new groups.
  • Assigns the Groups admin role to each member.
  • Lists the current holders of the Groups admin role.

Of course, you could also do the reverse and add the users who hold the Groups admin role to the group allowed to create new groups. All a matter of a few lines of PowerShell code.


The Office 365 for IT Pros eBook includes many suggestions for group management. It’s one of the areas we keep a close eye on.

Advertisements

One Reply to “Using the Groups Admin Role”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.