### YamlMime:HowTo
---
metadata:
title: How to manage groups
description: Instructions about how to create and update Microsoft Entra groups, such as membership and settings.
author: shlipsey3
ms.author: sarahlipsey
manager: amycolannino
ms.date: 01/05/2024
ms.service: entra
ms.subservice: fundamentals
ms.topic: how-to
ms.custom:
- ge-structured-content-pilot
title: |
Manage Microsoft Entra groups and group membership
introduction: |
Microsoft Entra groups are used to manage users that all need the same access and permissions to resources, such as potentially restricted apps and services. Instead of adding special permissions to individual users, you create a group that applies the special permissions to every member of that group.
This article covers basic group scenarios where a single group is added to a single resource and users are added as members to that group. For more complex scenarios like dynamic memberships and rule creation, see the [Microsoft Entra user management documentation](~/identity/users/index.yml).
Before adding groups and members, [learn about groups and membership types](concept-learn-about-groups.md) to help you decide which options to use when you create a group.
procedureSection:
- title: |
Create a basic group and add members
summary: |
[!INCLUDE [portal updates](~/includes/portal-update.md)]
You can create a basic group and add your members at the same time using the Microsoft Entra admin center. Microsoft Entra roles that can manage groups include **Groups Administrator**, **User Administrator**, **Privileged Role Administrator**, or **Global Administrator**. Review the [appropriate Microsoft Entra roles for managing groups](~/identity/role-based-access-control/delegate-by-task.md#groups).
To create a basic group and add members:
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
- |
Browse to **Identity** > **Groups** > **All groups**.
- |
Select **New group**.
:::image type="content" source="media/how-to-manage-groups/new-group.png" alt-text="Screenshot of the 'Microsoft Entra groups' page with 'New group' option highlighted.":::
- |
Select a **Group type**. For more information on group types, see the [learn about groups and membership types](concept-learn-about-groups.md) article.
- Selecting the **Microsoft 365** Group type enables the **Group email address** option.
- |
Enter a **Group name.** Choose a name that you'll remember and that makes sense for the group. A check will be performed to determine if the name is already in use. If the name is already in use, you'll be asked to change the name of your group.
- The name of the group can't start with a space. Starting the name with a space prevents the group from appearing as an option for steps such as adding role assignments to group members.
- |
**Group email address**: Only available for Microsoft 365 group types. Enter an email address manually or use the email address built from the Group name you provided.
- |
**Group description.** Add an optional description to your group.
- |
Switch the **Microsoft Entra roles can be assigned to the group** setting to yes to use this group to assign Microsoft Entra roles to members.
- This option is only available with P1 or P2 licenses.
- You must have the **Privileged Role Administrator** or **Global Administrator** role.
- Enabling this option automatically selects **Assigned** as the Membership type.
- The ability to add roles while creating the group is added to the process.
- [Learn more about role-assignable groups](~/identity/role-based-access-control/groups-create-eligible.md).
- |
Select a **Membership type.** For more information on membership types, see the [learn about groups and membership types](concept-learn-about-groups.md) article.
- |
Optionally add **Owners** or **Members**. Members and owners can be added after creating your group.
1. Select the link under **Owners** or **Members** to populate a list of every user in your directory.
1. Choose users from the list and then select the **Select** button at the bottom of the window.
:::image type="content" source="media/how-to-manage-groups/add-members.png" alt-text="Screenshot of selecting members for your group during the group creation process.":::
- |
Select **Create**. Your group is created and ready for you to manage other settings.
### Turn off group welcome email
A welcome notification is sent to all users when they're added to a new Microsoft 365 group, regardless of the membership type. When an attribute of a user or device changes, all dynamic group rules in the organization are processed for potential membership changes. Users who are added then also receive the welcome notification. You can turn off this behavior in [Exchange PowerShell](/powershell/module/exchange/set-unifiedgroup).
- title: |
Add members or owners of a group
summary: |
Members and owners can be added to existing groups. The process is the same for members and owners. You'll need the **Groups Administrator** or **User Administrator** role to add members and owners.
Need to add multiple members at one time? Learn about the [add members in bulk](~/identity/users/groups-bulk-import-members.md) option.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
- |
Browse to **Identity** > **Groups** > **All groups**.
- |
Select the group you need to manage.
- |
Select either **Members** or **Owners**.
:::image type="content" source="media/how-to-manage-groups/groups-members-owners.png" alt-text="Screenshot of the Group overview page with Members and Owners menu options highlighted.":::
- |
Select **+ Add** (members or owners).
- |
Scroll through the list or enter a name in the search box. You can choose multiple names at one time. When you're ready, select the **Select** button.
The **Group Overview** page updates to show the number of members who are now added to the group.
- title: |
Remove members or owners of a group
summary: |
Members and owners can be removed from existing groups. The process is the same for members and owners. You'll need the **Groups Administrator** or **User Administrator** role to remove members and owners.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
- |
Browse to **Identity** > **Groups** > **All groups**.
- |
Select the group you need to manage.
- |
Select either **Members** or **Owners**.
- |
Check the box next to a name from the list and select the **Remove** button.
:::image type="content" source="media/how-to-manage-groups/groups-remove-member.png" alt-text="Screenshot of group members with a name selected and the Remove button highlighted.":::
- title: |
Edit group settings
summary: |
You can edit a group's name, description, or membership type. You'll need the **Groups Administrator** or **User Administrator** role to edit a group's settings.
To edit your group settings:
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
- |
Browse to **Identity** > **Groups** > **All groups**.
- |
Scroll through the list or enter a group name in the search box. Select the group you need to manage.
- |
Select **Properties** from the side menu.
:::image type="content" source="media/how-to-manage-groups/groups-overview.png" alt-text="Screenshot of the Group overview page with Properties menu option highlighted.":::
- |
Update the **General settings** information as needed, including:
- **Group name.** Edit the existing group name.
- **Group description.** Edit the existing group description.
- **Group type.** You can't change the type of group after it's been created. To change the **Group type**, you must delete the group and create a new one.
- **Membership type.** Change the membership type. If you enabled the **Microsoft Entra roles can be assigned to the group** option, you can't change the membership type. For more info about the available membership types, see the [learn about groups and membership types](concept-learn-about-groups.md) article.
- **Object ID.** You can't change the Object ID, but you can copy it to use in your PowerShell commands for the group. For more info about using PowerShell cmdlets, see [Microsoft Entra cmdlets for configuring group settings](~/identity/users/groups-settings-v2-cmdlets.md).
- title: |
Add a group to another group
summary: |
For the security group type, you can add an existing group to another group (also known as nested groups). Depending on the group membership types, you can add a group as a member of another group, just like a user, which applies settings like access permissions and roles to nested groups. But for nested groups, Entra doesn't apply assigned membership to shared resources and applications.
You'll need the **Groups Administrator** or **User Administrator** role to edit group membership. For more info about security groups, see [What to know before creating a group](concept-learn-about-groups.md#what-to-know-before-creating-a-group).
We currently don't support:
- Adding groups to a group synced with on-premises Active Directory.
- Adding security groups to Microsoft 365 groups.
- Adding Microsoft 365 groups to security groups or other Microsoft 365 groups.
- Assigned membership to shared resources and apps for nested security groups.
- Applying licenses to nested security groups.
- Adding distribution groups in nesting scenarios.
- Adding security groups as members of mail-enabled security groups.
- Adding groups as members of a role-assignable group.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
- |
Browse to **Identity** > **Groups** > **All groups**.
- |
On the **All groups** page, search for and select the group you want to become a member of another group.
>[!Note]
>You can only add your group as a member to one other group at a time. Wildcard characters aren't supported in the **Select Group** search box.
- |
On the group Overview page, select **Group memberships** from the side menu.
- |
Select **+ Add memberships**.
- |
Locate the group you want your group to be a member of and choose **Select**.
For this exercise, we're adding "MDM policy - West" to the "MDM policy - All org" group. The "MDM policy - West" group will have the same access as the "MDM policy - All org" group.
:::image type="content" source="media/how-to-manage-groups/nested-groups-selected.png" alt-text="Screenshot of making a group the member of another group with Group membership from the side menu and 'Add membership' option highlighted.":::
Now you can review the "MDM policy - West - Group memberships" page to see the group and member relationship.
For a more detailed view of the group and member relationship, select the parent group name (MDM policy - All org) and take a look at the "MDM policy - West" page details.
- title: |
Remove a group from another group
summary: |
For the security group type, you can add an existing group to another group (also known as nested groups). Depending on the group membership types, you can add a group as a member of another group, just like a user, which applies settings like access permissions and roles to nested groups. But for nested groups, Entra doesn't apply assigned membership to shared resources and applications.
You'll need the **Groups Administrator** or **User Administrator** role to edit group membership. For more info about security groups, see [What to know before creating a group](concept-learn-about-groups.md#what-to-know-before-creating-a-group).
You can remove an existing Security group from another Security group; however, removing the group also removes any inherited access for its members.
steps:
- |
On the **All groups** page, search for and select the group you need to remove as a member of another group.
- |
On the group Overview page, select **Group memberships**.
- |
Select the parent group from the **Group memberships** page.
- |
Select **Remove**.
For this exercise, we're now going to remove "MDM policy - West" from the "MDM policy - All org" group.
:::image type="content" source="media/how-to-manage-groups/remove-nested-group.png" alt-text="Screenshot of the 'Group membership' page showing both the member and the group details with 'Remove membership' option highlighted.":::
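Because removing a nested group also removes inherited access for its members, it helps to work out who is affected before selecting **Remove**. The following is an added example, not Microsoft's code: an offline model with constructed group and user names (the `g:`/`u:` prefixes and the East group are assumptions) that lists the users who reach the parent group only through the group being removed.

```python
# Constructed sample directory: group -> direct members.
# "g:" marks a group and "u:" a user (a convention assumed for this example).
DIRECTORY = {
    "g:MDM policy - All org": {"g:MDM policy - West", "g:MDM policy - East", "u:dana"},
    "g:MDM policy - West": {"u:alex", "u:blake", "u:dana"},
    "g:MDM policy - East": {"u:blake", "u:casey"},
}


def transitive_users(directory, group, _seen=None):
    """Return every user reachable from `group` through nested groups."""
    seen = set() if _seen is None else _seen
    if group in seen:  # already expanded, or a membership cycle
        return set()
    seen.add(group)
    users = set()
    for member in directory.get(group, ()):
        if member.startswith("g:"):
            users |= transitive_users(directory, member, seen)
        else:
            users.add(member)
    return users


def users_losing_access(directory, parent, child):
    """Users who stop being transitive members of `parent` once `child`
    is removed from it. Users who are also direct members of `parent`, or
    who arrive through another nested group, keep their access."""
    if child not in directory.get(parent, ()):
        raise ValueError(f"{child} is not a direct member of {parent}")
    before = transitive_users(directory, parent)
    # Copy the directory and drop only the parent -> child edge.
    after_dir = {g: set(members) for g, members in directory.items()}
    after_dir[parent].discard(child)
    after = transitive_users(after_dir, parent)
    return before - after


if __name__ == "__main__":
    lost = users_losing_access(
        DIRECTORY, "g:MDM policy - All org", "g:MDM policy - West"
    )
    print("Users losing inherited access:", sorted(lost))
```

In the sample data only `u:alex` is affected: `u:dana` is also a direct member of the parent, and `u:blake` still arrives through the East group.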
- title: |
Delete a group
summary: |
You can delete a group for any number of reasons, but typically it will be because you:
- Chose the incorrect **Group type** option.
- Created a duplicate group by mistake.
- No longer need the group.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](~/identity/role-based-access-control/permissions-reference.md#groups-administrator).
- |
Browse to **Identity** > **Groups** > **All groups**.
- |
Search for and select the group you want to delete.
- |
Select **Delete**.
relatedContent:
- text: Learn about groups and assigning access rights to groups
url: concept-learn-about-groups.md
- text: Manage groups using PowerShell commands
url: ~/identity/users/groups-settings-v2-cmdlets.md
# - text: Manage dynamic rules for users in a group
# url: ~/identity/users/groups-create-rule.md
# - text: Scenarios, limitations, and known issues using groups to manage licensing in Microsoft Entra ID
# url: ~/identity/users/licensing-group-advanced.md#limitations-and-known-issues
# - text: Associate or add an Azure subscription to Microsoft Entra ID
# url: ./how-subscriptions-associated-directory.yml