Azure AD Groups
Groups on Azure AD
Azure AD provides group management, which simplifies the administration of access to resources. These resources may be internal (objects present in Azure Active Directory) or external (a SharePoint site, a SaaS application, ...). Access to a resource can be granted in several ways:
- Direct assignment: the owner of the resource grants access to each user individually. This makes day-to-day administration heavier.
- Group membership: to simplify the management of access rights to a resource, a security group is assigned to the resource. Users are added to the group and thereby obtain access to the resource.
- Rule based: the resource owner creates a rule that dynamically defines which users have access to the resource. The rule compares a user attribute against a value; when the user's attribute has the expected value, the user is placed in the group and access to the resource is granted.
- External authority: access is granted to a group synchronized from an external directory (on-premises Active Directory, for example). Access to the resource is then governed from the on-premises directory.
How to implement groups in Azure
To create a group in Azure, open the Azure AD directory, then click the Groups tab. Click Add a group.
Enter the name of the group and a description, then click Validate.
The group now appears in Azure.
Click the group and, under Members, click Add members.
Select the users, then validate the selection.
The users have been added to the group.
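The same result, scripted rather than clicked, and extended to the rule-based model described above. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original article, which only uses the portal. It assumes the Microsoft.Graph module is installed and that the signed-in account may manage groups; the group names, the user user2@inyourcloud.fr and the department value "Marketing" are assumptions.

```powershell
# Added example, not from the original article. Creates the G-Facebook group,
# adds members, verifies the membership, then creates a rule-based group.
# Assumed: Microsoft.Graph module installed, an account allowed to manage groups,
# the user UPNs, the group names and the department value below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Static (assigned) security group: the equivalent of "Add a group" in the portal.
$group = New-MgGroup -DisplayName "G-Facebook" `
    -Description "Access to the Facebook SaaS application" `
    -MailEnabled:$false -SecurityEnabled -MailNickname "G-Facebook"

# Membership by direct addition: look the users up, then add each to the group.
$members = "user1@inyourcloud.fr", "user2@inyourcloud.fr" |
    ForEach-Object { Get-MgUser -UserId $_ }
foreach ($m in $members) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $m.Id
}

# Check that the membership actually landed (the "users have been added" step).
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# Rule-based membership: Azure AD evaluates the rule itself instead of an
# administrator maintaining the member list. Dynamic groups require an Azure AD
# Premium P1 licence. The rule syntax is Azure AD's own; the value is assumed.
$dynamic = New-MgGroup -DisplayName "G-Marketing-Dynamic" `
    -Description "All users whose department attribute is Marketing" `
    -MailEnabled:$false -SecurityEnabled -MailNickname "G-Marketing-Dynamic" `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.department -eq "Marketing")' `
    -MembershipRuleProcessingState "On"

# Show the rule that was stored; membership is populated asynchronously.
Get-MgGroup -GroupId $dynamic.Id | Select-Object DisplayName, MembershipRule
```

One caveat on the rule-based model: whoever can write the attribute the rule reads (here `department`, typically fed by HR or by directory synchronization) effectively controls membership of the group and therefore access to the resource it gates. Only build rules on attributes that come from a trusted source.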
Delegating group management
Before operations on a group can be delegated to an owner, the feature must be enabled.
In the Azure portal, select the Azure AD directory, then click the Configure tab.
Under Group management, set Enable delegated group management to Yes.
Set Users can create security groups to Yes, then click Save to commit the change. Select the group to be delegated and click the Owners tab. Click the Add owners link.
Select a user who has no administrator rights, then confirm the choice.
The user now appears in the list of owners.
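The delegation step above, scripted with the Microsoft Graph PowerShell SDK, together with the review a practitioner would want before trusting it. This is an added example, not the article's own procedure; it assumes the Microsoft.Graph module, an account allowed to manage groups and authorization policy, and uses user1@inyourcloud.fr as the owner of the existing G-Facebook group.

```powershell
# Added example, not from the original article. Makes a non-administrator the
# owner of G-Facebook, checks the "users can create security groups" setting,
# and lists who owns which group so delegated ownership can be reviewed.
# Assumed: Microsoft.Graph module, sufficient permissions, the UPN and group name.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Policy.ReadWrite.Authorization"

$group = Get-MgGroup -Filter "displayName eq 'G-Facebook'" | Select-Object -First 1
$owner = Get-MgUser -UserId "user1@inyourcloud.fr"

# Equivalent of "Add owners" in the portal. The owner needs no directory role:
# ownership alone lets the user add and remove members of this group.
New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($owner.Id)"
}

# Verify the owner list.
Get-MgGroupOwner -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# The "Users can create security groups" setting from the article. Ownership of an
# existing group does not depend on it, so if the goal is only to delegate
# existing groups it can stay disabled; enabled, every user may create groups.
$policy = Get-MgPolicyAuthorizationPolicy
$policy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateSecurityGroups = $false
}

# Review: every group with at least one owner and the owners' UPNs. An owner of a
# group assigned to an application decides who reaches that application, so this
# list deserves the same review as other privileged assignments.
Get-MgGroup -All | ForEach-Object {
    $owners = Get-MgGroupOwner -GroupId $_.Id |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    if ($owners) {
        [pscustomobject]@{ Group = $_.DisplayName; Owners = ($owners -join ", ") }
    }
}
```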
Using a web browser, go to http://myapps.microsoft.com.
Enter the credentials of the account that owns the group, then click Sign in.
In the window that appears, click Groups.
Click the group. As owner, the user can see the members of the group and also modify them. Click Edit, then in the Group policy drop-down list select This group requires owner approval. Click Update. Delegating the management of groups to one or more users is therefore very easy. Create the group G-Twitter and give it a different owner from the previous group.
Return to http://myapps.microsoft.com and sign in with the account that owns the G-Twitter group.
Only the groups of which the user is a member appear.
In the drop-down list, select All to view all Azure Active Directory groups.
Click the G-Facebook group; its properties appear. Click Join group to send a request to the owner of the group.
Enter the desired justification, then click Request.
Click Approvals, then select My requests in the list box. The request appears.
Sign out, then sign in as user1@inyourcloud.fr. Click Approvals and select the request awaiting approval. Click Approve to approve the request.
Click Yes to confirm the approval. Signing back in as User3@inyourcloud.fr shows that the user is now a member of the group.
Users can thus request access to an application more easily.