In Azure AD, groups are meant to act as simple containers for multiple identities so that you can easily assign them to resources instead of giving access to individual objects in your tenant. Once a group has been created, you often want to decide which services it should have access to and what permissions should be assigned to it. In this section, we will cover the process of managing them by giving a group a role assignment.
To get ready, you will need a group that you can manage. If you do not have one, please go back to the Creating groups section and set one up.
Now, we will take a look at how to manage groups. Follow these steps:
- When you click on your group, you will gain access to all its settings and configuration details:
From this screen, you will be able to perform the following activities:
- Change the group name, its description, or its membership type by using the Properties button
- Manage members
- Manage owners (if you create an Office 365 group and assign it an expiration time, an owner will be notified before the group expires)
- Assign a group to other groups
- Check which applications, licenses, and Azure resources a group is assigned to
- Since this is a newly created group, we do not have any assignments. To assign a group to a resource, you will have to go to it and access its Access control (IAM) blade.
All Azure resources have the aforementioned blade displayed right after the overview section. In the following screenshot, you can see it in the Azure Storage resource:
- To assign a group to it, you will have to click on the + Add button and select the Add role assignment option:
- In the displayed form, you can select a role and the assignment target. Since we want to assign a role to a group, the value of the Assign access to field should be set to Azure AD user, group, or service principal:
- Search for the group you want to assign and click on it so that it appears under Selected members:
- Once you are ready, you can click on the Save button and wait a moment until the assignment is created.
Congratulations – your group is now assigned to a resource and can perform the activities allowed by its role permissions!
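The same assignment can be expressed as infrastructure as code, which makes the scope, principal and role reviewable and repeatable. The Bicep template below is an added example, not code from the original chapter: it assumes an existing storage account and a group object id passed in as parameters, scopes the assignment to that single resource rather than the subscription, and uses the built-in Storage Blob Data Reader role (role definition id as published in Azure's built-in roles list, overridable via the parameter) instead of a broad role such as Contributor.

```bicep
// Added example: assign an Azure AD group a least-privilege role on one storage account.
// Deploy at resource-group scope, e.g. az deployment group create -g <rg> -f main.bicep \
//   -p storageAccountName=<name> groupObjectId=<group object id>

@description('Name of an existing storage account in this resource group (assumed).')
param storageAccountName string

@description('Object id of the Azure AD group to assign (assumed; from the group\'s Overview blade).')
param groupObjectId string

@description('Built-in role definition id. Default is Storage Blob Data Reader; verify against the built-in roles list before changing.')
param roleDefinitionId string = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'

// Reference the resource the group should get access to; nothing about it is modified.
resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: storageAccountName
}

// The role assignment is what the portal's "Add role assignment" form creates.
resource groupAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Role assignment names must be GUIDs; deriving one from scope + principal + role
  // keeps the deployment idempotent instead of creating duplicates on each run.
  name: guid(storage.id, groupObjectId, roleDefinitionId)
  // Scope at the resource itself: members get this role here and nowhere else.
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: groupObjectId
    // Stating the principal type avoids a directory lookup that can fail for
    // recently created objects and documents that this is a group, not a user.
    principalType: 'Group'
  }
}

// Handy when reviewing what was granted, e.g. in a pipeline log.
output assignmentId string = groupAssignment.id
output assignedScope string = storage.id
```

Group members receive the role immediately; reviewing who is in the group is therefore part of reviewing who can reach the storage account.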
Groups are quite simple to manage, as there is little to configure about their own identity. However, since they act as containers, they simplify access management. By assigning a group to a resource with a specific role, all the members of the group are given immediate access to it based on the role's permissions. This means that you can control access to a specific service in Azure with a certain level of granularity using groups.
Remember that, in many ways, groups behave like a simple identity. This means that you can assign them the very same set of roles as you would do for a user and you do not need any special functionality to do so.
In this section, you learned how to manage a group in an Azure AD tenant. The important thing here is to remember the value that groups bring to your directory – you can be more productive and manage access with ease (as you do not have to track all the users assigned to resources).
In fact, using groups is the only way to ensure that you have things under control – when you have hundreds or thousands of users inside your directory, managing all of them individually would be really tiresome.
In the next section, we will cover roles in Azure Active Directory. This will help you understand how to configure access properly.