As you probably already know, last week we released the GA version of Azure AD Premium. That release included some really great new delegated group management capabilities for end users. These capabilities make it easy for employees to add, delete, and manage the membership of security groups directly in Azure AD in the cloud.
You can use these groups to assign access to SaaS applications using AD Premium, or to manage access to SharePoint Online or OneDrive.
To help you get started using this new feature, let me introduce Rob de Jong, a senior program manager on the Active Directory team. He'll walk you through these new capabilities and the employee experience.
To try out the delegated group management features you need to be an Azure AD Premium subscriber, or have a tenant you opted into the Azure AD Premium preview prior to April 2nd. If that is you, you can sign in to the Windows Azure Management Portal, and click on Active Directory in the left navigation bar, then enable the Delegated Group management features for your end users in the directory. To do so, just sign in to the Windows Azure Management Portal at https://manage.windowsazure.com, open your directory, and on the CONFIGURE tab, set PREMIUM FEATURES to be ENABLED.
Alex Simons (twitter: @Alex_A_Simons)
Director of Program Management
Active Directory Team
Hi there –
I'm Rob de Jong, Senior PM on the AD team, writing to introduce you to the preview of the Delegated Group Management capabilities we've recently introduced for end users to create and manage security groups.
Active Directory: Delegated Group Management
This week we released Delegated Management as part of Azure Active Directory Premium. Delegated Group Management enables users to create and manage security groups in Windows Azure Active Directory, and Self Service Group Management offers users the possibility to request for membership of a security group, which can subsequently be approved or denied by the owner of the group. This feature is made available through the WAAD Access Panel.
Before walking you through the experiences, let's first look at how users are helped by using these new feature. We'll look at these two scenarios:
Delegated Group Management
Meet Alice. Alice is the admin who is managing access to Box, a SaaS application that her company is using. Alice is the global administrator of Contoso's directory, and Contoso is using Azure AD Premium to assign users with access to SaaS apps that they need. But managing these access rights is becoming cumbersome, with many joiners and leavers, so she asks Bob, the business owner, to create a new security group. Alice now assigns access to Box to then new group Bob just created and she puts all the people who currently have access to Box in the group. Bob then can add more users, and those users are automatically provisioned to Box moments later. Bob does not need to wait for Alice to do the work but can manage access himself for his users.
Alice can still see all users who have access to Box and block access rights if needed.
Self Service Group Management
Carol manages a SharePoint Online site for her team. She often gets requests, by email or phone, from people to get access to her site. So she decides create a group in AAD, and in SharePoint Online pick that same group to provide access to their sites. When someone wants access, they request membership to the group from the Access Panel, and after approval they get access to the SharePoint Online site automatically. Later Carol decides that all people accessing her site should also get access to Box and to a folder on OneDrive, so she adds access for the group to the OneDrive folder and asks Alice, the administrator, to add Box access rights to her site. From that moment on, any requests that Carol approves will not only give access to the SharePoint Online site but also to the Box application and the OneDrive folder.
Group Management Experiences
To see how you can use these new features, let's take a closer look at them.
Create a Security Group
To create a new security group, open the WAAD Access Panel at http://myapps.microsoft.com and click on the Groups tab. You will see all groups that are present in your directory, represented as tiles:
Fig 1: Groups shown in the Access Panel
To create a new security group, click on the tile labeled "Create a Group". A dialog will appear where you can enter the name of the new group you want to create and where you can optionally enter a description:
Fig 2: Adding a new Group in the Access Panel
To add members to the group, click on a group and then click on the "Add Members" tile. A pop up will be shown where you can select users from your directory to be added as members to the group. After selecting the members you want to add, click on "Add" and the users will get added:
Fig 3: Adding members to a group
Bob did just that and added Jane to the Sales Team group, and she can now access the Sales Team SharePoint Online site:
Fig 4: Jane now has access to the Sales Team SharePoint Online site
Also, the group was given access to the Sales Team documents on OneDrive:
Fig 5: Jane can see Sales Team documents on OneDrive
And the Admin has assigned access for the group to the Box SaaS application:
Fig 6: Admin enables access to the Box SaaS application for the Sales Team group
So the next time Jane goes to the Access Panel she sees the Box application showing up for her, because she is now a member of the group that is assigned to Box:
Fig 7: Jane can now use the Box application
Bob is pretty happy about how this works and decides that all users should be able to make a request to join the Sales Team group, so Bob gets to approve their requests. To accomplish this, Bob changes the Group Join policy on the Sales Team group to "by Approval".
Fig 8: Bob sets the Group Policy on his group to "by Approval"
Karen wants to become a member of the Sales Team group too, so she finds the group on the Access Panel and clicks it:
Fig 9: Karen searches and finds Bob's Sales Team group on the Access Panel
Karen then clicks the "Join" tile to request membership for this group, and she sees that Bob gets to approve this request as he is the owner of the group:
Fig 10: Karen requests to join Bob's Sales Team group
Bob receives a notification of the request and clicks on the link in the email to action the request:
Fig 11: Bob receives an email notification of the request Karen made
Bob's browser opens to the Approval tab in the Access Panel, where he sees the outstanding requests, waiting for his approval. He selects the request Karen made and approves the request.
Fig12: Bob approves Karen's request to join his Sales Team group
Karen is now a member of Bob's Sales Team group and can access the Box application and the OneDrive folder of the Sales Team.
We hope you like these features that enable users to manage groups in Azure Active Directory. Let us know what you think! If there is anything you would like to add or change, like or dislike – please let us know by posting in our forum on TechNet. We're constantly evolving the group management capabilities in Azure Active Directory so stay tuned for updates!
Hi, As an IAM consultant, doing a lot of FIM, I like what I see. You guys are doing some awesome stuff! 1) Are there any plans to implement dynamic groups? (based on attributes such as Company or Department)2) Dirsync: I've seen some info about the password write-back feature being available for TAP (preview customers or whatever you call them on Azure) soon. Will there be write-back for groups too?
Hi Marius, thanks for your support!Both features that you are asking about are on our radar. -Rob
Does this feature (delegated group management) work with Outlook when using 365 as it does when using Outlook OP?