Microsoft Entra ID · Remaining Built-in Roles

Groups Administrator

Can create and manage all aspects of groups and group settings like naming and expiration policies, and manage group membership and ownership.

Scope: Full group lifecycle management including creation, membership, settings, and policies

Permissions

  • Group Licensing - Assign licenses to groups
  • Group Management - Create groups of all types
  • Group Management - Delete groups of all types
  • Group Membership - Read hidden group members
  • Group Membership - Update group membership
  • Group Ownership - Update group owners
  • Group Recovery - Restore deleted groups
  • Group Settings - Update group settings
  • Group Properties - Update basic group properties
  • Group Settings - Manage group settings
  • Group Templates - Read group setting templates
  • Service Health - Manage Azure service health
  • Support Tickets - Create and manage support tickets
  • M365 Health - Manage M365 service health
  • M365 Support - Create M365 support tickets
  • Naming Policy - Configure group naming policies
  • Expiration Policy - Set group expiration policies
  • Dynamic Groups - Configure dynamic group membership rules

Common use cases

  • Group lifecycle management and governance
  • Dynamic group rule configuration
  • Group-based licensing administration
  • Microsoft 365 group governance
  • Group naming policy enforcement
  • Group expiration policy management
  • Security group administration
  • Distribution group management
  • Self-service group management oversight
  • Group-based access package configuration

Best practices

  • Implement group naming conventions
  • Set appropriate group expiration policies
  • Use dynamic groups for automated membership
  • Review group ownership regularly
  • Document group purposes and owners
  • Use sensitivity labels for group classification
  • Monitor for orphaned groups
  • Consider group creation restrictions
  • Use access packages for group-based access
  • Coordinate with Teams/SharePoint admins for M365 groups

Security considerations

  • Group membership affects access to resources
  • Dynamic group rules can grant broad access
  • Hidden membership groups need special handling
  • Monitor for privilege escalation via groups
  • Review group-based licensing impact
  • Alert on sensitive group membership changes
  • Consider Privileged Identity Management (PIM) for elevated access
