Microsoft Entra ID · Remaining Built-in Roles

Groups Administrator

Can create and manage all aspects of groups and group settings like naming and expiration policies, and manage group membership and ownership.

Scope: Full group lifecycle management including creation, membership, settings, and policies

Permissions

  • Group Licensing - Assign licenses to groups
  • Group Management - Create groups of all types
  • Group Management - Delete groups of all types
  • Group Membership - Read hidden group members
  • Group Membership - Update group membership
  • Group Ownership - Update group owners
  • Group Recovery - Restore deleted groups
  • Group Settings - Update group settings
  • Group Properties - Update basic group properties
  • Group Settings - Manage group settings
  • Group Templates - Read group setting templates
  • Service Health - Manage Azure service health
  • Support Tickets - Create and manage support tickets
  • M365 Health - Manage M365 service health
  • M365 Support - Create M365 support tickets
  • Naming Policy - Configure group naming policies
  • Expiration Policy - Set group expiration policies
  • Dynamic Groups - Configure dynamic group membership rules

Common use cases

  • Group lifecycle management and governance
  • Dynamic group rule configuration
  • Group-based licensing administration
  • Microsoft 365 group governance
  • Group naming policy enforcement
  • Group expiration policy management
  • Security group administration
  • Distribution group management
  • Self-service group management oversight
  • Group-based access package configuration

Best practices

  • Implement group naming conventions
  • Set appropriate group expiration policies
  • Use dynamic groups for automated membership
  • Review group ownership regularly
  • Document group purposes and owners
  • Use sensitivity labels for group classification
  • Monitor for orphaned groups
  • Consider group creation restrictions
  • Use access packages for group-based access
  • Coordinate with Teams/SharePoint admins for M365 groups

Security considerations

  • Group membership affects access to resources
  • Dynamic group rules can grant broad access
  • Hidden membership groups need special handling
  • Monitor for privilege escalation via groups
  • Review group-based licensing impact
  • Alert on sensitive group membership changes
  • Consider PIM for elevated access

Common questions

When should I assign the Groups Administrator role?

Assign Groups Administrator when you need to: Group lifecycle management and governance; Dynamic group rule configuration; Group-based licensing administration; Microsoft 365 group governance; and Group naming policy enforcement. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Groups Administrator role do?

The Groups Administrator role grants permissions including: Group Licensing - Assign licenses to groups; Group Management - Create groups of all types; Group Management - Delete groups of all types; Group Membership - Read hidden group members; Group Membership - Update group membership; and Group Ownership - Update group owners. See the Permissions section above for the full list.

What are the security risks of the Groups Administrator role?

Key considerations when assigning Groups Administrator: Group membership affects access to resources; Dynamic group rules can grant broad access; Hidden membership groups need special handling; and Monitor for privilege escalation via groups. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →