Deleting groups is a straightforward process; however, you need to perform this action with caution because deleting a group in production can have serious repercussions for access management. Some scenarios where you will need to delete a group include the following:
- You selected the wrong group type while creating the group. This selection cannot be modified after creation; the only option is to delete the group and re-create the group with the right type.
- You have a duplicate group.
- You no longer need the group in your environment.
If you want to delete a group, you can navigate to Azure Active Directory ➢ Groups ➢ All Groups and open the group you want to delete. Clicking the Delete button as shown in Figure 1.6 will delete the group.

FIGURE 1.6 Deleting group
Updating details in a group is no different from updating user properties. You can add or remove users at any time from security groups or Microsoft 365 groups with an assigned membership type. However, in dynamic membership groups, you cannot manually add or remove users; membership is managed entirely by the dynamic rules that you create. Azure gives you the option to modify the dynamic rules of an existing group without the need to re-create the group.
Now that you are familiar with the user and group accounts in Azure AD, we will talk about the roles in Azure AD.
Azure AD Roles
Azure AD roles are used to manage the permissions that can be assigned to users. You can assign roles to users so they can perform certain actions, such as resetting user passwords, assigning or removing licenses, adding or removing users, and so on.
More than 50 built-in roles are available in Azure AD, so you can follow the principle of least privilege and assign users only the permissions they need to complete the tasks given to them. Azure AD roles make sure that users are neither over-privileged nor under-privileged. For example, if you want to give a user permission to create/manage groups, create/manage group settings such as naming and expiration policies, and view group activity and audit reports, then Groups Administrator is the right role to assign to the user.
Here is the complete list of roles available in Azure AD:
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
You can assign roles to the users from the Users ➢ Assigned Roles blade. At the time of authoring this book, assigning roles to groups is in preview. If you would like to know more about this preview feature, refer to this document:
https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept
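The portal steps above can also be scripted. The following is an added example (not from the book) using the Microsoft Graph PowerShell SDK: it assigns the least-privileged Groups Administrator role to a user and then lists who holds Global Administrator, so over-privileged assignments can be spotted. The user principal name and role names are placeholders; the cmdlets require the Microsoft.Graph modules and an account allowed to manage directory roles.

```powershell
# Added example: least-privilege role assignment and a privileged-role audit
# with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

function Grant-DirectoryRole {
    # Assign a built-in Azure AD role to a user at tenant scope ("/").
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$RoleName
    )
    $user = Get-MgUser -UserId $UserPrincipalName
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' not found" }

    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $role.Id `
        -PrincipalId $user.Id `
        -DirectoryScopeId "/"
}

function Get-DirectoryRoleHolders {
    # Return the principals (users, groups or service principals) currently
    # assigned a given role; useful for reviewing Global Administrator sprawl.
    param([Parameter(Mandatory)] [string]$RoleName)
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' not found" }

    Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal |
    ForEach-Object {
        $p = $_.Principal.AdditionalProperties
        [pscustomobject]@{
            Role      = $RoleName
            Principal = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $_.PrincipalId }
            Type      = $p['@odata.type']
        }
    }
}

# Placeholder UPN: a group owner who only needs to manage groups, not the tenant.
Grant-DirectoryRole -UserPrincipalName "group.owner@contoso.example" -RoleName "Groups Administrator"

# Audit: every Global Administrator listed here should have a documented reason.
Get-DirectoryRoleHolders -RoleName "Global Administrator" | Format-Table -AutoSize
```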
We will cover more about Azure AD roles when we discuss role-based access control in Chapter 2, “Compliance and Cloud Governance.”
We talked about managing users and groups and assigning roles to them. In an enterprise environment, not only users but devices used by users need to be managed and monitored. Azure AD Join helps you to make sure that the devices used by the users follow the organizational standards. Let’s discuss Azure AD Join.