๐Ÿ” Recipe ยท Entra ID & Identity

Identify Administrators with Group Management Permissions in Entra ID

Audit directory role assignments to discover who can create, modify, or manage group memberships in your tenant

Complexity

Intermediate

Impact

security + compliance + access-review + privileged-access

Context

Why This Matters

In Microsoft Entra ID (formerly Azure AD), the ability to manage group memberships is not limited to a single role. Several built-in directory roles carry this privilege, most notably Global Administrator, Privileged Role Administrator, User Administrator, Groups Administrator, and Directory Writers. Owners of individual groups can also manage membership for their own groups.

Regularly auditing who holds these roles is a core part of privileged access hygiene. Group memberships frequently drive access to SharePoint sites, Teams, license assignments, Conditional Access exclusions, and application permissions, so anyone who can modify group membership can effectively escalate access across your tenant.

Run this recipe during quarterly access reviews, after organizational changes, before compliance audits (SOC 2, ISO 27001, HIPAA), or whenever you suspect unnecessary privilege sprawl.

Expected Outcomes

After completing this recipe you will have:

  • A full inventory of users assigned to directory roles that grant group management permissions
  • Identification of each role holder's assignment type (permanent vs. eligible via PIM)
  • A CSV/report suitable for access review sign-off
  • Visibility into service principals and groups that also hold these roles
  • A baseline to compare against in future audits

Risks & Considerations

Cautions

  • Read-only audit. This recipe does not modify role assignments. Removing a Global Administrator without a backup break-glass account can lock you out of your tenant.
  • PIM eligibility matters. The standard /directoryRoles/{id}/members endpoint returns only active assignments. Users who are eligible via Privileged Identity Management are invisible unless you also query the PIM endpoints.
  • Group-based and nested assignments. Roles can be assigned to groups; enumerate group members to see the effective admin list.
  • Custom roles and admin units. If your org uses custom roles or administrative-unit-scoped assignments, additional queries are required.
  • Group owners also manage membership for their groups. Don't forget them in your threat model.

Required Permissions

Permission | Why It's Needed
RoleManagement.Read.Directory | Read directory role definitions and role assignments (including PIM eligibility)
Directory.Read.All | Resolve principal IDs to user, group, and service principal details
PrivilegedAccess.Read.AzureAD | Optional; read PIM eligible role assignments
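The cautions and permissions above describe the query logic without showing it. The following is an added example, not part of this recipe and not Dex or Microsoft code: it drives the real Microsoft Graph paths (/directoryRoles, /directoryRoles/{id}/members, /groups/{id}/transitiveMembers, /roleManagement/directory/roleDefinitions and /roleManagement/directory/roleEligibilityScheduleInstances) through a minimal client interface, a get(path) method returning parsed JSON, so the merge-active-and-eligible, expand-groups and export-CSV steps can be run offline. The FakeGraph class and every ID, name and UPN in SAMPLE are constructed stand-ins; against a real tenant you would substitute an authenticated client holding the permissions in the table. It goes slightly beyond the recipe text by following @odata.nextLink pagination and by resolving eligibility instances through roleDefinitions, so eligible holders are reported even for a role that has never been activated (and therefore does not appear under /directoryRoles).

```python
"""Inventory principals holding group-management directory roles in Entra ID.

Added example, not part of the original recipe. Real Graph paths are used; the
client interface (get(path) -> dict) and all sample data are constructed.
"""
import csv
import io
from typing import Iterator

# Roles named in the recipe as carrying group-membership management rights.
TARGET_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "User Administrator", "Groups Administrator", "Directory Writers",
}


def get_all(graph, path: str) -> Iterator[dict]:
    """Yield every item of a Graph collection, following @odata.nextLink.
    (Real nextLinks are absolute URLs; a real client must accept those.)"""
    while path:
        page = graph.get(path)
        yield from page.get("value", [])
        path = page.get("@odata.nextLink")


def principal_rows(graph, principal: dict, role: str, assignment: str, scope: str) -> Iterator[dict]:
    """One report row per principal; a group is additionally expanded to its transitive user members."""
    kind = principal.get("@odata.type", "").rsplit(".", 1)[-1] or "unknown"
    yield {"role": role, "assignment": assignment, "scope": scope, "principalType": kind,
           "displayName": principal.get("displayName", ""),
           "upn": principal.get("userPrincipalName", ""), "via": "direct"}
    if kind == "group":
        for m in get_all(graph, f"/groups/{principal['id']}/transitiveMembers"):
            if m.get("@odata.type") == "#microsoft.graph.user":  # nested groups/devices are not admins themselves
                yield {"role": role, "assignment": assignment, "scope": scope, "principalType": "user",
                       "displayName": m.get("displayName", ""), "upn": m.get("userPrincipalName", ""),
                       "via": principal.get("displayName", principal["id"])}


def build_inventory(graph) -> list:
    rows = []
    # Active assignments. /directoryRoles lists only roles already activated in the tenant.
    for role in get_all(graph, "/directoryRoles"):
        if role["displayName"] in TARGET_ROLES:
            for member in get_all(graph, f"/directoryRoles/{role['id']}/members"):
                rows.extend(principal_rows(graph, member, role["displayName"], "Active", "/"))
    # PIM-eligible assignments never appear under /members. roleDefinitionId on an eligibility
    # instance is the built-in role's template id, resolved to a name through roleDefinitions.
    names = {d["id"]: d["displayName"] for d in get_all(graph, "/roleManagement/directory/roleDefinitions")}
    for inst in get_all(graph, "/roleManagement/directory/roleEligibilityScheduleInstances?$expand=principal"):
        name = names.get(inst["roleDefinitionId"])
        if name in TARGET_ROLES:  # directoryScopeId other than "/" flags an admin-unit-scoped assignment
            rows.extend(principal_rows(graph, inst["principal"], name, "Eligible (PIM)", inst.get("directoryScopeId", "/")))
    return rows


def to_csv(rows: list) -> str:
    """Render the inventory as CSV text suitable for access-review sign-off."""
    fields = ["role", "assignment", "scope", "principalType", "displayName", "upn", "via"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


class FakeGraph:
    """Constructed stand-in for an authenticated Graph client; serves canned JSON per path."""
    def __init__(self, responses: dict):
        self.responses = responses

    def get(self, path: str) -> dict:
        return self.responses[path]


# Constructed tenant: every id, name and UPN below is made up.
SAMPLE = FakeGraph({
    "/directoryRoles": {"value": [
        {"id": "role-ga", "displayName": "Global Administrator", "roleTemplateId": "tmpl-ga"},
        {"id": "role-grp", "displayName": "Groups Administrator", "roleTemplateId": "tmpl-grp"},
        {"id": "role-reader", "displayName": "Global Reader", "roleTemplateId": "tmpl-reader"},
    ]},
    "/directoryRoles/role-ga/members": {"value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-alice", "displayName": "Alice", "userPrincipalName": "alice@example.test"},
    ], "@odata.nextLink": "/directoryRoles/role-ga/members?$skiptoken=page2"},
    "/directoryRoles/role-ga/members?$skiptoken=page2": {"value": [
        {"@odata.type": "#microsoft.graph.group", "id": "g-tier0", "displayName": "Tier0-Admins"},
    ]},
    "/directoryRoles/role-grp/members": {"value": [
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-prov", "displayName": "Provisioning App"},
    ]},
    "/groups/g-tier0/transitiveMembers": {"value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-bob", "displayName": "Bob", "userPrincipalName": "bob@example.test"},
        {"@odata.type": "#microsoft.graph.group", "id": "g-nested", "displayName": "Nested"},
    ]},
    "/roleManagement/directory/roleDefinitions": {"value": [
        {"id": "tmpl-ga", "displayName": "Global Administrator"},
        {"id": "tmpl-grp", "displayName": "Groups Administrator"},
        {"id": "tmpl-ua", "displayName": "User Administrator"},
        {"id": "tmpl-reader", "displayName": "Global Reader"},
    ]},
    "/roleManagement/directory/roleEligibilityScheduleInstances?$expand=principal": {"value": [
        {"roleDefinitionId": "tmpl-ua", "directoryScopeId": "/",
         "principal": {"@odata.type": "#microsoft.graph.user", "id": "u-carol", "displayName": "Carol", "userPrincipalName": "carol@example.test"}},
        {"roleDefinitionId": "tmpl-ga", "directoryScopeId": "/administrativeUnits/au-1",
         "principal": {"@odata.type": "#microsoft.graph.user", "id": "u-dave", "displayName": "Dave", "userPrincipalName": "dave@example.test"}},
        {"roleDefinitionId": "tmpl-reader", "directoryScopeId": "/",
         "principal": {"@odata.type": "#microsoft.graph.user", "id": "u-erin", "displayName": "Erin", "userPrincipalName": "erin@example.test"}},
    ]},
})

if __name__ == "__main__":
    print(to_csv(build_inventory(SAMPLE)))
```

Run against SAMPLE, the report lists Alice (active Global Administrator), the Tier0-Admins group and Bob as its expanded member, the Provisioning App service principal as an active Groups Administrator, Carol as PIM-eligible User Administrator, and Dave as PIM-eligible Global Administrator scoped to an administrative unit; Erin's Global Reader eligibility is outside the target set and is dropped. The "via" column is what makes a group-based assignment auditable, and a non-"/" scope is the cue to run the additional administrative-unit queries the cautions mention. Group owners are out of scope for this block and still need a separate pass.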

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

List all administrators in our Entra ID tenant who have permissions to manage group memberships. Include holders of Global Administrator, Privileged Role Administrator, User Administrator, Groups Administrator, and Directory Writers roles. Show both active and PIM-eligible assignments, and expand any group-based role assignments into their member users. Export the results as a CSV.