Entra ID accounts can view their groups as group members at myaccount.microsoft.com/groups and manage the groups as owners.
Administrators can disable this possibility in Entra ID. The groups self-service is inactive for accounts without an admin role in this configuration.
The system informs normal user accounts that the functionality is not enabled.
A tests confirms the restriction in Entra ID does not apply to accounts with one of the admin roles:
- Global Administrator
- Groups Administrator
- User Administrator
- …
As a simulation, I use Group-based Role Assignments to assign the admin role Groups Administrator. Alex Wilber is a member of the group and is assigned the Admin role via the group.
Alex still cannot access My Groups self-service. The self-service is still inactive for his account.
In the second test, I try a direct assignment of the Groups Administrator role. Alex Wilber has been assigned the role with both types.
Interestingly, groups self-service works for Alex Wilber with the direct assignment. If I remove the direct assignment, Alex can no longer access My Groups.
I also tried the scenario with User Administrator. Same result, but only if the role is assigned via group-based role assignments.
Therefore, My Groups self-service does not support group-based role assignments. The admin role must be assigned directly to an account.
Admin roles activated via Privileged Identity Management (PIM) are not affected by this. My Groups self-service works even if the role is assigned with group-based role assignments and activated via PIM.
