Missing permissions to validate a dynamic Entra ID group

To validate the membership of a dynamic Entra ID group the documentation specifies the required permissions.

To evaluate the rule for dynamic membership groups, the administrator must be at least a Groups Administrator.

In the Entra ID Admin roles documentation, the permission for Groups Administrator is mentioned.

microsoft.directory/groups/dynamicMembershipRule/update
Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups

A search shows that this permission is included in five roles:

  • Directory Writers
  • Groups Administrator
  • Intune Administrator
  • User Administrator
  • Windows 365 Administrator

One of my test accounts is assigned the Intune Administrator role.

  • The account belongs to a role group that has been assigned the Intune Administrator role. As a result, the account inherits the role through this group.
  • The role was assigned to the group as an Active Assignment, meaning it remains active without PIM activation, either permanently or until a specified end date.
Intune Administrator role was assigned via a role group

My colleague Alex Wilber created a new dynamic Entra ID group in Intune and wants to perform a membership validation for an account. Intune reports that the account does not have permission to validate:

Insufficient privileges to update the membership rule for the group. Make sure you have the right permissions.
The evaluation could not be performed, this user does not have appropriate permissions. Please contact your administrator to request permissions.

Missing permissions to validate a dynamic group

The cause is the assignment of the Intune Admin role via a role group in Active Assignment status.
In practice, this is the same problem as in my post from October about a missing Group Administrator role: some permissions in Entra do not support role groups. In the current case, the root cause is the Active Assignment in combination with a role group.

Read: My Groups in Microsoft 365 shows “This functionality is not enabled” for admin accounts

There are two ways to solve this:

  1. You change the assignment from Active Assignment to Eligible Assignment. In that case Alex Wilber activates the role through Privileged Identity Management (PIM), which requires an Entra ID P2 license for his account. After activating the Intune Admin role, the validation of a dynamic group works.
  2. You assign the Intune Admin role directly to the account (in Active Assignment status). After the direct assignment, Alex Wilber can validate a dynamic group.

In both cases, the validation works with the Intune Administrator role.
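To make the distinction concrete, here is an added Python example (not the author's code) that classifies how a principal holds a role using the two fields Microsoft Graph returns for role assignment schedule instances, assignmentType and memberType, and applies the behaviour observed in this post. The role definition ids and the assignment records are constructed sample data, not values from a real tenant.

```python
"""Check whether a principal can validate a dynamic group's membership rule,
based on how it holds a role that carries the required permission.
Added example with constructed data; not the author's or Microsoft's code."""
from dataclasses import dataclass

# Permission required for the validation (from the Entra ID admin roles docs).
REQUIRED_ACTION = "microsoft.directory/groups/dynamicMembershipRule/update"

# Constructed stand-in for /roleManagement/directory/roleDefinitions.
# The keys are placeholder ids; a real tenant returns GUID template ids.
ROLE_DEFINITIONS = {
    "ROLE-ID-INTUNE-ADMIN": {"displayName": "Intune Administrator",
                             "allowedResourceActions": [REQUIRED_ACTION]},
    "ROLE-ID-GLOBAL-READER": {"displayName": "Global Reader",
                              "allowedResourceActions": []},
}


@dataclass
class ScheduleInstance:
    """Subset of a unifiedRoleAssignmentScheduleInstance record."""
    principal_id: str
    role_definition_id: str
    assignment_type: str   # "Assigned" (active assignment) or "Activated" (via PIM)
    member_type: str       # "Direct" or "Group" (inherited through a role group)


def can_validate_dynamic_group(principal_id, instances):
    """Return (ok, reason). Encodes the observation from the post: an active
    ("Assigned") assignment inherited through a role group does not grant the
    permission in practice, while a direct active assignment or a PIM-activated
    one does."""
    blocked = []
    for inst in (i for i in instances if i.principal_id == principal_id):
        role = ROLE_DEFINITIONS.get(inst.role_definition_id, {})
        if REQUIRED_ACTION not in role.get("allowedResourceActions", []):
            continue  # role does not carry the permission at all
        if inst.member_type == "Group" and inst.assignment_type == "Assigned":
            blocked.append(role["displayName"])
            continue  # the failing combination described in the post
        return True, f"{role['displayName']} ({inst.assignment_type}, {inst.member_type})"
    if blocked:
        return False, "only via role group with active assignment: " + ", ".join(blocked)
    return False, "no assigned role grants " + REQUIRED_ACTION
```

Running this against the instances you export with Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance shows at a glance which accounts hold the role only in the failing combination.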

Validation performed with the Intune Administrator role
Tobias Asböck

Tobias is a Senior System Engineer with around ten years of professional experience with Microsoft 365 products such as SharePoint Online, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].