microsoft / coe-starter-kit


[CoE Starter Kit - QUESTION] Unable to make SA-account owner of Maker Group #7973

Closed Saxsma closed 7 months ago

Saxsma commented 7 months ago

Does this question already exist in our backlog?

What is your question?

I've asked our infra team to create three groups advised by Microsoft (Admin, Maker and User persona). Now I have an issue with the 'Add maker to group' flow.

First version the admin made a Windows AD Group and had it synced to Azure AD. It was not possible to make the SA-account owner of this group.

Second version he broke the sync and created the Group directly into Azure AD. Now it was possible to make the SA-account owner of this group, but it was not Mail enabled.

Third version, he removed the second version Group and created it once more, but now in M365 Admin Center (Mail enabled Security Group). Now it was possible to make the SA-account owner in M365 Admin Center.

Problem with the third version is that when you look it up in Azure AD, it shows 0 owners. And like in the first version, I get this error message:

[Screenshot: Power Apps, Solutions - Center of Excellence - Core Components]

Please help me with this, what type of Group should be created and where?

What solution are you experiencing the issue with?

Core

What solution version are you using?

No response

What app or flow are you having the issue with?

No response

What method are you using to get inventory and telemetry?

None

AB#2719

Jenefer-Monroe commented 7 months ago

Hello. You must be an owner of a group to add to it.

Saxsma commented 7 months ago

Hi Jenefer,

Thanks for your quick response. I'm aware of that, but my colleague (who is Group Administrator and Exchange Administrator) was able to add an owner in EAC, but in Azure that option is grayed out for him. I'll send two screenshots to show you what I mean:

In Azure: [Screenshots: Azure 0 owners-I, Azure 0 owners-II]

In EAC: [Screenshot: Active groups - Exchange admin center]

Jenefer-Monroe commented 7 months ago

I'm sorry, I'm not really sure. I don't think that the O365 connector works with groups that are in sync with on-prem services. Which is what I think you are saying.

Unfortunately what you are hitting are limitations with that connector and not with the kit. My suggestion is to create a flow outside of the context of the kit to make sure the group you create is accessible via the connector to add members. And if not, try the simple Microsoft 365 group, which is what most people use.

Saxsma commented 7 months ago

Hi Jenefer, I was not intending to deny what you say, you should be sure because what you said is true. Nevertheless I'm searching for what is going wrong here. The persona groups should be M365, this is even stated in the MS guidelines for the rollout of CoE. I will discuss this with my colleague tomorrow. By the way, the on-prem groups shown are not in use at this point, they should be deleted. What I was pointing at was the cloud-based group which begins with sg (for Security Group).

I'll keep you posted on this matter. I hope I'll have a M365 group created soon, then I'll reconfigure CoE to be pointed to that Object ID.

Jenefer-Monroe commented 7 months ago

Great, please do let me know!

Jenefer-Monroe commented 7 months ago

closing out as no further action for starter kit team