Hello All -
As we know, Office 365 (which includes Exchange Online) supports 3 types of groups:
- Pure security groups
- Pure Distribution groups
- Mail enabled security groups (combination of security and distribution groups)
I am trying to add members to these groups using minimum privileges, i.e.:
- To add a member to a pure security group, I use the 'Add-MsolGroupMember' cmdlet using a user who has only the 'User Management' (min privilege required) role.
- To add a member to a pure distribution group, I use the 'Add-DistributionGroupMember' cmdlet using a user who has only the 'Recipient Management' (min privilege) role.
However, to add a member to Mail enabled security groups, we have to use the 'Add-DistributionGroupMember' cmdlet only, as 'Add-MsolGroupMember' does not support this.
Now, with the 'Add-DistributionGroupMember' cmdlet, an admin user who is just part of the recipient admin role cannot do this :(
Even a user who is part of the 'Organization Management' role cannot do this. I get the error below:
You don't have sufficient permissions. This operation can only be performed by a manager of the group.
My question is: why is this? I mean, why can only the group owner do this task? If we compare with on-premise AD and Exchange, a user who was just part of 'Accounts Operator' was able to add members to both pure security and mail enabled security groups. But here the Windows Azure PowerShell cmdlet does not support this, and the Exchange cmdlet says only the group owner can add.
This is a big restriction, right? For applications which want to do automated management, they cannot ask for the owner details of each mail enabled security group.
Is there something I am missing? Please clarify.