
As stated in this article from Microsoft on group naming policies, selected administrators are exempted and able to override any given naming policy. In my case I have registered an app that is used to run Azure Functions creating unified groups through the Graph API. I want to override the naming policy when using the app, but I can't find a way to make it happen. Any ideas?

Fred


The application you registered will have a service principal in Azure AD. Your application performs the actions under the service principal's identity.

You can assign the exempted roles to the service principal object of your application and then your application should be exempted as well.

You can find the role using this command, which also stores the result for the assignment step below: $AADRole = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Helpdesk Administrator'}

You can find the object ID of the service principal either by searching directly under Enterprise applications or through PowerShell using this command: $servicePrincipal = Get-AzureADServicePrincipal -SearchString "<your enterprise application name>"

Finally, you can assign the role to your application using this command: Add-AzureADDirectoryRoleMember -ObjectId $AADRole.ObjectId -RefObjectId $servicePrincipal.ObjectId

Hope this helps.

ManojReddy-MSFT
  • This is really great information on how to set a directory role on the service principal. However, the problem is still there. I gave the role "Directory Writer" to my app, which should be enough for overriding naming policies. Still, when creating groups using this app and the Graph API, I get an error saying that the name does not meet the requirements of the group naming policy. Is there something else that needs to be done? – Fred Oct 14 '19 at 08:24
  • Company Administrator, however, seems to do the trick... But this is a really high permission to have. The documentation published by Microsoft states that Directory Writer should be sufficient for overriding the policy. What do you think? – Fred Oct 14 '19 at 08:51
  • Can you check if a user with Directory Writer is able to bypass the group naming policy? – ManojReddy-MSFT Oct 15 '19 at 04:40
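The role assignment procedure from the answer above, written out end to end as an added example (this is not code from the answer, the asker, or Microsoft). It uses the same AzureAD PowerShell module as the thread and assumes you have already run Connect-AzureAD as an account allowed to manage role assignments; "MyGroupFunctionApp" is a placeholder for the enterprise application's display name, and "Directory Writers" is the tenant display name of the role discussed in the comments (swap in another role to repeat the asker's test with Global Administrator). The script adds two checks the one-liners skip: it activates the role from its template if the tenant has never used it, since Get-AzureADDirectoryRole only lists activated roles, and it skips the add when the service principal is already a member, because Add-AzureADDirectoryRoleMember errors on a duplicate. It finishes by listing every directory role the service principal holds, so you can see exactly how much standing privilege you are granting a non-interactive identity before settling on the role that makes the naming-policy override work in your tenant.

```powershell
# Added example, not from the original thread. Assumes the AzureAD module is loaded
# and Connect-AzureAD has already been run with sufficient rights.
param(
    [string]$AppDisplayName  = "MyGroupFunctionApp",   # placeholder: your enterprise application name
    [string]$RoleDisplayName = "Directory Writers"     # role under discussion in the thread; change to test others
)

# 1. Resolve the service principal. -SearchString is a prefix match, so pin the exact name
#    and refuse to continue if it is ambiguous: a role on the wrong identity is a silent grant.
$sp = @(Get-AzureADServicePrincipal -SearchString $AppDisplayName |
        Where-Object { $_.DisplayName -eq $AppDisplayName })
if ($sp.Count -eq 0) { throw "No service principal with display name '$AppDisplayName'" }
if ($sp.Count -gt 1) { throw "Display name '$AppDisplayName' is ambiguous; use the ObjectId instead" }
$sp = $sp[0]

# 2. Resolve the directory role. Get-AzureADDirectoryRole only returns roles that have been
#    activated in the tenant at least once, so fall back to enabling it from the template.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $template) { throw "No directory role template named '$RoleDisplayName'" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# 3. Assign only if the service principal is not already a member.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Host "'$($sp.DisplayName)' already holds '$($role.DisplayName)'"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Host "Added '$($sp.DisplayName)' ($($sp.ObjectId)) to '$($role.DisplayName)'"
}

# 4. Audit: every activated directory role this service principal is now a member of.
#    Review this list before and after testing; a service principal holding Global
#    Administrator (shown as Company Administrator) is tenant-wide standing privilege.
Get-AzureADDirectoryRole |
    Where-Object { (Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId).ObjectId -contains $sp.ObjectId } |
    Select-Object DisplayName, ObjectId
```

Run it once per candidate role and retry the group creation through the app between runs; the final listing tells you which role was actually in effect when the naming-policy error disappeared. Remove any role that turned out not to be needed with Remove-AzureADDirectoryRoleMember so the function app's identity ends up with the least privilege that works. The AzureAD module has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the role objects and the order of steps are the same there, only the cmdlet names differ.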