Grant ZIRO Platform access to specific security group membership via Ownership in Entra

The ZPM application uses the Microsoft Graph API to modify group memberships. The minimum required Graph permission for this operation is GroupMember.ReadWrite.All.

For security-conscious customers who strictly follow the principle of least privilege, this permission is too broad: it allows the application to change the membership of any group in the tenant. An alternative and more targeted approach is to assign the application as an owner of only the groups it is allowed to modify. This restricts the application to modifying those selected groups, and the set of groups it can touch is visible and auditable as its ownership list.

Assign the Application (Service Principal) as an Owner of the Group

  1. Navigate to Entra Group Management (aka.ms/ad/groups)
  2. Select the group you would like the ZIRO Platform to manage memberships for (e.g. “Users with Teams Phone”)
  3. Navigate to Owners and assign the Application (Service Principal) as an owner of the group; repeat for each group the platform should manage
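The same assignment can be scripted with the Microsoft Graph PowerShell SDK, which is convenient when several groups must be delegated and when you want a repeatable verification step. The following is an added example, not ZIRO's own tooling or documentation; the application display name 'ZIRO Platform' is an assumption (use the actual name of the ZPM app registration in your tenant), and the group name is the page's example.

```powershell
# Added example (not ZIRO documentation): make an application's service principal
# an owner of one Entra group via Microsoft Graph PowerShell, then verify it.
# Requires the Microsoft.Graph.Groups and Microsoft.Graph.Applications modules.

$groupName = 'Users with Teams Phone'   # group from the page's example
$appName   = 'ZIRO Platform'            # ASSUMED display name of the ZPM app registration

# The signed-in administrator needs rights to set owners on the group; the
# application itself gets no new Graph permission from this script.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
$sp    = Get-MgServicePrincipal -Filter "displayName eq '$appName'"

if (-not $group -or -not $sp) {
    throw 'Group or service principal not found; check the display names.'
}
if (@($group).Count -ne 1 -or @($sp).Count -ne 1) {
    throw 'Display name matched more than one object; look the Id up and filter on it instead.'
}

# Owners are added by reference to the service principal's directory object.
$ownerRef = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)" }
New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter $ownerRef

# Verify on the group side: the service principal must now appear among the owners.
$owners = Get-MgGroupOwner -GroupId $group.Id
if ($owners.Id -notcontains $sp.Id) { throw 'Owner assignment did not take effect.' }

# Verify on the application side: this is the complete list of groups the
# application can administer through ownership, so it is the list to review.
Get-MgServicePrincipalOwnedObject -ServicePrincipalId $sp.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    Select-Object Id, @{ n = 'DisplayName'; e = { $_.AdditionalProperties['displayName'] } }
```

Run the script once per group the platform should manage. The final query is the check worth repeating periodically: a group owner can change membership and group properties and can add further owners, so the owned-objects list of the service principal is what defines its effective reach and should match the groups you intended to delegate.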

The ZIRO Platform will now allow this group to be added to the “Write” group:

Allowing users in the 360 view to modify a user’s membership via the group tile: