AzureAD Protected Groups
Please provide the ability to have protected AzureAD groups which would have similar functionality to the Active Directory protect against accidental deletion function.
We've had a scenario where one of our service desk engineers deleted an AzureAD group by accident. This particular group was used as part of SCIM provisioning; therefore all the users were deactivated from the downstream application.
This could potentially be tied into a custom role permission which would only have edit / modify permissions on groups.
Michael Poutre commented
I'm unsure if this would be related, but there should be a way to restrict specific roles from managing specific groups in any way. The only workaround we currently have is synchronizing a group from Active Directory, as AzureAD does not offer granular scopes for administrator roles.
The product team is working on fine-tuned custom roles for groups to separate read and write permissions, which will help address this issue.