Groups can be added to the Team Server to assign permissions to groups of users. Groups can be added manually or imported from an external identity provider. Group import via an identity provider is part of the Team Server configuration and is usually performed by application administrators.
When using Azure AD, groups (and users) are defined by Azure AD, so they are imported into the Team Server. If you wish, you can still manually add groups to the Team Server, but these can contain only manually added users, not imported users.
When using Active Directory or a SAML-based identity provider, you need to manually add groups to the Team Server. With SAML, you add members to these groups by defining the user memberships for the groups in SAML. With Active Directory, you can manually add members to these groups after the users have been imported via synchronization. With both Active Directory and SAML, groups can contain a mix of external (imported) and internal users.
When groups are added, they can be assigned one or more roles for the Team Server. The role determines the permissions in the Team Server, in HoriZZon, and for Team Platform-related work in Enterprise Studio for the users in the group. The role also determines which information in the Team Server and in HoriZZon is visible to the users in the group.
Administrator or System Administrator: Manually create groups and add users to them.
System Administrator: Assign the System Administrator role to a group.