diff --git a/tests/common/auth_test.go b/tests/common/auth_test.go
index 9a0631a11e0..78b97fc9cff 100644
--- a/tests/common/auth_test.go
+++ b/tests/common/auth_test.go
@@ -32,8 +32,11 @@ var defaultAuthToken = fmt.Sprintf("jwt,pub-key=%s,priv-key=%s,sign-method=RS256
 	mustAbsPath("../fixtures/server.crt"), mustAbsPath("../fixtures/server.key.insecure"))
 
 const (
-	PermissionDenied     = "etcdserver: permission denied"
-	AuthenticationFailed = "etcdserver: authentication failed, invalid user ID or password"
+	PermissionDenied      = "etcdserver: permission denied"
+	AuthenticationFailed  = "etcdserver: authentication failed, invalid user ID or password"
+	InvalidAuthManagement = "etcdserver: invalid auth management"
+
+	testPeerURL = "http://localhost:20011"
 )
 
 func TestAuthEnable(t *testing.T) {
@@ -565,6 +568,67 @@ func TestAuthLeaseGrantLeases(t *testing.T) {
 	}
 }
 
+func TestAuthMemberAdd(t *testing.T) {
+	testRunner.BeforeTest(t)
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
+	defer clus.Close()
+	cc := testutils.MustClient(clus.Client())
+	testutils.ExecuteUntil(ctx, t, func() {
+		require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
+		rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
+		testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))
+		_, err := testUserAuthClient.MemberAdd(ctx, "newmember", []string{testPeerURL})
+		require.ErrorContains(t, err, PermissionDenied)
+		_, err = rootAuthClient.MemberAdd(ctx, "newmember", []string{testPeerURL})
+		require.NoError(t, err)
+	})
+}
+
+func TestAuthMemberRemove(t *testing.T) {
+	testRunner.BeforeTest(t)
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	clusterSize := 2
+	clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: clusterSize}))
+	defer clus.Close()
+	cc := testutils.MustClient(clus.Client())
+	testutils.ExecuteUntil(ctx, t, func() {
+		require.NoErrorf(t, setupAuth(cc, []authRole{testRole}, []authUser{rootUser, testUser}), "failed to enable auth")
+		rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
+		testUserAuthClient := testutils.MustClient(clus.Client(WithAuth(testUserName, testPassword)))
+
+		memberId, clusterId := memberToRemove(ctx, t, rootAuthClient, clusterSize)
+
+		// ordinary user cannot remove a member
+		_, err := testUserAuthClient.MemberRemove(ctx, memberId)
+		require.ErrorContains(t, err, PermissionDenied)
+
+		// root can remove a member
+		removeResp, err := rootAuthClient.MemberRemove(ctx, memberId)
+		require.NoError(t, err, "MemberRemove failed")
+		require.Equal(t, removeResp.Header.ClusterId, clusterId)
+	})
+}
+
+func TestAuthTestInvalidMgmt(t *testing.T) {
+	testRunner.BeforeTest(t)
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	clus := testRunner.NewCluster(ctx, t, config.WithClusterConfig(config.ClusterConfig{ClusterSize: 1}))
+	defer clus.Close()
+	cc := testutils.MustClient(clus.Client())
+	testutils.ExecuteUntil(ctx, t, func() {
+		require.NoErrorf(t, setupAuth(cc, []authRole{}, []authUser{rootUser}), "failed to enable auth")
+		rootAuthClient := testutils.MustClient(clus.Client(WithAuth(rootUserName, rootPassword)))
+		_, err := rootAuthClient.UserDelete(ctx, rootUserName)
+		require.ErrorContains(t, err, InvalidAuthManagement)
+		_, err = rootAuthClient.UserRevokeRole(ctx, rootUserName, rootRoleName)
+		require.ErrorContains(t, err, InvalidAuthManagement)
+	})
+}
+
 func mustAbsPath(path string) string {
 	abs, err := filepath.Abs(path)
 	if err != nil {
diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go
index 1d86bc6360b..d0de934df28 100644
--- a/tests/e2e/ctl_v3_auth_test.go
+++ b/tests/e2e/ctl_v3_auth_test.go
@@ -27,12 +27,7 @@ import (
 	"go.etcd.io/etcd/tests/v3/framework/e2e"
 )
 
-func TestCtlV3AuthMemberAdd(t *testing.T) { testCtl(t, authTestMemberAdd) }
-func TestCtlV3AuthMemberRemove(t *testing.T) {
-	testCtl(t, authTestMemberRemove, withQuorum(), withDisableStrictReconfig())
-}
 func TestCtlV3AuthMemberUpdate(t *testing.T) { testCtl(t, authTestMemberUpdate) }
-func TestCtlV3AuthInvalidMgmt(t *testing.T)  { testCtl(t, authTestInvalidMgmt) }
 func TestCtlV3AuthFromKeyPerm(t *testing.T)  { testCtl(t, authTestFromKeyPerm) }
 func TestCtlV3AuthAndWatch(t *testing.T)     { testCtl(t, authTestWatch) }
 func TestCtlV3AuthAndWatchJWT(t *testing.T)  { testCtl(t, authTestWatch, withCfg(*e2e.NewConfigJWT())) }
@@ -96,51 +91,6 @@ func authSetupTestUser(cx ctlCtx) {
 	}
 }
 
-func authTestMemberAdd(cx ctlCtx) {
-	if err := authEnable(cx); err != nil {
-		cx.t.Fatal(err)
-	}
-
-	cx.user, cx.pass = "root", "root"
-	authSetupTestUser(cx)
-
-	peerURL := fmt.Sprintf("http://localhost:%d", e2e.EtcdProcessBasePort+11)
-	// ordinary user cannot add a new member
-	cx.user, cx.pass = "test-user", "pass"
-	if err := ctlV3MemberAdd(cx, peerURL, false); err == nil {
-		cx.t.Fatalf("ordinary user must not be allowed to add a member")
-	}
-
-	// root can add a new member
-	cx.user, cx.pass = "root", "root"
-	if err := ctlV3MemberAdd(cx, peerURL, false); err != nil {
-		cx.t.Fatal(err)
-	}
-}
-
-func authTestMemberRemove(cx ctlCtx) {
-	if err := authEnable(cx); err != nil {
-		cx.t.Fatal(err)
-	}
-
-	cx.user, cx.pass = "root", "root"
-	authSetupTestUser(cx)
-
-	ep, memIDToRemove, clusterID := cx.memberToRemove()
-
-	// ordinary user cannot remove a member
-	cx.user, cx.pass = "test-user", "pass"
-	if err := ctlV3MemberRemove(cx, ep, memIDToRemove, clusterID); err == nil {
-		cx.t.Fatalf("ordinary user must not be allowed to remove a member")
-	}
-
-	// root can remove a member
-	cx.user, cx.pass = "root", "root"
-	if err := ctlV3MemberRemove(cx, ep, memIDToRemove, clusterID); err != nil {
-		cx.t.Fatal(err)
-	}
-}
-
 func authTestMemberUpdate(cx ctlCtx) {
 	if err := authEnable(cx); err != nil {
 		cx.t.Fatal(err)
@@ -202,20 +152,6 @@ func authTestCertCN(cx ctlCtx) {
 	require.ErrorContains(cx.t, err, "permission denied")
 }
 
-func authTestInvalidMgmt(cx ctlCtx) {
-	if err := authEnable(cx); err != nil {
-		cx.t.Fatal(err)
-	}
-
-	if err := ctlV3Role(cx, []string{"delete", "root"}, "Error: etcdserver: invalid auth management"); err == nil {
-		cx.t.Fatal("deleting the role root must not be allowed")
-	}
-
-	if err := ctlV3User(cx, []string{"revoke-role", "root", "root"}, "Error: etcdserver: invalid auth management", []string{}); err == nil {
-		cx.t.Fatal("revoking the role root from the user root must not be allowed")
-	}
-}
-
 func authTestFromKeyPerm(cx ctlCtx) {
 	if err := authEnable(cx); err != nil {
 		cx.t.Fatal(err)