Enterprise Mobility and Security Blog


Howdy folks,

Happy Monday! Hope you all had a great weekend.

Today’s news is about a cool new feature of Azure AD Premium we just released in preview, Attribute Based Dynamic Group Membership.

Many customers have asked for this capability in order to more fully automate the business processes they manage using Azure AD. As one example, many of our customers use Workday as their cloud HR system. One of the things they want to do is make sure every employee in their Customer Service department is automatically provisioned into ServiceNow and can sign in to that cloud service seamlessly to access their customer support tickets. This entire flow can now be automated using our automated provisioning flow together with our new Attribute Based Dynamic Group Membership.

Rob De Jong is the Senior Program Manager in my team who owns our group management features. He has written up a nice guest blog post and a short video below with more details on how this all works and how you can try it out.

I hope you’ll find this new set of capabilities useful. And as always, we would love to receive any feedback or suggestions you have!

Best Regards

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Division


Hello everyone,

I’m Rob De Jong and I’m excited to tell you about our newest preview feature, Attribute Based Dynamic Group Membership.

We all know that the easiest way to manage access for large numbers of users is to put them into groups, and then manage access by those groups. That way, when a new user is added, they just need to get dropped into the right groups, and magic happens.

Until now, that group membership was a manual step that had to be performed for each user. Today, I’m excited to announce the preview release of Dynamic Membership for Groups, the first step in our efforts to support Attribute Based Access Management in Azure Active Directory. With this feature you can now specify a rule on a security group that will automatically manage the membership of that group based on users’ attribute values. Dynamic membership enables you to define a group using single-attribute rules, such as “All users where Department equals Sales”, or you can configure complex rules that use logical operators to combine clauses, such as “All users where Department equals Sales or Marketing and Job title contains Manager”. A typical scenario would then give this group access to some SharePoint sites, or automatically assign its members Office 365 licenses.

When you first configure a rule for a group, all users in your directory are scanned to find which users satisfy the rule you provided, and all matching users are added as members of the group. Subsequent changes to users’ attributes, such as when a user changes job title or department, or when a new user joins, will trigger a re-evaluation of the rule, and the outcome of that evaluation will be reflected in the user’s group memberships.
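To make the two steps above concrete (the initial directory scan, then per-user re-evaluation when an attribute changes), here is a small simulation written for this post. It is added example code, not Azure AD’s rule engine, and it does not use Azure AD’s own rule syntax; the user records, the `equals`/`contains`/`any_of`/`all_of` clause builders and the two explicit groupings of the “Sales or Marketing and Job title contains Manager” rule are assumptions made for illustration.

```python
# Added example: a simulation of attribute-based dynamic membership,
# not Azure AD's rule engine or rule syntax.

# Constructed sample directory (hypothetical users, not real accounts).
USERS = {
    "alice": {"department": "Sales", "jobTitle": "Account Manager"},
    "bob": {"department": "Marketing", "jobTitle": "Marketing Manager"},
    "carol": {"department": "Marketing", "jobTitle": "Analyst"},
    "dave": {"department": "Engineering", "jobTitle": "Engineering Manager"},
    "erin": {"department": "Sales", "jobTitle": "Analyst"},
}

# Clause builders: each returns a predicate over one user's attribute dict.
def equals(attr, value):
    return lambda u: u.get(attr) == value

def contains(attr, value):          # substring match on a string attribute
    return lambda u: value in (u.get(attr) or "")

def any_of(*clauses):               # logical OR of clauses
    return lambda u: any(c(u) for c in clauses)

def all_of(*clauses):               # logical AND of clauses
    return lambda u: all(c(u) for c in clauses)

# "Department equals Sales or Marketing and Job title contains Manager" has
# two readings; make the grouping explicit, or the rule may admit a whole
# department instead of only its managers.
MANAGERS_RULE = all_of(                           # (Sales or Marketing) and Manager
    any_of(equals("department", "Sales"), equals("department", "Marketing")),
    contains("jobTitle", "Manager"),
)
LOOSE_RULE = any_of(                              # Sales or (Marketing and Manager)
    equals("department", "Sales"),
    all_of(equals("department", "Marketing"), contains("jobTitle", "Manager")),
)

def evaluate(rule, users):
    """Initial scan: test every user in the directory against the rule."""
    return {name for name, attrs in users.items() if rule(attrs)}

def reevaluate(rule, users, current_members, changed_user):
    """Re-evaluate one user after an attribute change. Returns the new
    membership plus the (added, removed) delta for auditing."""
    members = set(current_members)
    if rule(users[changed_user]):
        members.add(changed_user)
    else:
        members.discard(changed_user)
    return members, members - current_members, current_members - members
```

The `(added, removed)` delta returned by `reevaluate` is what you would want to log, since a dynamic rule grants or revokes access without any administrator touching the group.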

Learn More and Get Started

You can learn more about Dynamic Membership for Groups by watching this short video or reading the documentation here.

Or, you could just go ahead and configure a rule to manage memberships on a security group in the Azure AD Admin Portal. Just create a new security group and in the group’s Configure tab, enable Dynamic Memberships, then configure a rule for the group, as shown here:

Please note that Dynamic Membership for Groups is an Azure AD Premium feature, so the user configuring rules on a group needs to have an Azure AD Premium license assigned. Also note that to enable dynamic rule evaluation you need to enable the “Delegated Group Management” feature on the directory’s Configure page.

If you have any questions or feedback, we’d love to hear from you, just head on over to our MSDN Azure AD discussion forum.

Thank you!

Rob De Jong