Dynamic Group Membership in Azure Active Directory (Part 1)
In Part 1 of this series, I will cover Creating and Assigning Licenses and Applications to a Dynamic User Group in this blog post.
One of my favorite new features in Azure Active Directory is Dynamic Group Membership. In these blog posts, I will describe the different types of Dynamic Groups that you can create, then assign these Groups to Applications and Licenses. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. This is very useful for dynamically provisioning Users into the proper group where they will automatically get the assigned Licenses and Applications based on attributes. Example: A Sales Person gets a new role in the Marketing Department... once that persons title, department or company attribute is changed, they will automatically be removed from the Sales Group(s) and the associated Licenses and Applications, then automatically join to the Marketing Group(s) based on title, department or company and be assigned appropriate Marketing Licenses and Applications.
I will first create a Dynamic User Group:
I selected Bedrock Users to go along with the Flintstones theme. The following options are available for Membership Type:
- Dynamic Device
- Dynamic User
I for this section, I selected Dynamic User under Membership Type. For my dynamic query, I selected the following:
Add users where: city equals Bedrock
Now, all users (Local Active Directory and Azure Active Directory) who have City defined as Bedrock will automatically be added to this group. I choose the city attribute, but you could choose many different attributes, including 16 custom attributes. In another demo, I created an attribute on my local Active Directory called LSU Fan, configured Azure AD Connect to sync that attribute, then gave certain applications access to Users if they had a Yes value. Some of the popular attributes are the following:
- Company Name
- User Type
- Postal Code
- Office Name
I used Equals in my Bedrock Users Group, but you are able to use any of the following supported expression rule operators:
Here is a screen shot of Fred Flintstone User Profile showing where Bedrock is defined in City attribute:
Now, all the Flintstones and Rubbles are members of the Dynamic Group.
Now that my group is dynamically populated, I can assign Licenses and Applications to the group.
In the caption below, I assigned Enterprise Mobility + Security E5 License to the Bedrock Users Group.
In the screen shot below, I assigned Bedrock Users access to the Box Enterprise Application:
Now, any User that is created or modified and has Bedrock listed under City will automatically get Enterprise Mobility + Security E5 License and access to Box Enterprise Application.
You can also create a group containing all direct reports of a manager. When the manager's direct reports change in the future, the group's membership will be adjusted automatically.
For the rule to work, make sure the Manager ID property is set correctly on users in your tenant. You can check the current value for a user on their Profile tab.
Under Dynamic membership rules, I created an Advanced rule - Direct Reports for "65ebb1eb-7bf9-49f7-9750-ae1e04471a1a" - now, all of Fred Flintstones Direct Reports will automatically be added to this group. If someone switches Managers, they will automatically be removed from this Group.
Fred Flintstones Object ID is 65ebb1eb-7bf9-49f7-9750-ae1e04471a1a and Barney Rubble has his Manager ID populated with Fred's Object ID. This can be set on Local Active Directory using Active Directory Users and Computers: User - Organization Tab - Manager Name. Then the Manager ID will be populated in Azure with the next AD Connect Sync. If this is a cloud only account, then Manager ID will have to be populated manually. Direct Reports is not listed as an attribute in the drop list but does work and is supported - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal
The Dynamic Group feature is an Azure Active Directory Premium feature which is included with Enterprise Mobility + Security Suite and Microsoft 365 Suite.
You can create a dynamic group for devices or users, but you cannot create a rule that contains both user and device objects.
This is the conclusion of Part 1 of 2 Blog Posts on Dynamic Group Membership in Azure Active Directory.
Next, I will create Part 2 to cover creating Dynamic Device Groups and using Advanced Dynamic Membership Rules - https://blogs.technet.microsoft.com/pauljones/2017/08/29/dynamic-group-membership-in-azure-active-directory-part-2/.