The Magic of Dynamic Groups


One request that we commonly hear from our customers is that they want to simplify the management of resource access and policy assignments for their end users. Today, you may be spending time manually updating group memberships or reassigning resource access when an employee moves to a new location, gets a new device, or has a new job title. As long as these attributes are syncing to Azure AD, we can automate this process using dynamic groups in Azure AD!

 

Today we will cover the basics of dynamic groups and how to implement them for common scenarios we hear from customers.

What are Dynamic Groups?

Simply put, dynamic groups are automatically populated groups based on user or device attributes in Azure AD. For example, if you want a group of all your users in Chicago, you could create a dynamic group with a rule for users in that city. When a user's attributes change, they will be automatically added or removed from a dynamic group. In our example, if Mary lived in Chicago and then moved to Phoenix, once the city attribute changes she will be automatically removed from the Chicago group!

 

Admins have two options when creating dynamic groups: dynamic device groups or dynamic user groups. It's important to note that you can't create a dynamic group that has both user and device objects. Additionally, this feature does require AADP P1 licensing.

 

Dynamic groups become more powerful when you combine them with the other EMS features, such as group-based licensing, conditional access, and Intune. When you use dynamic groups for policy or license assignments, you ensure that your users will get the appropriate access and policies based upon their attributes. In our above example, if you were automatically giving access to a SaaS app and assigning an O365 license to the dynamic Chicago users group, then when anyone moves to the city and their AAD attribute is updated they will automatically be assigned licenses and access.

 

Set-Up Basics

To set up a dynamic group, we will start in the Azure AD blade of the Azure portal.

  1. Select "Users and groups", "all groups", then select "+New group" at the top of the pagecreate new AAD group
  2. Select either "dynamic user" or "dynamic device" as the membership type
  3. Construct your query. You can use the drop down menu to create a simple rule or select advanced rule to write one yourselfCreate dynamic group image
  4. To save the group, click "add query" then "create"

Check out the full list of attributes you can use to create groups for user and device objects. For more information on constructing advanced rules you can reference this doc.

Common Scenarios

All Guest Users

A dynamic group for all guest users can be helpful when securing guest access to your corporate resources. With a dynamic group of all guest users, you can then apply conditional access policies forcing them to MFA, block access of corpnet, etc. More info on how to enable conditional access for these users here.

(user.userType -eq "guest")

Advanced User Group

There may be occasions when you need to create a group based upon multiple user attributes, such as country and department. For example, you could create a group of all the IT users in the US who are not in the IT department.

 

(user.country -eq "United States") -and -not (user.department -eq "IT")

Corporate/Personal Device Groups

When using Intune as your MDM, you may want to easily target different policies to corporate and personal devices. This is especially helpful if you have users with both corporate and personal devices- by using device groups you can apply different policies/apps for their devices depending on ownership.

 

To differentiate between the devices we will create two dynamic device groups. Unlike assigned groups, these groups won't be populated until the device finishes Intune enrollment and registers with Azure AD. It is normal for Intune policies to take a little longer to apply to these groups since the dynamic group population takes time (typically under 30 minutes, by up to 24 hours for larger directories).

 

(device.deviceOwnership -eq "Company")

(device.deviceOwnership -eq "Personal")

NOTE: All devices in Intune are automatically labeled "personal" unless they: 1) Came in through DEP, 2) Were pre-declared as corporate, or 3) Had the ownership changed by the admin in the portal.

 

What Next?

Once you start building dynamic AAD groups you will find how many activities you can automate when leveraging all of EMS. Do you have more group related actions that you want to automate? Let us know in the comments so we can cover them in future posts!

 

-Sarah & Josh

Comments (0)

Skip to main content