Implementing Azure AD dynamic group membership
Before we dive into the principles of Azure AD dynamic groups, it is important to take a step back and ensure you have an overall appreciation of the available methods you can use to assign access rights to your users in Azure AD. These are as follows:
- Direct assignment: Permissions to Azure AD resources are granted by manually assigning access for the resource to an individual Azure AD user object.
- Group assignment: Permissions to Azure AD resources are granted by manually assigning access for the resource to an Azure AD group that contains a set of Azure AD user objects that are added or removed from the group manually.
- Rule-based assignment: Permissions to resources are granted by dynamically assigning users to a group by defining rules for membership based on specific user object attributes (such as the department field).
- External authority assignment: Permissions to resources are granted by creating groups in order to provide access to resources for sources external to Azure AD. In this situation, the external source is given permission to manage group membership.
This essentially means that the most basic way to provide access rights to resources in Azure AD is to grant access directly to individual users. However, this has obvious disadvantages compared to the use of groups. By using group assignment, permissions to resources can be assigned to the group and all its members in a single action, instead of us having to provide access to individual users. Even so, maintaining group membership manually can be a laborious and ongoing task for administrators, who will need to add and remove users from groups on a constant basis.
Rule-based assignment using Azure AD dynamic groups simplifies this process and provides a secure method for maintaining appropriate access to resources. Let's look at how this works.
Creating a dynamic group in Azure AD using the Azure portal
To create a dynamic group, we need to log in to the Azure portal at https://portal.azure.com as a Global Administrator, Intune Administrator, or User Administrator, and navigate to Azure Active Directory | Groups | All groups:
The following steps will enable you to set up the group:
- We will start by clicking on New group:
- Choose between the available group types, that is, Security, which is used to grant access to users and devices, and Office 365, which is used to grant access only to users and can be assigned a group email address:
- Enter a name and description for the group. In this example, I have named my group Marketing Users and provided a description that states, For access to the Marketing Dept SharePoint Team Site. You can choose your own name and description here. Please always try and give logical names and descriptions that will be easy for your users to understand.
- Choose the desired membership type: Assigned, Dynamic User, or Dynamic Device (only with Security Groups).
For this example, I have chosen to create a Security Group for the Marketing Department. I have set the membership type to Dynamic User and selected an Owner for the group:
- I can now go ahead and choose Add dynamic query so that I can begin creating my dynamic membership rules. The rule builder allows you to add up to five expressions. In the following example, I have configured a simple rule for adding members to this group where the user's department field equals Marketing:
- The Rule syntax text box can be used if you need to add more than five expressions and create more advanced rules. In addition, you can use the Get custom extension properties option to add an Application ID (if applicable). This can be either synced from your on-premises AD or from a connected SaaS application:
- When you are happy with your selections, click Save and then Create.
Creating dynamic groups with Azure AD PowerShell
It is also possible to create and manage Azure AD groups with PowerShell. Let's use PowerShell to look at the Marketing Users group we created in the Azure portal.
First, we need to launch PowerShell. I always recommend running PowerShell as an Administrator. Once we have PowerShell open and ready, we need to perform the following steps:
- Run Install-Module AzureAD.
- Run Import-Module AzureAD.
- Run Get-Module AzureAD.
- Run Connect-AzureAD:
We will be prompted for our credentials, and will need to connect as a Global Administrator, Intune Administrator, or User Administrator. This will connect us to Azure AD in the PowerShell session. Now, we can retrieve a full list of all Azure AD groups by running Get-AzureADGroup.
- However, we need to view our Marketing Users group. To do this, we will filter our command, as follows:
Get-AzureADGroup -Filter "DisplayName eq 'Marketing Users'"
The executed command is shown in the following screenshot:
The output of this command will show you the ObjectID, DisplayName, and Description values of your group.
- Creating a group in PowerShell is just as simple. Let's say we need to create another dynamic security group with the same settings for the Sales Department users, but this time, we want to do this in PowerShell. To do this, run the following code:
New-AzureADMSGroup -Description "For access to the Sales Dept SharePoint Team Site" -DisplayName "Sales Users" -MailEnabled $false -SecurityEnabled $true -MailNickname "SalesDynamic" -GroupTypes "DynamicMembership" -MembershipRule "(user.department -eq ""Sales"")" -MembershipRuleProcessingState "On"
The executed command is shown in the following screenshot:
- With this, the group is created for you. We can search for and view it in the Azure portal as follows:
- You can click on the group name (in this case, Sales Users) to open and inspect the group settings. This will show you the Group overview:
- Select Dynamic membership rules. Here, you will see the rule syntax that we defined in the PowerShell command:
The New-AzureADMSGroup command not only allows us to create Security Groups, but Office 365 Groups as well.
Important note
When creating an Office 365 Group, a welcome email is sent to all the members of the group. It is possible to change this behavior, if desired, by using the Exchange Online PowerShell with the Set-UnifiedGroup command and the -UnifiedGroupWelcomeMessage switch set to enabled.
Links to all the relevant PowerShell commands related to Azure AD groups can be found in the References section at the end of this chapter.
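Because the members of a dynamic group, and therefore its access, follow whatever the membership rule reads from the user object, it is worth reviewing the rules periodically. The following is an added example, not code from the original chapter: it lists the attributes each rule depends on and flags groups whose rule processing is paused. The sample groups are constructed, and the Contractors group and its rule are hypothetical.

```powershell
# Constructed sample objects shaped like Get-AzureADMSGroup output (not tenant data).
# "Contractors" and its rule are hypothetical. Against a live tenant, after
# Connect-AzureAD, use instead:  $groups = Get-AzureADMSGroup -All $true
$groups = @(
    [pscustomobject]@{
        DisplayName                   = 'Marketing Users'
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = '(user.department -eq "Marketing")'
        MembershipRuleProcessingState = 'On'
    }
    [pscustomobject]@{
        DisplayName                   = 'Sales Users'
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = '(user.department -eq "Sales")'
        MembershipRuleProcessingState = 'On'
    }
    [pscustomobject]@{
        DisplayName                   = 'Contractors'
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = '(user.userType -eq "Guest") -and (user.companyName -eq "Fabrikam")'
        MembershipRuleProcessingState = 'Paused'
    }
)

function Get-DynamicRuleAttribute {
    # Return every user.<attr> / device.<attr> reference found in a rule string.
    param([string]$MembershipRule)
    [regex]::Matches($MembershipRule, '\b(user|device)\.\w+', 'IgnoreCase') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Get-DynamicGroupReview {
    # One row per dynamic group: the attributes that decide membership, and
    # whether the rule is still being evaluated.
    param([object[]]$Group)
    foreach ($g in $Group) {
        if ($g.GroupTypes -notcontains 'DynamicMembership') { continue }
        [pscustomobject]@{
            Group           = $g.DisplayName
            Attributes      = @(Get-DynamicRuleAttribute $g.MembershipRule) -join ', '
            ProcessingState = $g.MembershipRuleProcessingState
            # A paused rule stops adding and removing members, so membership
            # may no longer match the attribute values.
            Stale           = $g.MembershipRuleProcessingState -ne 'On'
        }
    }
}

Get-DynamicGroupReview -Group $groups | Format-Table -AutoSize
```

Anyone who can edit an attribute listed in the Attributes column can change who is in the group, so write access to those attributes deserves the same scrutiny as the group itself.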
Using group-based licensing in Azure AD
It is also possible to use Azure AD groups to assign licenses to users within Microsoft 365. You can configure this from the Azure AD portal by navigating to Azure Active Directory and then selecting Licenses followed by All products:
Let's say we wish to assign an Office 365 E3 license to everyone in the Marketing Users group we created earlier in this chapter. To do this, we need to follow these steps:
- Click the Office 365 E3 license selection.
- Select Licensed groups and click Assign.
- Click on Users and groups, search for Marketing Users, select the group, and click on Select:
- Now, click Assignment options. When assigning a license, we may not be ready to deploy and support all the features of the E3 license to users just yet, so we can turn off what we don't need to give them, as shown in the following screenshot:
- Once you are happy with your selections, click OK and then Assign. This will automatically assign all the members of the Marketing Users group an E3 license with only the features you wish to release at this time. The assignment option can be modified at any time when you are ready to add or remove more features.
Important note
Know your PowerShell. While a great deal of administration of Azure AD groups can be carried out in the Azure portal, you can expect PowerShell questions in the exam.
So, here, you can see how these features can enable you, as an administrator, to empower your users with some easy administration. Next, we will look at another feature of Azure AD Premium that promotes user convenience – Azure AD self-service password reset.