Using Azure AD dynamic groups for Microsoft 365 resources

• Author
• Recent Posts

Robert Pearman

Robert is a small business specialist from the UK and currently works as a system administrator. He was a Microsoft MVP for eight years and has worked as a technical reviewer for Microsoft Press. You can follow Robert on Twitter and in his blog.

Latest posts by Robert Pearman (see all)

• Office Deployment Tool (ODT): Deploy Office using custom XML files - Thu, Mar 30 2023
• Microsoft Teams freezes: Set cam permissions for conferencing apps - Tue, Mar 21 2023
• Microsoft 365 Apps admin center: Remote Office configuration - Wed, Mar 8 2023

Use of dynamic groups requires at least an Azure AD P1 license. They can ease the administrative burden of creating new staff or provisioning devices. Their effective use requires planning, of course. To that end, I recommend making a dynamic group a member of a traditional group, one whose membership is assigned. This will allow you to add a device or user who may be outside the scope of the query rule, such that they still get the same access as a member of the dynamic group.

To create and manage dynamic groups, head over to the Azure Active Directory portal. Then find Groups.

Managing groups in the Azure AD Portal

Click New group.

Creating a new group

The New group screen contains several sections

Azure AD group type

The group type can be Security or Microsoft 365. The differences, as described in the tool tip, are that security groups are used for assigning access to applications or resources and for assigning licenses, and that the members can be users, devices, service principals, or other groups.

A Microsoft 365 group is used for collaboration, access to shared mailboxes, SharePoint, etc.; however, the members can only be users.

Explaining group types

The group name and group description don't require an explanation. This takes us to Azure AD roles, which can be assigned to groups. This is a useful setting if you want to assign administrative roles to a custom group.

For example, by default, a global administrator does not have access to all roles and permissions in a tenant. A discussion of role-based access is beyond the scope of this article, but you can read more about it here. If you decide you want to create a group that has assigned roles, this is the setting you want to change.

Membership type

This is the setting this article is written for. You have three choices.

1. Assigned—Members are manually assigned to the group.
2. Dynamic User—User objects are dynamically assigned to the group.
3. Dynamic Device—Device objects are dynamically assigned to the group.

The three group types

Dynamic membership is, as the name implies, changeable. Not only are users and devices assigned, they are also removed when they no longer meet the criteria.

Azure AD group owners

Group owners are users who are set as group owners, meaning they can manage the membership of the group. Anyone can be a group owner, and they do not need an administrative role assigned to them. Whoever creates the group automatically becomes an owner; you do not have to specify additional owners if you do not want to.

When you select either a dynamic user or device group, the membership field changes to allow you to add a dynamic query.

Adding a dynamic query

Let's add a dynamic security user group and take a look at the query rules editor.

Adding a dynamic membership rule

The rule editor contains several sections. There is a tab for a really useful feature validation that allows you to test your rules.

Below that is the area where you can use dropdown menus to build your queries, or if you know the query language well enough to manually type a query, you can click edit and type straight into the rule syntax box.

More information on constructing queries can be found here. For this example, let's keep things simple. I want to find everyone who is in the Management department.

Creating a dynamic rule

Using the Property dropdown, I find department. I set Operator to equals and type in Management for the value.

You can see the rule syntax automatically updates to show my query.

The query rule syntax

If I now switch to the rule validation tab, I can select several users who, ideally, I know do and do not fit the criteria I specified in the rule. This allows me to check whether the rule would apply to them.

Adding a user

Click Add users to choose the users you want to test the rule against. As soon as the users are selected, they are tested against the query, and you can see the result.

Validating a user rule

A green check indicates that the user met the criteria, and a red cross indicates that they did not.

Once you are happy with your rule, save it. Then click Create to create the group.

Creating a dynamic group

We have now created a dynamic group; anyone in the tenant whose department is set to Management will become a member of the group.

Let's assume we have a SharePoint site for managers only, but we do not want to manually assign membership to that site. When we navigate to the permissions for the site, we can add our dynamic group to the site members.

Adding a group to SharePoint

You might be thinking that's a lot of effort to go through to assign a few managers to a single SharePoint site, and you would be right. However, I am a strong believer in working smarter, not harder. Guess what happens the next time a user is promoted, or a new hire comes on board? While adding or updating their account, you set their department to Management, and a few minutes later, they have access to this site.

In addition, any other site or folder on a different site that requires management-level clearance also just became available to them (assuming you set the group on those resources).

Earlier, I mentioned some limitations of Microsoft Exchange. Unfortunately, you cannot use a group like this to assign access to a shared mailbox, as that is only available to mail-enabled security groups.

A few scenarios came up in my work recently, where using a dynamic group was the perfect solution, one of those I wrote about recently. Based on the learning I did for that, I realized that I could implement dynamic groups to accomplish some other improvements.

Device Azure AD groups

On the device side, I currently have two uses for dynamic groups; both are used in conjunction with Intune.

The rule syntax for device groups is more limited. A current list is available here.

Let's say I need to deploy an application to a specific device type or model, for example, Adobe InDesign or perhaps an accountancy package. If I use a dynamic device group, I can create a query to populate those specific devices into the group and then set the relevant scope on the application deployment rule in Intune to get the application deployed.

Adding the device group rule

Azure will then go find all those devices and add them to the group.

You might decide you want to deploy the application broadly but exclude a certain type of device. Intune does not allow you to set exclusions on application deployments, but creating a dynamic group and using a negative operator like NOT would allow you to select all but those devices.

The device group rule NOT

I can definitely see a use case for application deployment rules when used in conjunction with dynamic user groups together with Windows Autopilot. Which device is in use becomes less important than who is using it.

I don't think I have even scratched the surface in this article on what you could achieve using dynamic groups, but if you are new to the idea, I hope that I have given you enough examples to get you thinking of how you might use them to make your life easier.