How to Use Microsoft 365 Dynamic Groups to Streamline Access Management

Cloud Computing

In today’s dynamic business landscape, managing user access to resources is critical for organizations. Azure Active Directory (AAD), a comprehensive identity and access management solution from Microsoft, offers a powerful feature called dynamic groups. These dynamic user groups provide a flexible and automated approach to managing user access based on predefined rules and user attributes. In this article, I’ll explore the benefits of dynamic groups and delve into the steps for effectively using dynamic groups within Azure Active Directory and Microsoft 365.

What are Microsoft 365 dynamic groups?

Dynamic groups in Azure Active Directory enable organizations to automate user access management by dynamically updating group membership based on specified criteria. Unlike static groups that require manual updates, dynamic groups evaluate rules against user attributes in real time, ensuring that users have the appropriate access as their details change.

This dynamic approach streamlines administration, enhances security, and reduces the risk of errors associated with manual group management. You can use this functionality for dynamic distribution groups and Microsoft 365 Groups.

The benefits of using dynamic groups in Microsoft 365

The main benefits of utilizing dynamic groups are the time your admins will save and the robustness of your group membership. Let me go into more detail here and describe these benefits.

Automated membership management

Dynamic groups eliminate the need for manual updates by automatically adding or removing users based on predefined rules. This automation saves time and effort, especially in organizations with a large number of users or where attributes frequently change.

Real-time access control

As user attributes evolve, dynamic groups ensure that access is granted or revoked promptly. This real-time access control enhances security and eliminates the possibility of users retaining inappropriate access privileges due to outdated group memberships.

Streamlined administration

With dynamic groups, administrators can define rules based on various user attributes such as department, job title, location, or custom attributes. This approach allows for granular access controls and reduces administrative overhead by eliminating the need to individually manage group memberships. IT pros can use device attributes, simple expressions, direct reports, and other attribute families to create the best group for various teams.

Scalability and flexibility

Dynamic groups are highly scalable and can adapt to evolving organizational structures. They can be used across various Azure Active Directory-integrated services including SharePoint, Teams, and other Microsoft 365 applications, all while providing a consistent and automated approach to access management.

How to use dynamic groups in Microsoft 365

The guidelines I’m going to detail will help you to effectively leverage dynamic groups in Microsoft 365 and Azure Active Directory. The following topic areas should help you to understand the intricacies of these types of groups and how they can assist and add value to your IT organization.

You can choose between security groups or Microsoft 365 groups for this process. Using a group membership rule and various rule syntax, you can offer your IT support teams added value in maintaining groups in Microsoft 365.

Defining group rules

Start by determining the criteria for membership in a dynamic group. Consider attributes like department, job title, location, or any custom attribute that reflects your organizational structure and access requirements.

For this tutorial, I will be using my Microsoft 365 Developer AAD tenant. Let me first show you a partial view of my users.

Users list from Azure AD
Users list from Azure AD (Image credit: Petri/Michael Reinders)

One of the attributes I can use in creating my new group is ‘Department’. I have taken the liberty of adjusting the columns shown and added the ‘Department’ as you can see. So, we will create a new dynamic group that includes every user in the ‘Finance’ or ‘Marketing’ departments.

Creating a dynamic group in Microsoft 365

Using the Azure portal or PowerShell, we can create a new dynamic group and specify the membership rules based on the defined criteria. Azure Active Directory provides a user-friendly interface called the Rule Builder for creating and managing dynamic groups, allowing you to select attributes and define operators to match specific conditions.

  • Let’s get started in the Azure portal and select Azure Active Directory.
Azure AD Portal Website (Image credit: Petri/Michael Reinders)
  • Go ahead and click Groups on the left, and then click New group.
  • A New Group window will open. Here, I chose Microsoft 365 as the ‘Group type‘, entered a name and a description, and chose Dynamic User in the ‘Membership’ type dropdown.
Adding a new group in Azure AD
Adding a new group in Azure AD (Image credit: Petri/Michael Reinders)
  • Next, I will click the Add dynamic query link to define our rules. This will open the Dynamic membership rules pane.
  • Here, I chose the ‘Property’ of department, the ‘Operator’ of Equals‘, and typed in Finance.
Adding a dynamic membership rule
Adding a dynamic membership rule (Image credit: Petri/Michael Reinders)
  • I then clicked ‘+ Add expression‘ and did the same except I typed in Marketing. I was careful to change the ‘And/Or’ field to O‘ so that they will be included if the user is in either of the two types.
  • Next, I click Save and the Create button at the lower left corner of the pane.
  • There is our new Budget and Marketing Team dynamic group on the list! Let’s select it.
There's our new 'Budget and Marketing Team' Microsoft 365 dynamic group
There’s our new ‘Budget and Marketing Team’ group (Image credit: Petri/Michael Reinders)
  • We can see that this is indeed a Microsoft 365 dynamic group that will dynamically include everyone in the Finance and Marketing departments.
Details for our new Microsoft 365 dynamic group
Details for our new Microsoft 365 dynamic group (Image credit: Petri/Michael Reinders)

Testing and validating membership

After creating a dynamic group, you need to validate its membership by reviewing the users included in it based on the rules you defined. You should ensure that the group accurately reflects the intended criteria and adjust the rules if necessary.

So, right after creating it, we can see there are no members, yet. The information link on the top does say that updates to dynamic groups can take up to 24 hours to process. Let’s give it some time and check back in a bit.

Applying dynamic group membership

Once validated, you can leverage dynamic groups across various Azure Active Directory-integrated services. That includes assigning access permissions, applying policies, or enabling specific features based on the dynamic group’s membership. You can even use dynamic groups when creating or modifying conditional access policies in the security realm!

Monitoring and reviewing your dynamic group

You need to continuously monitor the membership of dynamic groups to ensure that users have the appropriate access. Making sure that the new hire is a member of that group is critical to receive all appropriate access and permissions. It’s your responsibility to regularly review and update the group rules as your organization evolves or new access requirements arise.

  • Let’s check again on our group members and see if we see any updates. There we go! Alex, Megan, and Pradeep are in the Finance or Marketing departments.
We have 3 users 'dynamically' added to our group
We have 3 users ‘dynamically’ added to our group! (Image credit: Petri/Michael Reinders)

Now, what happens when we hire a new marketing director? Let’s see.

  • I went back to the Users view on the left, clicked New User, and filled in the basic information for Fox Mulder, our new Marketing Director.
Adding a new user in the 'Marketing' department
Adding a new user in the ‘Marketing’ department (Image credit: Petri/Michael Reinders)
  • I clicked on the Create button on the bottom and waited a bit to refresh my Users view. Fox is now here in the list!
Fox Mulder is now a user
Fox Mulder is now a user (Image credit: Petri/Michael Reinders)
  • Now, let’s go check our group membership again. Without anyone needing to do anything, Fox is dynamically a member of our dynamic group.
There he is in our Microsoft 365 dynamic group
There he is in the group! (Image credit: Petri/Michael Reinders)

This is wonderful time savings for your HR and Identity and Access Management teams. And this is just a simple example…the query power and possibilities are huge. You could conceivable create a group that takes location, hybrid/office working locations, departments, titles, etc.

Microsoft 365 dynamic groups: Advanced usage and options

There are even more advanced options at your disposal when working with dynamic groups in Microsoft 365. Let me go through some of the more prevalent and useful ones for the majority of enterprises today.

Custom attributes

Azure Active Directory allows the creation of custom attributes to accommodate specific business needs. Using custom attributes in dynamic group rules enables more granular access controls, providing flexibility in defining membership criteria.

Dynamic group size and performance

It is important to consider the size and complexity of dynamic groups. Large groups or complex rules might result in longer update times. That’s why you should monitor the performance of dynamic groups and optimize the rules if needed to maintain efficient membership updates.

Hybrid environments

If your organization operates in a hybrid environment with both on-premises and cloud resources, you should ensure that the necessary synchronization is in place between Azure Active Directory and on-premises Active Directory. This synchronization ensures that user attributes are accurately reflected and evaluated for dynamic group membership.

Security considerations

While dynamic groups simplify access management, it’s crucial to ensure the security of group rules and attributes. It’s important to regularly review and validate these rules and ensure that they align with your organization’s security policies and practices.

Dynamic groups can streamline access management

Dynamic groups in Azure Active Directory offer a powerful and automated approach to user access management. By leveraging user attributes and predefined rules, organizations can streamline administration, enhance security, and adapt to dynamic changes within their user base, ensuring appropriate access at all times.

Related Articles: