User management is critical to your employees’ productivity, collaboration, and security. With many businesses focusing on technological transformation, handling this basic yet crucial IT task efficiently is key to ensuring stability while pursuing growth.
As such, it’s important to familiarize yourself with tools that can help you achieve this. While third-party management solutions can be leveraged, getting familiar with native Microsoft tools will be greatly advantageous as you explore your Microsoft environment.
Microsoft 365 dynamic groups aim to reduce the administrative overhead for IT teams by providing an efficient user management system where the creation of rules is the only requirement to automate adding and removing users to and from your organization’s groups.
With query-based membership, users are automatically added to appropriate dynamic groups based on the attributes of the user or device that are relevant to them.
This is done by creating complex attribute-based rules in Azure Active Directory (Azure AD) to sort users into groups based on properties like department, business unit, location, or roles specified in their user account. Any updates on their user profile are automatically identified so changes to their group memberships are easily carried out.
How Do You Create a Dynamic Group?
To create and manage dynamic groups, your organization must have enough P1 licenses to match or exceed the number of users in said groups.
While the licenses do not have to be directly assigned, only P1 and some other higher Microsoft 365 licenses such as E3, E5, MF1, and MF3 include this Azure AD Premium functionality.
Azure AD provides a graphical-based rule builder in the Azure portal where you can create and update your rules easily. This rule builder can support construction of up to five expressions, and a text box is available if you need to create more.
While the rule builder handles rules made of a few simple expressions, it can’t reproduce every rule. When the builder doesn’t support the rule you want to create, enter the query string directly in the text box instead.
To get in-depth information about dynamic membership rules for Azure Active Directory groups, see the official Microsoft documentation.
How to Create a Group Membership Rule
To create dynamic groups, you must be a global administrator, Intune administrator, or a user administrator in your Azure AD organization.
- Sign in to the Azure AD admin center.
- Go to Groups. Select All groups and choose New group.
- Create a new group by entering a name and description on the Group page. Choose a membership type for users or devices, then select Add dynamic query.
- Once your rules are created, you can click Save, then select Create once you’re on the new group page to officially create the group.
A notification in the Azure portal will pop up if your rule isn’t valid. The notification will include details as to why it couldn’t be processed and how you can fix the rule.
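The same steps can be scripted. The following is an added example, not part of the original article: it uses the Microsoft Graph PowerShell SDK to create a security group with a dynamic user rule and then reads the stored rule back. The group name, mail nickname, and the Sales department rule are assumptions chosen for illustration.

```powershell
# Added example. Requires the Microsoft.Graph.Groups module and one of the
# admin roles listed above. All names and the rule are illustrative.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Rule text exactly as it would be typed into the rule builder's text box:
# enabled accounts whose department attribute is "Sales".
$rule = '(user.department -eq "Sales") -and (user.accountEnabled -eq true)'

$params = @{
    DisplayName                   = 'Sales - dynamic (example)'
    Description                   = 'Enabled users with department = Sales'
    MailEnabled                   = $false
    MailNickname                  = 'sales-dynamic-example'
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')  # marks the group as dynamic
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'                    # start evaluating the rule
}
$group = New-MgGroup @params

# Read the group back to confirm what was stored, so the rule can be
# reviewed before the group is used to grant access to anything.
Get-MgGroup -GroupId $group.Id -Property id, displayName, groupTypes, membershipRule, membershipRuleProcessingState |
    Select-Object Id, DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
```

An invalid rule is rejected by the service when the group is created, in the same way the portal reports an invalid rule.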
Dynamic Group Integrations
There are more ways than one to create Microsoft 365 dynamic user groups. If your organization already has Microsoft 365 Groups or security groups, you can turn these static groups into dynamic groups to better manage existing group membership.
To do so, you can either create a new group in Azure AD and then add your dynamic membership rule, or you can edit your group settings by adding your new membership rules to your existing groups.
It’s important to note that changing an existing group from static to dynamic will cause all existing members of that group to be removed. They will only be added back when they have relevant dynamic attributes.
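Because conversion empties the group first, it is worth checking who would not be added back before making the change. The following is an added example, not part of the original article: it snapshots the current members, lists those whose attributes do not match the planned rule, and only then converts the group. The group ID is a placeholder, and the Sales department rule and its hand-written filter equivalent are assumptions.

```powershell
# Added example using the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$groupId = '<object-id-of-existing-static-group>'   # placeholder
$rule    = '(user.department -eq "Sales")'           # planned membership rule
$filter  = "department eq 'Sales'"                   # same condition as an OData filter

# 1. Snapshot the current static membership so it can be restored or audited.
$current = Get-MgGroupMember -GroupId $groupId -All
$current | Select-Object Id | Export-Csv -Path .\members-before.csv -NoTypeInformation

# 2. Users the planned rule is expected to match.
$matching = Get-MgUser -Filter $filter -All -ConsistencyLevel eventual -CountVariable matchCount
$matchIds = @($matching.Id)

# 3. Current members who would lose membership (and the access that comes
#    with it) because their attributes do not satisfy the rule.
$willLose = @($current | Where-Object { $_.Id -notin $matchIds })
"{0} of {1} current members would not be added back:" -f $willLose.Count, @($current).Count
$willLose | Select-Object Id

# 4. After reviewing the list, convert the group. Existing group types
#    (for example "Unified" on a Microsoft 365 Group) are preserved.
$group = Get-MgGroup -GroupId $groupId -Property id, groupTypes
$types = @(@($group.GroupTypes) + 'DynamicMembership' | Select-Object -Unique)
Update-MgGroup -GroupId $groupId -GroupTypes $types -MembershipRule $rule `
    -MembershipRuleProcessingState 'On' -Confirm
```

The filter in step 2 only approximates the rule, so a more complex rule needs an equally complete filter, or the affected users' attributes need correcting before step 4 is run.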
Microsoft 365 Groups
Microsoft 365 Groups are used to give access to shared Microsoft 365 resources for a group of people who will be working together. This means you can create dynamic membership rules based on your users’ profiles.
As mentioned above, converting an existing Microsoft 365 Group to dynamic membership removes all of its existing members, along with their access to apps and resources. Their access will be reinstated once they are added back to the Group if they have the necessary attributes.
Dynamic membership rules in security groups work much the same way as they do in Microsoft 365 Groups. The main difference is that with security groups, you can choose to create rules for devices or users (though you can’t create rules that contain both devices and users).
Also, creation of device groups works only by referencing device attributes such as operating system versions, Intune device property labels, or enrollment profile names instead of the device owner’s attributes.
Again, converting an existing security group will cause its members to be reevaluated based on their attributes, with other members being added or removed depending on the conditions of your group.
Microsoft Teams Dynamic Groups
Microsoft Teams also supports dynamic memberships. Teams associated with Microsoft 365 Groups may be managed with dynamic group capabilities.
While they primarily have the same process (in which members are added and removed based on the criteria presented), creating Teams with dynamic membership rules will result in a few things:
- Only Team members can be defined by the rules, not Team owners
- Since dynamic group rules define the Team members, Team owners do not have the ability to add and remove users in their Teams.
- General member management options for the Team are hidden, such as options to add members, edit member roles, send and approve join requests, and leave the Team
Microsoft 365 Dynamic Distribution Groups
Exchange Online also supports dynamic membership for email distribution groups. Instead of users and devices, group membership is calculated each time a message is sent to the group.
Utilizing dynamic groups is only a part of the many Microsoft solutions you can leverage to automate and improve the efficiency of your business processes. Third-party Microsoft integrations such as AvePoint solutions are also available to support many of the various spheres of IT and administrative functions.
As business leaders, getting familiar with what works for your organization is key to ensuring that your journey to the cloud is safe and well-handled. Have any other questions? Feel free to drop them in the comments below!