# Azure AD: Dynamic group membership


Microsoft Azure AD comes with many features that simplify identity management. One of them is dynamic group membership for users. Dynamic user membership of a security group lets an organization manage the group's membership based on user attributes rather than by hand. Let's take an example to understand it better. In large organizations, employees join and leave every day or move within the organization to take up a new role. Granting the right access to active users and revoking it for employees who leave or change department or role is a challenging task, but Azure AD can simplify it. Many third-party solutions are available to do the same, but Azure AD provides this feature natively with Premium P1 licenses.

For example, an organization wants to grant certain security and application access to its sales employees and wants to avoid human error and delay in the process. Let's have a look at how to configure it.

Log in to https://aad.portal.azure.com and go to Azure Active Directory.

Go to Users and groups.

Go to All groups.

Select + New group to create a new security group.

Enter the group name and description, and select "Dynamic User" under membership type.

Select "Dynamic user members" and define the dynamic membership rules: define the rule and click Add query.

Now click Create to create this dynamic user membership security group.

Note: In my example, I am using a simple rule, but you have the option to write an advanced rule as well.

For example, if you want to give this access to field sales employees but not to their support team, define the rule like this (straight quotes, as the rule editor expects):

```
(user.department -eq "Sales") -and -not (user.jobTitle -contains "support")
```

As of now, I haven't defined a department for any users in my setup. Let me define the department property.

After updating the department name for a user Rick M, he becomes a member of this group automatically.
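The same flow (create the dynamic group with the rule above, set the department attribute on a user, then confirm membership) can be scripted with the AzureAD PowerShell module. This is an added example, not code from the original post; it assumes the module is installed, that you have already run Connect-AzureAD with an account permitted to create groups and edit users, and the user principal names, group name and mail nickname below are constructed placeholders.

```powershell
# Added example (not from the original post): build the dynamic security group
# from PowerShell instead of the portal. Assumes Connect-AzureAD has already run.
# UPNs, group name and mail nickname are constructed placeholders.

$groupName = 'Field Sales (dynamic)'

# Same rule as the post. Single quotes keep PowerShell from interpreting the
# double quotes and the -and / -not tokens, which belong to the Azure AD rule
# language, not to PowerShell.
$rule = '(user.department -eq "Sales") -and -not (user.jobTitle -contains "support")'

# Create a security group whose membership is driven entirely by the rule.
$group = New-AzureADMSGroup -DisplayName $groupName `
    -Description 'Field sales staff, excluding their support team' `
    -MailEnabled $false -MailNickname 'fieldsales' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Set the attributes the rule keys on. One user should match, one should be
# excluded because the job title contains "support" (placeholder UPNs).
$salesUser   = Get-AzureADUser -ObjectId 'rick.m@contoso.example'
$supportUser = Get-AzureADUser -ObjectId 'sam.s@contoso.example'
Set-AzureADUser -ObjectId $salesUser.ObjectId   -Department 'Sales' -JobTitle 'Field sales representative'
Set-AzureADUser -ObjectId $supportUser.ObjectId -Department 'Sales' -JobTitle 'Field sales support'

# Membership is recalculated asynchronously by Azure AD, so poll for a while
# instead of reading the member list immediately.
$attempts = 0
do {
    Start-Sleep -Seconds 30
    $members = @(Get-AzureADGroupMember -ObjectId $group.Id -All $true)
    $attempts++
} while ($members.Count -eq 0 -and $attempts -lt 20)

# Expected result: rick.m is listed, sam.s is not.
$members | Select-Object DisplayName, UserPrincipalName
```

Because membership is evaluated by the service rather than at group-creation time, any audit or access-review script should read the group's members after the evaluation has completed, not assume the rule took effect the moment the group was created.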

Hope this blog post helped you to understand this topic and configure your environment.
