Tag Archives: Azure AD dynamic group membership

#Azure AD : All about Azure Active Directory

IT has moved from Datacenter Era to the Cloud Era. Focus of the organizations have been changed from one specific set of vendors to the open world of technology. Since Datacenter came in inception, Identity has played a vital role and always been used to treat as a backbone of IT. Now in the new era of multi-cloud environment, Identity is playing a centric role that itself is a new beginning of Identity that has been extended from IT backbone to user-experience oriented.

Microsoft had played a key role in datacenter era by Windows Server Active Directory and now again playing a crucial role in multi-cloud environment by offering Azure Active Directory. Microsoft Azure Active Directory in not only a directory service but it is a complete cloud service that can fulfill all your identity and authorization needs. However, you may find there are couple of things related to identity that can’t be fulfilled by native AAD features but it is continuously evolving.

In this era, organizations don’t need SME for everything but they need design SME who has board understanding of complete end-to end solution stack starting from infrastructure technologies to application technologies.

I have written a series of blog posts on Microsoft Azure AD and these posts mainly focus on how to do it or you can say step-by-step guides backed by real-time scenarios.

Microsoft Azure Active Directory

Azure AD Connect

SSO to SaaS

Application Proxy

Multi-factor Authentication

Self-service Password Management

Self-service group management

Access Panel/My Apps

Dynamic groups membership

Pricing, Licensing and Support

Conditional Access

Custom domain names

Company branding

Cloud App Discovery

Group-based licensing

Identity Protection Part I

Identity Protection Part II

Identity Protection Part III

Privileged Identity Management Part I

Privileged Identity Management Part II

Privileged Identity Management Part III

Azure Active Directory Domain Services Part I

Azure Active Directory Domain Services Part II

Azure Active Directory Domain Services Part III

Azure Active Directory Domain Services Part IV

Device Management – Azure AD Registering

Device Management – Azure AD Join

B2B Collaboration

B2B Licensing


Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.

Above series of blog posts have covered most of the areas of Azure Active Directory. You can bookmark this blog post for any Azure AD need, I’ll try my level best to add new Azure AD related posts in this series.


#AzureAD : Dynamic groups membership

Microsoft Azure AD comes with many unique features that provides simplified identity management. One of the unique feature is dynamic group membership for users. Dynamic user membership of security group enables organizations to manage security group membership based on the attribute. Let’s take an example to understand in much better way. Many employees join and leave large organizations on the daily basis or move within the organization to take up a new role. To manage right set of access for active users and write-off the access for employees leaving the organization or moving between department/role is a challenging task but can be simplified with Azure AD. However, there are many third-party solutions are available to do the same but Azure AD provides this feature natively with Premium P1 licenses.

For example, an organization wants to provide certain security and application access to their sales employees and want to avoid human error and delay in the process. Let’s have a look how to configure it.

Login to the https://aad.portal.azure.com and go to the Azure Active Directory.

Go to the Users and groups.

Go to the All groups.

Select + New group to create a new security group.

Enter the group name, description and select “Dynamic User” under membership type.

Select “Dynamic user members” and define Dynamic membership rules. Define rule and click on Add query.

Now, click on create to create this dynamic user membership security group.

Note: In my example, I am using a simple rule but you have an option to write Advanced rule as well.

For example, you want to give this access to field sales employees but not to their support team then define this rule like this:

(user.department -eq “Sales”) -and -not (user.jobTitle -contains “support”)

As of now, I haven’t defined department for any users in my setup. Let me define the department properties.

After updating the department name for a user Rick M, he becomes a member of this group automatically.

Hope, this blogpost helped you to understand this topic and configure your environment.