This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
Implement Azure AD Group Membership
There are two types of groups in Azure AD as it relates to membership: Assigned and Dynamic. Assigned membership works just like regular AD groups. You create the group in Azure AD and assign owners and members one by one.
Dynamic membership is a lot more flexible. With dynamic membership we create rules that are processed to determine membership. There are two types of dynamic groups, user and device but both work in pretty much the same way. When we create a dynamic group, we set owners as we would with assigned groups, and then we configure membership rules.
To configure membership rules, click on the “Add dynamic query” option and you will be brought to the rules editor. From here you can add the rules that scope membership of the group. In the example below, we are specifying all enabled users whose display name does not contain the string “Adele”.
We can then use the preview feature to validate our rules. This allows us to pick users to check the rule against and verify whether they would be included or not. Below I have added three accounts: Allan, Adele and Alex. Allan has sign-ins disabled, so he is not included in the group; Adele has “Adele” in her name, so she is also excluded; Alex meets both of our criteria and is included.
We can see that our group rules are working as expected, and if we click “view details” on a user's status, we can even see the reasons for that status.
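As an added illustration (not part of the original post, and not Microsoft's code), the following Python script mimics what the preview feature does: it parses a rule written in the Azure AD dynamic membership rule syntax and evaluates it against three constructed sample accounts standing in for Allan, Adele and Alex, recording a pass/fail reason for each clause the way “view details” does. The exact rule string, the sample display names and the case-insensitive string matching are assumptions made for this example; the operator names (-eq, -ne, -contains, -notContains, -startsWith, and/or/not) are the ones the rule syntax uses.

```python
import re

# Constructed sample directory for the walkthrough (not real tenant data).
SAMPLE_USERS = [
    {"displayName": "Allan Deyoung", "accountEnabled": False},  # sign-ins disabled
    {"displayName": "Adele Vance", "accountEnabled": True},     # name contains "Adele"
    {"displayName": "Alex Wilber", "accountEnabled": True},     # meets both criteria
]

# Assumed wording of the rule described in the post: enabled users whose
# display name does not contain "Adele".
RULE = '(user.accountEnabled -eq true) and (user.displayName -notContains "Adele")'

# Tokens: parentheses, quoted strings, -operators, and identifiers/keywords.
TOKEN_RE = re.compile(r'\s*(\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z_][\w.]*)')


def tokenize(rule):
    rule = rule.strip()
    pos, tokens = 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def literal(tok):
    """Convert a literal token to a Python value (strings, true/false/null)."""
    if tok.startswith('"'):
        return tok[1:-1]
    low = tok.lower()
    if low in ("true", "false"):
        return low == "true"
    if low == "null":
        return None
    raise ValueError(f"unsupported literal {tok!r}")


def _norm(v):
    # Assumption of this toy evaluator: string comparisons are case-insensitive.
    return v.lower() if isinstance(v, str) else v


OPERATORS = {
    "-eq": lambda a, b: _norm(a) == _norm(b),
    "-ne": lambda a, b: _norm(a) != _norm(b),
    "-contains": lambda a, b: isinstance(a, str) and _norm(b) in _norm(a),
    "-notcontains": lambda a, b: not (isinstance(a, str) and _norm(b) in _norm(a)),
    "-startswith": lambda a, b: isinstance(a, str) and _norm(a).startswith(_norm(b)),
}


class Parser:
    """Recursive-descent parser: or > and > not > (comparison | parenthesised rule)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok.lower() != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() and self.peek().lower() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        if self.peek() == "(":
            self.take("(")
            node = self.parse_or()
            self.take(")")
            return node
        prop = self.take()
        if not prop.lower().startswith("user."):
            raise ValueError(f"expected user.<property>, got {prop!r}")
        op = self.take().lower()
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", prop[len("user."):], op, literal(self.take()))


def evaluate(node, user, reasons):
    """Evaluate a parsed rule for one user, appending a reason line per comparison."""
    kind = node[0]
    if kind == "cmp":
        _, prop, op, value = node
        actual = user.get(prop)
        result = bool(OPERATORS[op](actual, value))
        reasons.append(f"user.{prop} {op} {value!r}: {'pass' if result else 'fail'} (actual {actual!r})")
        return result
    if kind == "not":
        return not evaluate(node[1], user, reasons)
    left = evaluate(node[1], user, reasons)
    right = evaluate(node[2], user, reasons)  # evaluated too, so every reason is reported
    return (left and right) if kind == "and" else (left or right)


def preview(rule, users):
    """Return {displayName: {"included": bool, "reasons": [...]}} like the preview pane."""
    tree = Parser(tokenize(rule)).parse()
    results = {}
    for user in users:
        reasons = []
        included = evaluate(tree, user, reasons)
        results[user["displayName"]] = {"included": included, "reasons": reasons}
    return results


if __name__ == "__main__":
    for name, outcome in preview(RULE, SAMPLE_USERS).items():
        print(f"{name}: {'included' if outcome['included'] else 'not included'}")
        for reason in outcome["reasons"]:
            print(f"    {reason}")
```

Running the script prints Allan as not included (the accountEnabled clause fails), Adele as not included (the -notContains clause fails) and Alex as included, matching the preview results described above. Because the evaluator records every clause rather than short-circuiting, each user's reason list shows both clauses, which is what makes a rule easy to debug before it is switched on for a licensing or access-granting group.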
Dynamic membership rules can be really useful in a number of scenarios such as:
- Creating Device Groups for Intune / Autopilot configuration
- Licensing users based on particular attributes
- Granting access to data based on a user's job title
- Dynamically adding users to Microsoft Teams
Some useful links to check out: