This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
Implement Azure AD Group Membership
There are two types of groups in Azure AD as it relates to membership: Assigned and Dynamic. Assigned membership works just like regular AD groups. You create the group in Azure AD and assign owners and members one by one.
Dynamic membership is a lot more flexible. With dynamic membership we create rules that are processed to determine membership. There are two types of dynamic groups, user and device, but both work in pretty much the same way. When we create a dynamic group, we set owners as we would with assigned groups, and then we configure membership rules.
To configure membership rules, click on the “Add dynamic query” option and you will be brought to the rules editor. From here you can add in the rules for scoping membership of the group. In the below example, we are specifying all enabled users whose display name does not contain the string “Adele”.
We can then use the preview feature to validate our rules. This allows us to add users to check the rule against and verify if they would be included or not. Below I have added three accounts, Allan, Adele and Alex. Allan has sign-ins disabled so is not included in the group, Adele has “Adele” in her name so is also excluded and Alex meets both of our criteria and is included.
We can see that our group rules are working as expected, and if we click “view details” on the user's status, we can even see the reasons for the status.
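The same rule can also be created and checked from Microsoft Graph PowerShell instead of the portal. This is an added example, not part of the original post: the group display name and mail nickname are constructed values, and the rule text is written out from the description above (enabled users whose display name does not contain “Adele”).

```powershell
# Added example: the group name and mail nickname below are constructed values.
# Requires the Microsoft.Graph PowerShell module and an account allowed to create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Rule text equivalent to the one built in the rules editor:
# enabled accounts whose display name does not contain "Adele".
# Single quotes keep the inner double quotes intact.
$rule = '(user.accountEnabled -eq true) -and (user.displayName -notContains "Adele")'

# Create a security group with dynamic user membership and turn rule processing on.
$group = New-MgGroup -DisplayName 'Demo - Enabled users except Adele' `
    -MailNickname 'demo-enabled-not-adele' `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Read back what was stored so the rule and its processing state can be reviewed.
Get-MgGroup -GroupId $group.Id `
    -Property 'displayName,membershipRule,membershipRuleProcessingState' |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Membership is evaluated asynchronously, so run this once processing has completed.
# With the three accounts from the preview above, Alex should be listed,
# while Allan (sign-in disabled) and Adele (name match) should not.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```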
Dynamic membership rules can be really useful in a number of scenarios such as:
- Creating Device Groups for Intune / Autopilot configuration
- Licensing users based on particular attributes
- Granting access to data based on a user's job title
- Dynamically adding users to Microsoft Teams
Some useful links to check out:
Create a basic group and add members – Azure Active Directory | Microsoft Docs
Create or edit a dynamic group and get status – Azure AD | Microsoft Docs
Rules for dynamically populated groups membership – Azure AD | Microsoft Docs