Dynamic group memberships reduce the administrative overhead of adding and removing users from a group as the process is automated and driven by attribute changes. For example, a user with a department attribute of Sales within AD could be automatically added to a dynamic group named Sales, and removed automatically if the user moved roles. For example, the user department attribute in AD was amended from Sales to Marketing. In this case, the user would be automatically removed from the Sales group and moved to the Marketing group if a dynamic group existed for Marketing.
In this blog post I will go through the process of creating a dynamic group within Azure AD and add a dynamic query/condition so staff from Sales UK are automatically added to a dynamic group.
- Access Azure AD
- Click Groups located in the left pane
3. Click + New group
4. Complete the fields for your group (Example below)
Group Type: Security
Group Name: CloudBuild_Sales
Group Description: Dynamic group for staff working in Sales UK
Membership Type: Dynamic User
Owner: I have assigned myself as an owner
The next step involved adding a dynamic query
5. Click Add dynamic query
6. Input details for your query, see example below
Property: department (This is the field located within the users Azure AD account properties)
Value: Sales UK (I want all users with a department of Sales UK to be added into my new dynamic group)
7. Click save
8. Click create
The result, all users with Sales UK included within the department field will automatically be added to your dynamic group. When the department field is changed, such as, the user moves departments, the process will automatically remove the user from the dynamic group.
1. You can not manually add or remove a member of a dynamic group
2. You can create a dynamic group for devices or for users, but you can’t create a rule that contains both users and devices
3. This feature requires an Azure AD Premium P1 licence for each unique user that is a member of one or more dynamic groups. You don’t have to assign licences to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the Azure AD organisation to cover all such users. For example, if you had a total of 300 unique users in all dynamic groups in your organisation, you would need at least 300 licences for Azure AD Premium P1 to meet the licence requirement. No licence is required for devices that are members of a dynamic device group.