Office 365 Dynamic Groups

Office 365 dynamic groups

Dynamic groups are groups that have their group membership updated dynamically based on defined rules. If used properly, dynamic groups can save you a lot of time and improve the security of your network.

Office 365 dynamic groups require you to have an Azure AD Premium P1 or P2 subscription.

Active Directory (on-premises) only has support for dynamic distribution groups. Distribution groups are used for mail delivery – they can’t be used to assign file access or group policies.

Do you want Dynamic Groups on-premises AND in Office 365 without the costly P1 or P2 subscription? Read this!

Create an Office 365 Dynamic Group Using the Portal

Office 365 includes support for dynamic groups. Contrary to AD dynamic groups the Office 365 dynamic groups can actually be used to grant access to resources – but only to Office 365 resources like Teams, SharePoint, etc. Since the groups are not synchronized to your local AD domain they can’t be used on your local AD resources like shared folders and group policies.

To create dynamic groups in Office 365 using the GUI, go to Groups and click “New Group”:

Create Office 365 Dynamic Group

When you define the new group make sure to set the membership type as “Dynamic User”:

Create an Office 365 Dynamic Group Using PowerShell

To create a dynamic group in Office 365 using PowerShell, use the New-AzureADMSGroup command:

New-AzureADMSGroup -DisplayName "Marketing Department" -Description "Marketing department group" -MailEnabled $True -SecurityEnabled $True -MailNickname MarketingDepartment -GroupTypes "DynamicMembership", "Unified" -MembershipRule "(User.department -eq ""Marketing"")" -MembershipRuleProcessingState "On"

This command will generate output similar to this:

Id                            : 14753031-d04c-4712-be0b-48796f0581cb
Description                   : Marketing department group
OnPremisesSyncEnabled         : 
DisplayName                   : Marketing Department
OnPremisesLastSyncDateTime    : 
Mail                          : 
MailEnabled                   : True
MailNickname                  : MarketingDepartment 
OnPremisesSecurityIdentifier  : 
ProxyAddresses                : {} 
SecurityEnabled               : True 
GroupTypes                    : {} 
MembershipRule                : (user.department -eq "Marketing") MembershipRuleProcessingState : Paused

Office 365 Dynamic Group Rules

The rules that define group membership are built from a limited set of user attributes. The following table shows you what attributes can be used in Office 365 dynamic group rules:

Office 365 Dynamic Groups

BoolaccountEnableduser.accountEnabled -eq true
BooldirSyncEnableduser.dirSyncEnabled -eq true
Stringcity( -eq “value”)
Stringcountry( -eq “value”)
StringcompanyName(user.companyName -eq “value”)
Stringdepartment(user.department -eq “value”)
StringdisplayName(user.displayName -eq “value”)
StringemployeeId(user.employeeId -eq “value”)
StringfacsimileTelephoneNumber(user.facsimileTelephoneNumber -eq “value”)
StringgivenName(user.givenName -eq “value”)
StringjobTitle(user.jobTitle -eq “value”)
Stringmail(user.mail -eq “value”)
StringmailNickName(user.mailNickName -eq “value”)
Stringmobile( -eq “value”)
StringobjectId(user.objectId -eq “value”)
StringonPremisesSecurityIdentifier(user.onPremisesSecurityIdentifier -eq “value”)
StringpasswordPolicies(user.passwordPolicies -eq “DisableStrongPassword”)
StringphysicalDeliveryOfficeName(user.physicalDeliveryOfficeName -eq “value”)
StringpostalCode(user.postalCode -eq “value”)
StringpreferredLanguage(user.preferredLanguage -eq “en-US”)
StringsipProxyAddress(user.sipProxyAddress -eq “value”)
Stringstate(user.state -eq “value”)
StringstreetAddress(user.streetAddress -eq “value”)
Stringsurname(user.surname -eq “value”)
StringtelephoneNumber(user.telephoneNumber -eq “value”)
StringusageLocation(user.usageLocation -eq “US”)
StringuserPrincipalName(user.userPrincipalName -eq “alias@domain”)
StringuserType(user.userType -eq “Member”)
String collectionotherMails(user.otherMails -contains “alias@domain”)
String collectionproxyAddresses(user.proxyAddresses -contains “SMTP: alias@domain”)

Unfortunately it’s not possible to base your rules on any other attributes than the ones listed above, but they should cover the most common needs.

Dynamic Groups in Your Local Active Directory – and Office 365 – for Free!

As you’ve seen in the previous sections there are several nags associated with Office 365 dynamic groups:

  • They require the costly P1 or P2 Azure AD license
  • They can’t be used to manage resource access in your on-premises AD
  • The set of user attributes that can be filtered are limited

To help admins overcome these obstacles we have created the free tool, DynamicGroups. DynamicGroups is a windows service that allows you to create an unlimited number of dynamic groups in your on-premises AD. Using Azure AD Connect you can then synchronize these groups to Office 365, effectively giving you dynamic groups in Office 365.

No expiry! No limited functionality! No nags! DynamicGroups is sponsored by Easy365Manager – the easy way to manage Office 365…

With DynamicGroups you define your groups based on an LDAP filter, a target OU or a combination of both. Take a look at the extensive documentation for more information.