Office 365 Dynamic Groups

Dynamic groups are groups that have their group membership updated dynamically based on defined rules. If used properly, dynamic groups can save you a lot of time and improve the security of your network.

Office 365 dynamic groups require you to have an Azure AD Premium P1 or P2 subscription.

Active Directory (on-premises) only supports dynamic distribution groups. Distribution groups are used for mail delivery; they can't be used to assign file access or Group Policy.

If you want Office 365 dynamic groups without a P1 or P2 subscription, groups that can also be used on-premises, see the end of this post.

Create an Office 365 Dynamic Group Using the Portal

Office 365 includes support for dynamic groups. Unlike AD dynamic distribution groups, Office 365 dynamic groups can actually be used to grant access to resources, but only to Office 365 resources such as Teams and SharePoint. Since the groups are not synchronized to your local AD domain, they can't be used for on-premises AD resources like shared folders and Group Policy.

To create a dynamic group in Office 365 using the GUI, go to Groups and click "New Group". When you define the new group, make sure to set the membership type to "Dynamic User".

Create an Office 365 Dynamic Group Using PowerShell

To create a dynamic group in Office 365 using PowerShell, use the New-AzureADMSGroup command:

New-AzureADMSGroup -DisplayName "Marketing Department" `
    -Description "Marketing department group" `
    -MailEnabled $True -SecurityEnabled $True `
    -MailNickname MarketingDepartment `
    -GroupTypes "DynamicMembership", "Unified" `
    -MembershipRule "(User.department -eq ""Marketing"")" `
    -MembershipRuleProcessingState "On"

This command will generate output similar to this:

Id                            : 14753031-d04c-4712-be0b-48796f0581cb
Description                   : Marketing department group
OnPremisesSyncEnabled         :
DisplayName                   : Marketing Department
OnPremisesLastSyncDateTime    :
Mail                          :
MailEnabled                   : True
MailNickname                  : MarketingDepartment
OnPremisesSecurityIdentifier  :
ProxyAddresses                : {}
SecurityEnabled               : True
GroupTypes                    : {}
MembershipRule                : (user.department -eq "Marketing")
MembershipRuleProcessingState : Paused
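Note that the output above reports MembershipRuleProcessingState as Paused even though the command asked for "On". The following added example (not code from the original post) creates the same group, re-reads it and turns rule processing on if needed, then lists who actually matched the rule. It assumes the AzureAD module is installed and Connect-AzureAD has already been run.

```powershell
# Added example, not code from the original post. Assumes the AzureAD module
# is installed and Connect-AzureAD has already been run; the group and rule
# are the ones created above.
$group = New-AzureADMSGroup -DisplayName "Marketing Department" `
    -Description "Marketing department group" `
    -MailEnabled $true -SecurityEnabled $true `
    -MailNickname "MarketingDepartment" `
    -GroupTypes "DynamicMembership", "Unified" `
    -MembershipRule '(user.department -eq "Marketing")' `
    -MembershipRuleProcessingState "On"

# Re-read the group instead of trusting the object returned by the create
# call: the post's own output shows MembershipRuleProcessingState as Paused.
# A paused rule is never evaluated, so the group stays empty and whatever
# access is granted through it silently never applies to anyone.
$group = Get-AzureADMSGroup -Id $group.Id
if ($group.MembershipRuleProcessingState -ne "On") {
    Set-AzureADMSGroup -Id $group.Id -MembershipRuleProcessingState "On"
    $group = Get-AzureADMSGroup -Id $group.Id
}
"{0}: rule {1} is {2}" -f $group.DisplayName, $group.MembershipRule, $group.MembershipRuleProcessingState

# Membership is computed asynchronously; once it has been processed, review
# who actually matched the rule before attaching any permissions to the group.
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object DisplayName, UserPrincipalName, Department, AccountEnabled
```

Run the last command again after a few minutes if the member list is still empty; the rule has not been evaluated yet.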

Office 365 Dynamic Group Rules

The rules that define group membership are built from a limited set of user attributes. The following table shows you what attributes can be used in Office 365 dynamic group rules:

Type               Property                      Example
Bool               accountEnabled                user.accountEnabled -eq true
Bool               dirSyncEnabled                user.dirSyncEnabled -eq true
String             city                          (user.city -eq "value")
String             country                       (user.country -eq "value")
String             companyName                   (user.companyName -eq "value")
String             department                    (user.department -eq "value")
String             displayName                   (user.displayName -eq "value")
String             employeeId                    (user.employeeId -eq "value")
String             facsimileTelephoneNumber      (user.facsimileTelephoneNumber -eq "value")
String             givenName                     (user.givenName -eq "value")
String             jobTitle                      (user.jobTitle -eq "value")
String             mail                          (user.mail -eq "value")
String             mailNickName                  (user.mailNickName -eq "value")
String             mobile                        (user.mobile -eq "value")
String             objectId                      (user.objectId -eq "value")
String             onPremisesSecurityIdentifier  (user.onPremisesSecurityIdentifier -eq "value")
String             passwordPolicies              (user.passwordPolicies -eq "DisableStrongPassword")
String             physicalDeliveryOfficeName    (user.physicalDeliveryOfficeName -eq "value")
String             postalCode                    (user.postalCode -eq "value")
String             preferredLanguage             (user.preferredLanguage -eq "en-US")
String             sipProxyAddress               (user.sipProxyAddress -eq "value")
String             state                         (user.state -eq "value")
String             streetAddress                 (user.streetAddress -eq "value")
String             surname                       (user.surname -eq "value")
String             telephoneNumber               (user.telephoneNumber -eq "value")
String             usageLocation                 (user.usageLocation -eq "US")
String             userPrincipalName             (user.userPrincipalName -eq "alias@domain")
String             userType                      (user.userType -eq "Member")
String collection  otherMails                    (user.otherMails -contains "alias@domain")
String collection  proxyAddresses                (user.proxyAddresses -contains "SMTP: alias@domain")

Unfortunately, it is not possible to base your rules on any attributes other than the ones listed above, but they should cover the most common needs.
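Because a dynamic rule grants access to whoever happens to match it, which attributes the rule keys on matters as much as the rule itself. The following added example (not code from the original post or from the DynamicGroups tool) enumerates every dynamic group in the tenant and flags rules that rely on attributes users or the helpdesk can typically change, rules that do not exclude disabled accounts or guests, and rules whose processing is not "On". It assumes the AzureAD module and an existing Connect-AzureAD session; the list of weak attributes is an assumption to adjust for your tenant.

```powershell
# Added example, not part of the original post or the DynamicGroups tool.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
# $weakAttributes is an assumption: attributes that, in many tenants, a user
# or first-line helpdesk can change without any access review taking place.
$weakAttributes = @("mobile", "telephoneNumber", "otherMails", "displayName",
                    "city", "state", "postalCode", "streetAddress", "preferredLanguage")

function Get-DynamicGroupRuleFindings {
    param([Parameter(Mandatory)][array]$Groups)
    foreach ($g in $Groups) {
        if ($g.GroupTypes -notcontains "DynamicMembership") { continue }
        $rule = $g.MembershipRule
        # Pull every user.<attribute> reference out of the rule text.
        $attrs = [regex]::Matches($rule, 'user\.(\w+)', 'IgnoreCase') |
                 ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
        $findings = @()
        foreach ($a in $attrs) {
            if ($weakAttributes -contains $a) {
                $findings += "keys on user-editable attribute '$a'"
            }
        }
        if ($attrs -notcontains "accountEnabled") {
            $findings += "does not exclude disabled accounts"
        }
        if ($g.SecurityEnabled -and $attrs -notcontains "userType") {
            $findings += "does not restrict userType (guests may match)"
        }
        if ($g.MembershipRuleProcessingState -ne "On") {
            $findings += "rule processing is $($g.MembershipRuleProcessingState)"
        }
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Rule        = $rule
            Findings    = $findings -join "; "
        }
    }
}

# Pull every group once, then report only the dynamic groups with findings.
$all = Get-AzureADMSGroup -All $true
Get-DynamicGroupRuleFindings -Groups $all |
    Where-Object { $_.Findings } |
    Format-Table -AutoSize -Wrap
```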

An Alternative to Office 365 Dynamic Groups

As you have seen in the previous sections, there are several drawbacks to Office 365 dynamic groups:

  • They require the costly P1 or P2 Azure AD license
  • They can't be used to manage resource access in your on-premises AD
  • The set of user attributes that can be filtered on is limited

To help admins overcome these obstacles we have created the free tool DynamicGroups. DynamicGroups is a Windows service that allows you to create an unlimited number of dynamic groups in your on-premises AD. Using Azure AD Connect you can then synchronize these groups to Office 365, effectively giving you dynamic groups in Office 365.

With DynamicGroups you define your groups based on an LDAP filter, a target OU or a combination of both. Take a look at the extensive documentation for more information.
