Creating Dynamic Groups in Microsoft Entra ID

I will demonstrate how to assign group membership automatically.

In this scenario, group membership is updated automatically based on users' job titles. This feature requires a Microsoft Entra ID P1 or P2 subscription.

First, we are going to create two test users in MS Entra ID.

The first user needs at least the following attributes:

Job title (Properties tab): Cloud Administrator
Department (Properties tab): IT
Usage location (Properties tab): Canada

The 2nd user we will create will have the following attributes:

Job title: System Administrator
Department: IT
Usage location: Canada

For this demo I have a P2 trial license. Under Microsoft Entra ID | Licenses | All Products, select your P2 license. We want to assign our users a P2 license, as this is required for dynamic group membership.

Click Assign.

Add the user.

Select the two users we just created.

Now let's create some dynamic groups. Navigate to Microsoft Entra ID | Groups.

Click on New Group

We will call this group IT Cloud Administrators

We want to create a dynamic expression, but we cannot create one until we choose a Membership type in the dropdown.

In the drop down list select Dynamic user

Once you select Dynamic user the “Members” option changes to “Dynamic user members”

Click on “Add dynamic query” and then “+ Add expression”.

We will base our query on the attribute “jobtitle” and the value we set for the user, “Cloud Administrator”.

Save the expression, then create the group.

We will create a 2nd group called “IT System Administrators”.

We will use “jobtitle” again, but this time the value will be “System Administrators”.

Now if we look at the group membership for IT System Administrators, we can see that our user svitest02 became a member of the IT System Administrators group automatically.

The reason is that the user's Job Title was defined as “System Administrator”, which is what our dynamic query is based on.

Remember that this only happens because we assigned a license to our users. To show this, I have created a third user, svitest03, with a job title of Cloud Administrator.

However, if we look at the group, the user is not a member.

I now assign svitest03 a license.

If we look at the IT Cloud Administrators group, we now see that svitest03 is a member of that group.
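
The same two groups can be created and checked from PowerShell instead of the portal. This is an added example, not part of the original walkthrough; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account can consent to the listed scopes, and it uses the job title values given to the test users above.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Group name -> job title value, taken from the walkthrough's test users.
$groups = [ordered]@{
    'IT Cloud Administrators'  = 'Cloud Administrator'
    'IT System Administrators' = 'System Administrator'
}

$report = foreach ($name in $groups.Keys) {
    $title = $groups[$name]
    # Rule syntax for "jobTitle Equals <value>" in the portal's rule builder.
    $rule = "(user.jobTitle -eq `"$title`")"

    # Create the group only if it does not exist yet, so the script can be re-run.
    $group = Get-MgGroup -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $group) {
        $group = New-MgGroup -DisplayName $name `
            -MailEnabled:$false `
            -MailNickname ($name -replace '\s', '') `
            -SecurityEnabled `
            -GroupTypes 'DynamicMembership' `
            -MembershipRule $rule `
            -MembershipRuleProcessingState 'On'
    }

    # Rule evaluation is asynchronous: a new group can stay empty for a few minutes.
    $memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)

    # Every user whose job title matches, with license and membership status.
    $users = Get-MgUser -Filter "jobTitle eq '$title'" -All `
        -ConsistencyLevel eventual -CountVariable matched `
        -Property Id, UserPrincipalName, JobTitle, AssignedLicenses

    foreach ($u in $users) {
        [pscustomobject]@{
            Group    = $name
            User     = $u.UserPrincipalName
            JobTitle = $u.JobTitle
            Licensed = @($u.AssignedLicenses).Count -gt 0
            IsMember = $memberIds -contains $u.Id
        }
    }
}

$report | Format-Table -AutoSize
```

Because membership follows the attribute, anyone who can edit a user's jobTitle can effectively change who is in these groups, so review that write access before tying roles or resource access to a dynamic group.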
