Automating On-boarding and Dynamic Membership

Think about the process of on-boarding a user: making sure they’re in the correct distribution lists, that they have access to the necessary applications, even resources as tedious as colour printing. How many times has something been missed? Normally it’s a case of the requester missing out key details but IT isn’t perfect either: we too make mistakes. What if you could automate that process and prevent the errors. Hidden among the features of Azure AD Premium, Dynamic Groups is one of the coolest products in my opinion.

Azure Dynamic Groups (and in-turn, Exchange Online Dynamic Distribution Lists) is a way to automatically add users to a group, based on details stored in Azure Active Directory. This might be data such as their department; enabling automatic access to resources or their office location; giving access to a printer.

Dynamic Groups are available to users subscribed to AzureAD Premium which now includes all of those Microsoft 365 Business Premium users too which is great.

Beyond the licensing requirement, the cornerstone of dynamic groups is the information within AzureAD – this data must be up to date. There’s no use trying to capture all of the staff in the marketing department if half of the users don’t have a department listed.  

Rule Creation

Dynamic Groups are created through the Azure portal, defined as either user or device groups. Microsoft have included a basic editor to hand-hold some of the creation however more complex rules often need to be written manually.

To assist with this, Microsoft have provided a way to validate your creations against a selection of users. This is a great step forward, providing you feedback via the View Details link to see where something succeeds or fails.

Below are also two handy references I use for both the commands available alongside the up to date service plan ID’s.

Despite Microsoft 365 Business Premium officially including Azure Active Directory Premium Plan 1, the service description page does agree with this notion, instead using AAD_SMB with the ID de377cbc-0019-4ec2-b77c-3f223947e102. This has caused some confusion however you can still use the AAD_PREMIUM ID to capture your Microsoft 365 Business Premium users.

I feel lied to

Use Cases

Personally I use dynamic groups wherever possible – from Intune policies to access control within SharePoint. In this example, I’ve created a group that includes users licensed for Office Apps for Enterprise and Intune Plan A. We can then use this group as the scope for a policy within Intune to automatically deploy the applications to the users.

user.assignedPlans -any (assignedPlan.servicePlanId -in ["c1ec4a95-1f05-45b3-a911-aa3fa01094f5","43de0ff5-c92c-492b-9116-175376d08c38"] -and assignedPlan.capabilityStatus -eq "Enabled")

Your options are endless when it comes to Dynamic Groups and where to apply them. I love them for simplifying access to data – whether that be in SharePoint or even 3rd party applications that leverage AzureAD for single sign-on.

NameRuleUse Case
Sales Data AccessDepartment equals ‘Sales’Assign edit rights to Sales SharePoint site
MS Project LicensingTitle equals ‘Project Manager’Assign & install Microsoft Project automatically
Salesforce AccessDepartment equals ‘Marketing’Enable access to Salesforce via single sign-on
Just a few of the options

Exchange Dynamic Distribution Lists

Earlier I did mention distribution lists and the ability to make them automatically. Azure Dynamic Groups can’t be mail enabled however Exchange Online has its own Dynamic Distribution List functionality available, again leveraging AzureAD’s user details.

Dynamic Distribution Lists can be created through the Exchange Online Admin Center however the functionality is somewhat limited. For more advanced rules, you’ll need to break out PowerShell.

For example, this rule will include all of the user mailboxes with an office location defined as Melbourne. Again, this simplifies the on boarding process by ensuring users are added to the resources they need to be.

New-DynamicDistributionGroup -Name "DDG Melbourne Office" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (office -eq 'Melbourne'))}

Keep in mind that these are email addresses that you might not want accessible outside the organisation so you’ll need to limit the sending scope.

For a full list of available properties, see the Docs article here.

Final Thoughts

Dynamic Groups and Dynamic Distribution Lists are two tools that just make things simpler. I don’t need to think about when we onboard that next user if they’re assigned to the apps for their role or if they’re in the correct distribution list for the office Christmas party emails. Using dynamic membership does require some planning and preparation but in the end, I see it as absolutely key to simplifying management within Microsoft 365.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: