This article shows you an approach how Microsoft 365 group members can also be maintained. Until recently, it was only possible to assign group members directly. This is very intuitive, but rather impractical for certain use cases. What about the case when one has already maintained existing security groups and wants to use them as a basis for Microsoft 365 groups or Teams members? Then you still had to maintain the group members manually, because no groups can be entered directly as members.
Therefore, in this article I would like to show you how you can still maintain the group membership based on an existing security group quite easily without manually entering the members individually.
As a starting point, we use the security group
sg-Sales and Marketing.
The security group has 8 direct members that should be automatically used as members of a Microsoft 365 group.
Now we create a new Microsoft 365 group. The described procedure only works via Azure AD, not via the Microsoft 365 Admin Center.
So, we select
Microsoft 365 as the group type and
Dynamic User as the membership type.
The last step is to add the dynamic query. At the moment only the direct input of the query works, not via the builder.
The group membership query then looks like this. After we use the
-in comparison operator, it is also possible to check for multiple group memberships. To do this, simply add another group ID. The group ID can be read from the overview of the group (see first screenshot, there called object ID).
For easier copying, the query is also listed here once again:
user.memberof -any (group.objectId -in ['ceafbe27-9b86-4773-9334-55fd341f5803'],'<weitere Gruppen ID>')
Now we can have the Microsoft 365 group created. However, immediately after the creation, there are still no members in the group. This is normal, because the dynamic query must first be processed by Microsoft 365. This can be seen from the fact that on the overview page of the group, the properties
Dynamic rule processing status and
Last membership change have a plausible value entered.
After the rule processing is complete, the members from the security group are now also listed in the Microsoft 365 group.
So you can see that the group memberships are now really dynamically controlled by the security group, we add another user (
Lidia Holloway) to the security group.
After a short time (during which rule processing is performed), the new user will also appear as a member of the Microsoft 365 group.
Of course, the
Dynamic Membership Rule can be adjusted afterwards.
So with this approach shown, Microsoft 365 group members can also be managed based on existing security groups.
There are of course a few things to consider here, such as that nested security groups do not work or that this means that the familiar management (add/remove) of users no longer works.
Otherwise, I find the approach very exciting if you don’t start from scratch, but can continue to use existing groups.