Dynamic management of Microsoft 365 group members

This article shows an approach for maintaining Microsoft 365 group members automatically. Until recently, it was only possible to assign group members directly. This is very intuitive, but rather impractical for certain use cases. What about the case where you already maintain existing security groups and want to use them as the basis for the members of a Microsoft 365 group or a Team? Until now you still had to maintain the group members manually, because groups cannot be entered directly as members.

Therefore, in this article I would like to show you how you can maintain the group membership based on an existing security group quite easily, without entering the members individually by hand.

As a starting point, we use the security group sg-Sales and Marketing.

Security group in Azure AD

The security group has 8 direct members that should be automatically used as members of a Microsoft 365 group.

Members of the security group

Now we create a new Microsoft 365 group. The procedure described here only works via Azure AD, not via the Microsoft 365 Admin Center.

Create new group in Azure AD

So, we select Microsoft 365 as the group type and Dynamic User as the membership type.

Create new Microsoft 365 group

The last step is to add the dynamic query. At the moment only direct entry of the query text works, not the rule builder.

Create dynamic query

The group membership query then looks like this. Because we use the -in comparison operator, it is also possible to check for membership in several groups: simply add another group ID to the list. The group ID can be read from the overview page of the group (see the first screenshot, where it is called object ID).

Rule syntax for group membership

For easier copying, here is the query once more:

user.memberof -any (group.objectId -in ['ceafbe27-9b86-4773-9334-55fd341f5803','<additional group ID>'])
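As an added example (not part of the original article), a small Python helper that builds a rule of exactly this shape from a list of source group object IDs and parses an existing rule back into its IDs for review. The first ID is the one from the article; the second is a constructed placeholder, not a real group.

```python
import re
import uuid

# Rule shape used in the article: every direct member of any listed group
# becomes a member of the dynamic Microsoft 365 group.
RULE_TEMPLATE = "user.memberof -any (group.objectId -in [{ids}])"
_RULE_RE = re.compile(
    r"^user\.memberof\s+-any\s+\(group\.objectId\s+-in\s+\[(?P<ids>[^\]]*)\]\)$",
    re.IGNORECASE,
)


def normalize_group_id(value: str) -> str:
    """Return the object ID in canonical lowercase GUID form; reject anything else."""
    try:
        return str(uuid.UUID(value.strip()))
    except ValueError as exc:
        raise ValueError(f"not a valid group object ID: {value!r}") from exc


def build_membership_rule(group_ids) -> str:
    """Build a well-formed rule for one or more source security groups.

    All IDs must sit inside the [...] list: an ID placed after the closing
    bracket is not part of the -in list and would not be evaluated.
    """
    ids = [normalize_group_id(g) for g in group_ids]
    if not ids:
        raise ValueError("at least one source group ID is required")
    return RULE_TEMPLATE.format(ids=",".join(f"'{i}'" for i in ids))


def rule_group_ids(rule: str) -> list:
    """Parse a rule of the article's shape back into its source group IDs.

    Raises ValueError for rules that do not match, e.g. a misplaced bracket.
    """
    m = _RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("rule does not match the memberof / objectId -in pattern")
    raw = [s.strip().strip("'\"") for s in m.group("ids").split(",") if s.strip()]
    return [normalize_group_id(r) for r in raw]


# Constructed sample: the article's group plus a placeholder second group.
SOURCE_GROUPS = [
    "ceafbe27-9b86-4773-9334-55fd341f5803",
    "00000000-0000-4000-8000-000000000001",  # placeholder, not a real group
]
```

Whoever can add members to the groups returned by rule_group_ids thereby controls membership of the Microsoft 365 group, so that list is the one to review when auditing such a rule.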

Now we can create the Microsoft 365 group. Immediately after creation, however, the group still has no members. This is normal, because Microsoft 365 must first process the dynamic query. You can see this on the overview page of the group, where the properties Dynamic rule processing status and Last membership change show a plausible value.

Group with no members

After the rule processing is complete, the members from the security group are now also listed in the Microsoft 365 group.

Group with members

To show that the group membership is now really controlled dynamically by the security group, we add another user (Lidia Holloway) to the security group.

Added new member to the security group

After a short time (during which rule processing is performed), the new user will also appear as a member of the Microsoft 365 group.

Member is added to the Microsoft 365 group

Of course, the Dynamic Membership Rule can be adjusted afterwards.

Show or edit the dynamic membership rule

With the approach shown here, Microsoft 365 group members can also be managed based on existing security groups.

There are of course a few things to consider, for example that nested security groups do not work, and that the familiar manual management (add/remove) of users no longer works for the dynamic group.

Otherwise, I find the approach very exciting if you don’t start from scratch, but can continue to use existing groups.
