A few weeks ago I posted a blog about Dynamic Groups in Azure AD and how they can make your life easier in Office 365 etc. I currently have a few practical cases where this has saved me a bunch of time. When working with Conditional Access in Azure AD, you might consider special groups of users, and it can be a pain sometimes to search out these users and add them to a group. With Dynamic Groups and attributes you can simply let Azure AD add these users to your groups.
I have two cases that I am using and there are others that I will share as I continue on this journey.
I want to build special conditional access rules around Special Admins (defined as any account that has administrative permissions in Azure AD) and Service Accounts. It doesn’t matter at this point what I want to do with these groups, but I want to populate an Azure AD group with these types of users…and it’s easier for me to
- Use my Active Directory as the authority
- Automate the process so it’s no longer manual.
Start with your On-premise Active Directory
Since I have an Exchange Server, I am going to use some attributes Exchange has added for me that sync over automagically. If you don’t have an Exchange Server, you will likely be creating some attributes and creating a sync rule for them.
In my case I’ll be using ExtensionAttribute1 through 14, but today I only need to use 1. I’ve created an Active Directory group called AzureAD Special Admins and used the Attribute Editor to add “SpecialAdmins” as the value of ExtensionAttribute1
Sync your settings
On your Azure AD Connect server run the following powershell cmdlet
Start-ADSyncSyncCycle -PolicyType Delta
simply wait for Azure AD Connect to run its next sync cycle. This will sync over the changes
Create the Dynamic Azure Active Directory Group
Create the group and set it to Dynamic Group membership. The rule I created looks like this
Right now, I only have 1 user to that group
But as I ensure that attribute is added to other users, I start to see this group populate
This will save so much time, and it has some really practical applications…I’ll share more as I start to explore them.