Convert a static Azure AD Group to Dynamic

This took some digging, and at first I didn’t think it was possible, but then I came across this Microsoft article, which details everything you need to know about dynamic group membership. Towards the bottom they give an example PowerShell script.

Where this becomes useful is if you’ve never used dynamic groups before and have created assigned (static) groups: you need a way to change them. It’s not obvious, because the option is not in the portal GUI. For this you have to use PowerShell, and you need a newer version of the Azure AD PowerShell module.

Step 1: Install Azure AD Preview

Use the following instructions to achieve this: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

Don’t forget to run PowerShell as Administrator when installing the module, and close and reopen it before the commands become available. At least this was my experience.

Step 2: The Script

I am going to pull this verbatim from the Microsoft KB, but I will try to explain it.

There are two parts to this script: the functions, which give us the commands to convert a static group to dynamic and a dynamic group to static, and the calls that invoke them. There are some caveats you should understand.

  1. When converting a static group to a dynamic one, all existing members are removed. This is because the membership is no longer assigned but is determined by the rule query.
  2. Test this with a test group first.
  3. Not in this section, but in the next one, you will have to use the Object ID of the group you want to manipulate. There are a few ways of gathering this:

In the portal, if you navigate to the group you will find its Object ID in the Overview,

or you can use PowerShell.
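Given caveat 1 above, a pre-flight check is worth running before the conversion. The following is an added example, not from the Microsoft article or from this post’s own run: it looks the group up by display name to get the Object ID from PowerShell, saves the current assigned members to a CSV so they can be re-added if the rule turns out to be wrong, and lists who the rule user.extensionAttribute1 -eq "specialadmins" would match, so any difference is visible before members are removed. It assumes an existing Connect-AzureAD session with the AzureADPreview module loaded; the group display name is a placeholder.

```powershell
# Added example, not part of the Microsoft script. Assumes Connect-AzureAD has been run
# with the AzureADPreview module loaded. $groupName is a placeholder for your group.
$groupName      = "REPLACE-WITH-GROUP-DISPLAY-NAME"
$attributeValue = "specialadmins"   # the value the dynamic rule tests extensionAttribute1 for

# Get the Object ID from PowerShell instead of the portal; the name must match exactly one group
$group = @(Get-AzureADMSGroup -Filter "displayName eq '$groupName'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$groupName', found $($group.Count)." }
$groupId = $group[0].Id
Write-Host "Object ID: $groupId"

# Snapshot the assigned members first: converting to dynamic removes them (caveat 1),
# and this CSV is what you would re-add from if the rule does not match who you expected.
$before = @(Get-AzureADGroupMember -ObjectId $groupId -All $true |
    Select-Object ObjectId, UserPrincipalName)
$before | Export-Csv -Path ".\$groupId-members-before.csv" -NoTypeInformation

# Work out who the rule  user.extensionAttribute1 -eq "specialadmins"  should match.
# The AzureAD -Filter cannot query extension attributes, so filter client-side.
$expected = @(Get-AzureADUser -All $true |
    Where-Object { $_.ExtensionProperty["extensionAttribute1"] -eq $attributeValue } |
    Select-Object ObjectId, UserPrincipalName)

# Anyone only in $before would lose access; anyone only in $expected would gain it.
$beforeIds   = @($before   | ForEach-Object { $_.ObjectId })
$expectedIds = @($expected | ForEach-Object { $_.ObjectId })
$wouldLose   = @($before   | Where-Object { $_.ObjectId -notin $expectedIds })
$wouldGain   = @($expected | Where-Object { $_.ObjectId -notin $beforeIds })

if ($wouldLose.Count -eq 0 -and $wouldGain.Count -eq 0) {
    Write-Host "Rule reproduces the current $($before.Count) members; conversion is membership-neutral."
} else {
    Write-Warning "Rule and current membership differ; review before converting."
    $wouldLose | ForEach-Object { Write-Warning "Would be removed: $($_.UserPrincipalName)" }
    $wouldGain | ForEach-Object { Write-Warning "Would be added:   $($_.UserPrincipalName)" }
}
```

Run it against the test group from caveat 2 first; the CSV is also the record of who held the group before the change.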

Once you have that, you can use the following script.

The first part of the script defines the two functions, to convert static to dynamic and dynamic to static. I will run them below and show you the results.

######################################################################################################################################

#The moniker for dynamic groups as used in the GroupTypes property of a group object
$dynamicGroupTypeString = "DynamicMembership"

function ConvertDynamicGroupToStatic
{
    Param([string]$groupId)

    #existing group types
    [System.Collections.ArrayList]$groupTypes = (Get-AzureAdMsGroup -Id $groupId).GroupTypes

    if($null -eq $groupTypes -or !$groupTypes.Contains($dynamicGroupTypeString))
    {
        throw "This group is already a static group. Aborting conversion.";
    }

    #remove the type for dynamic groups, but keep the other type values
    $groupTypes.Remove($dynamicGroupTypeString)

    #modify the group properties to make it a static group: i) change GroupTypes to remove the dynamic type, ii) pause execution of the current rule
    Set-AzureAdMsGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "Paused"
}

function ConvertStaticGroupToDynamic
{
    Param([string]$groupId, [string]$dynamicMembershipRule)

    #existing group types
    [System.Collections.ArrayList]$groupTypes = (Get-AzureAdMsGroup -Id $groupId).GroupTypes

    if($null -ne $groupTypes -and $groupTypes.Contains($dynamicGroupTypeString))
    {
        throw "This group is already a dynamic group. Aborting conversion.";
    }

    #a static group may have no GroupTypes at all; start from an empty list so Add() does not fail on $null
    if($null -eq $groupTypes) { $groupTypes = New-Object System.Collections.ArrayList }

    #add the dynamic group type to existing types ($null = discards the index Add() returns)
    $null = $groupTypes.Add($dynamicGroupTypeString)

    #modify the group properties to make it a dynamic group: i) change GroupTypes to add the dynamic type, ii) start execution of the rule, iii) set the rule
    Set-AzureAdMsGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "On" -MembershipRule $dynamicMembershipRule
}

#example calls: run the one you need. Inside a double-quoted PowerShell string, "" yields a literal " in the rule
ConvertStaticGroupToDynamic "eb043c14-6e80-43e5-bb7d-a01a048ec981" "user.extensionAttribute1 -eq ""specialadmins"""

ConvertDynamicGroupToStatic "eb043c14-6e80-43e5-bb7d-a01a048ec981"

################################################################################################################################

Currently, you can see that my group is set to Dynamic with 13 members. What I’ve done is set extensionAttribute1 to “specialadmins” on all of my Special Admins so I can add them to a group dynamically.

I want to run the script to convert this back to the Assigned membership type.

I will run the first part of the script that defines the functions, and then call the function and pass it the Object ID:

ConvertDynamicGroupToStatic "eb043c14-6e80-43e5-bb7d-a01a048ec981"

The result is that my group changes to the Assigned membership type but keeps its existing members.

Now I will run the reverse. For the reverse we need the Object ID as well as a valid rule. My particular rule will match any user whose extensionAttribute1 has the value “SpecialAdmins”:

ConvertStaticGroupToDynamic "eb043c14-6e80-43e5-bb7d-a01a048ec981" "user.extensionAttribute1 -eq ""specialadmins"""

You will notice that my group membership type is set to Dynamic again and it has added back my 13 members.

I am hoping this helps save you some time until they make the switch easier.
