Microsoft Previews Dynamic Group Rules for Azure Active Directory
Microsoft announced a preview this week of a new Azure Active Directory feature that lets IT pros write simple and complex rules for the groups they manage.
The new feature, called "Attribute Based Dynamic Group Membership," will be available as part of Azure Active Directory Premium subscriptions, but it's been released this week for testing. The new feature is conceived as a time saver for IT pros. They can specify access to resources by end users by writing rules for groups. Resource access, such as to software, will get automatically assigned, based on those rules. The idea is that IT pros will be freed from having to do a lot of the manual configuration tasks that they do today using Azure Active Directory.
For instance, a Microsoft MSDN library article describes creating a simple rule to assign all sales reps to use a certain SaaS application. That's done through a pull-down menu in the Azure Management Portal. Microsoft's example of a simple rule looks like this: "Add users where is set to the jobTitle that EqualsSales Rep."
IT pros can also use the Azure Management Portal to create advanced rules for groups, which can include logical operators. Microsoft's example of an advanced rule looks like this: "All users where Department equals Sales or Marketing and Job title contains Manager." The syntax for such complex rules is described in Microsoft's library article.
Resources get automatically assigned using the Dynamic Group approach, including the software licensing. Microsoft's announcement explains that "a typical scenario would then give this group access to some SharePoint sites, or automatically assign them Office 365 licenses."
Rules get reevaluated when changes are made to individual user attributes, according to Microsoft's explanation. For instance, the action would change if a user were removed from a group.
The new Attribute Based Dynamic Group Membership feature needs to be turned on first in order to work. That's done via a button in the Azure AD Admin Portal. It also has to be turned on in the directory configuration page, according to Microsoft.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.