Microsoft Previews Dynamic Group Rules for Azure Active Directory

Microsoft announced a preview this week of a new Azure Active Directory feature that lets IT pros write simple and complex rules for the groups they manage.

The new feature, called "Attribute Based Dynamic Group Membership," will be available as part of Azure Active Directory Premium subscriptions, but it's been released this week for testing. It is conceived as a time saver for IT pros, who can specify end users' access to resources by writing rules for groups. Resource access, such as access to software, gets assigned automatically based on those rules. The idea is that IT pros will be freed from many of the manual configuration tasks that they perform today in Azure Active Directory.

For instance, a Microsoft MSDN library article describes creating a simple rule to assign all sales reps to use a certain SaaS application. That's done through a pull-down menu in the Azure Management Portal. Microsoft's example of a simple rule looks like this: "Add users where is set to the jobTitle that Equals Sales Rep."

IT pros can also use the Azure Management Portal to create advanced rules for groups, which can include logical operators. Microsoft's example of an advanced rule looks like this: "All users where Department equals Sales or Marketing and Job title contains Manager." The syntax for such complex rules is described in Microsoft's library article.
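The advanced rule quoted above can be grouped two ways, and the two readings admit different users. The following is an added example, not Microsoft's code or rule syntax: the tuple rule format, the evaluator and the sample users are all constructed here to show how to compare the membership each reading would produce before a rule starts assigning access.

```python
# Added illustration: a tiny evaluator for attribute-based membership rules.
# The tuple rule format and the sample users are constructed for this example;
# this is not Azure AD's rule syntax or engine.

def matches(rule, user):
    """Return True if the user's attributes satisfy the rule tree."""
    op = rule[0]
    if op == "and":
        return all(matches(r, user) for r in rule[1:])
    if op == "or":
        return any(matches(r, user) for r in rule[1:])
    _, attr, value = rule
    actual = user.get(attr) or ""   # a missing attribute never matches
    if op == "equals":
        return actual == value
    if op == "contains":
        return value in actual
    raise ValueError(f"unknown operator: {op}")

def members(rule, users):
    """Names of all users the rule would place in the group."""
    return {u["name"] for u in users if matches(rule, u)}

SALES = ("equals", "department", "Sales")
MARKETING = ("equals", "department", "Marketing")
MANAGER = ("contains", "jobTitle", "Manager")

# Reading A: (Sales or Marketing) and Manager
RULE_A = ("and", ("or", SALES, MARKETING), MANAGER)
# Reading B: Sales or (Marketing and Manager)
RULE_B = ("or", SALES, ("and", MARKETING, MANAGER))

USERS = [  # constructed sample directory
    {"name": "ana", "department": "Sales", "jobTitle": "Sales Rep"},
    {"name": "bo", "department": "Sales", "jobTitle": "Sales Manager"},
    {"name": "cy", "department": "Marketing", "jobTitle": "Manager"},
    {"name": "di", "department": "Marketing", "jobTitle": "Designer"},
    {"name": "ed", "department": "Finance", "jobTitle": "Finance Manager"},
    {"name": "fay", "department": "Sales"},  # jobTitle not set
]

def extra_members(narrow, broad, users):
    """Users admitted by the broad reading but not the narrow one."""
    return members(broad, users) - members(narrow, users)

if __name__ == "__main__":
    print("A:", sorted(members(RULE_A, USERS)))
    print("B:", sorted(members(RULE_B, USERS)))
    print("only in B:", sorted(extra_members(RULE_A, RULE_B, USERS)))
```

Running a candidate rule over an export of real user attributes in this way shows who would gain access under each grouping, including accounts with unset attributes.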

With the Dynamic Group approach, resources get assigned automatically, including software licensing. Microsoft's announcement explains that "a typical scenario would then give this group access to some SharePoint sites, or automatically assign them Office 365 licenses."

Rules get reevaluated when changes are made to individual user attributes, according to Microsoft's explanation. For instance, the action would change if a user were removed from a group.

The new Attribute Based Dynamic Group Membership feature needs to be turned on first in order to work. That's done via a button in the Azure AD Admin Portal. It also has to be turned on in the directory configuration page, according to Microsoft.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

