Microsoft Previews Dynamic Group Rules for Azure Active Directory

Microsoft announced a preview this week of a new Azure Active Directory feature that lets IT pros write simple and complex rules for the groups they manage.

The new feature, called "Attribute Based Dynamic Group Membership," will be available as part of Azure Active Directory Premium subscriptions, but it's been released this week for testing. The new feature is conceived as a time saver for IT pros. They can specify access to resources by end users by writing rules for groups. Resource access, such as to software, will get automatically assigned, based on those rules. The idea is that IT pros will be freed from having to do a lot of the manual configuration tasks that they do today using Azure Active Directory.

For instance, a Microsoft MSDN library article describes creating a simple rule to assign all sales reps to use a certain SaaS application. That's done through a pull-down menu in the Azure Management Portal. Microsoft's example of a simple rule looks like this: "Add users where is set to the jobTitle that EqualsSales Rep."

IT pros can also use the Azure Management Portal to create advanced rules for groups, which can include logical operators. Microsoft's example of an advanced rule looks like this: "All users where Department equals Sales or Marketing and Job title contains Manager." The syntax for such complex rules is described in Microsoft's library article.

Resources get automatically assigned using the Dynamic Group approach, including the software licensing. Microsoft's announcement explains that "a typical scenario would then give this group access to some SharePoint sites, or automatically assign them Office 365 licenses."

Rules get reevaluated when changes are made to individual user attributes, according to Microsoft's explanation. For instance, the action would change if a user were removed from a group.

The new Attribute Based Dynamic Group Membership feature needs to be turned on first in order to work. That's done via a button in the Azure AD Admin Portal. It also has to be turned on in the directory configuration page, according to Microsoft.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • How To Ransomware-Proof Your Backups: 4 Key Best Practices

    Backups are the only guaranteed way to save your data after a ransomware attack. Here's how to make sure your backup strategy has ransomware mitigation built right in.

  • Microsoft Buys Mover To Aid Microsoft 365 Shifts

    Microsoft announced on Monday that it bought Mover to help organizations migrate data and shift to using Microsoft 365 services.

  • Microsoft Explains Windows 7 Extended Security Updates Setup Process

    Microsoft this week described installation instructions for volume licensing users of Windows 7 Service Pack 1 to get Extended Security Updates (ESU) activated on PCs.

  • Microsoft Azure Active Directory Outage Blocks Access for 2.5 Hours

    Issues affecting the Azure Active Directory service blocked customers from accessing applications early on the morning of Oct. 18 for about 2.5 hours.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.