In this blog I will show how Azure AD dynamic groups work. In the Azure AD there two ways to manage the membership of groups:
- Assigned Membership
- Dynamic Membership
The difference between the two is the members of the Assigned group are added manually, by selecting the users and/or groups from the Azure AD. To use Assigned Groups you don’t need any additional Azure subscriptions, it’s included in the basic Pay-As-you-Use subscription. With Dynamic groups the members are added when they meet the rules which are configured, another difference with assigned groups is that Dynamic groups are devided in User and Device groups. Users and Devices can be member of a Assigned group.
|Assigned Groups||Dynamic Groups|
|Members||Users and Devices||Users or Devices|
|Manually Assigned||Assigned using rules|
|Member processing||Instant||about 2 to 30 minutes|
|Licensing||no additional license needed||Azure Premium P1 needed|
Dynamic user and device groups
Dynamic groups can be devided into two membership types:
- Dynamic User Membership
- Dynamic Device Membership
Rules need to be configured to populate a dynamic group. Each Rule contains a Property, Operator and a Value. If more than one rule has been configured also an And/or statement is required:
The Properties which can be used in to configure rules depend on the membertype. When user membership is selected only Azure useraccount related properties can be used (e.g. EmployeeId, Jobtitle, department, etc).
When device membership is selected only device related properties can be used (e.g. deviceOSType, deviceOSVersion, isRooted, etc).
Before dynamic groups are populated with members the rules need to be evaluated. The evalution status can be monitored in the Group Overview:
Just after creating the group the membership processing status and last updated field will be empty.
After some time the evaluation will start. The membership processing status will change to “Evaluating” and the Membership last updated to “In Progress”
When evaluation has finished, the membership processing status will change to “Update complete” and the Membership last update will show the update date and time.
When the evaluation has finished and no members have been added the membership last updated will show “Unknown”. This has been my own observation, according to Microsoft documentation: “Unknown: The last update time can’t be retrieved. The group might be new.”
This part of Dynamic groups is a bit of a grey area. I haven’t found any Official documentation from Microsoft about this topic. So these are my own observations and suggestions I found on forums on the Internet (see sources).
Manual trigger evaluation
At the moment it’s not possible to trigger a dynamic group update manually by pressing a button. There is a request open for more than a year, which is under review by the Azure team. Please vote if you read this.
Some suggested options to trigger the dynamic membership evaluation are:
- Editing the name of the dynamic group, adding a white space and saving the dynamic group. This should trigger the evaluation.
- Another option is by pausing and starting the MembershipRule processing by using the PowerShell. To do this the AzureADPreview module is needed.
Install-module AzureADPreview -AllowClobber Import-Module -Name AzureADPreview Set-AzureADMSGroup -Id <dynamic group id> -MembershipRuleProcessingState "paused" Set-AzureADMSGroup -Id <dynamic group id> -MembershipRuleProcessingState "on"
What I observed with a Dynamic user group is the following:
1. The dynamic user group contains 2 users and has last updated at 2:47.57 PM
2. It adds all usersaccounts which are enabled and are in the “Administration” department
3. It currently contains two users “ams user 2” and “ams user 4”
4. Now I update “ams user 1” to be in the “Administration” department and press “save” at 3:22 PM
5. Now I check the group again and it’s updated at 3:23:48 PM.