In this blog I will show how Azure AD dynamic groups work. In the Azure AD there two ways to manage the membership of groups:
- Assigned Membership
- Dynamic Membership
The difference between the two is the members of the Assigned group are added manually, by selecting the users and/or groups from the Azure AD. To use Assigned Groups you don’t need any additional Azure subscriptions, it’s included in the basic Pay-As-you-Use subscription. With Dynamic groups the members are added when they meet the rules which are configured, another difference with assigned groups is that Dynamic groups are devided in User and Device groups. Users and Devices can be member of a Assigned group.
Assigned Groups | Dynamic Groups | |
Members | Users and Devices | Users or Devices |
Manually Assigned | Assigned using rules | |
Member processing | Instant | about 2 to 30 minutes on average. up to 24 hours |
Licensing | no additional license needed | Azure Premium P1 needed for dynamic user groups |
Dynamic user and device groups
Dynamic groups can be devided into two membership types:
- Dynamic User Membership
- Dynamic Device Membership
Rules
Rules need to be configured to populate a dynamic group. Each Rule contains a Property, Operator and a Value. If more than one rule has been configured also an And/or statement is required:
Properties
The Properties which can be used in to configure rules depend on the membertype. When user membership is selected only Azure useraccount related properties can be used (e.g. EmployeeId, Jobtitle, department, etc).
When device membership is selected only device related properties can be used (e.g. deviceOSType, deviceOSVersion, isRooted, etc).
Membership Evaluation
Before dynamic groups are populated with members the rules need to be evaluated. The evalution status can be monitored in the Group Overview:
Just after creating the group the membership processing status and last updated field will be empty.
After some time the evaluation will start. The membership processing status will change to “Evaluating” and the Membership last updated to “In Progress”
When evaluation has finished, the membership processing status will change to “Update complete” and the Membership last update will show the update date and time.
When the evaluation has finished and no members have been added the membership last updated will show “Unknown”. This has been my own observation, according to Microsoft documentation: “Unknown: The last update time can’t be retrieved. The group might be new.”
Membership Re-evaluation
This part of Dynamic groups is a bit of a grey area. I haven’t found any Official documentation from Microsoft about this topic. So these are my own observations and suggestions I found on forums on the Internet (see sources).
Manual trigger evaluation
At the moment it’s not possible to trigger a dynamic group update manually by pressing a button. There is a request open for more than a year, which is under review by the Azure team. Please vote if you read this.
Some suggested options to trigger the dynamic membership evaluation are:
- Editing the name of the dynamic group, adding a white space and saving the dynamic group. This should trigger the evaluation.
- Another option is by pausing and starting the MembershipRule processing by using the PowerShell. To do this the AzureADPreview module is needed.
Install-module AzureADPreview -AllowClobber Import-Module -Name AzureADPreview Set-AzureADMSGroup -Id <dynamic group id> -MembershipRuleProcessingState "paused" Set-AzureADMSGroup -Id <dynamic group id> -MembershipRuleProcessingState "on"
Automatic evaluation
What I observed with a Dynamic user group is the following:
1. The dynamic user group contains 2 users and has last updated at 2:47.57 PM
2. It adds all usersaccounts which are enabled and are in the “Administration” department
3. It currently contains two users “ams user 2” and “ams user 4”
4. Now I update “ams user 1” to be in the “Administration” department and press “save” at 3:22 PM
5. Now I check the group again and it’s updated at 3:23:48 PM.
Sources:
https://docs.microsoft.com/nl-nl/azure/active-directory/users-groups-roles/groups-dynamic-membership
I have created new guest users in my domain. I have a dynamic rule that if a userType = Guest, add it to this group. This is not happening. No information is available and I have sadly open a ticket with the non-responsive mIcrosoft Office support. Do you have any reason why this simple, one-line rule would not be applied to what is clearly to me at least a Guest user? We have attempted this repeatedly with different created users and it’s the same result, the existing group will not update. Thanks.
Hi Jim,
Do you have enough Azure AD licenses? Azure AD Dynamic groups need an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups. Could you try the following syntax: (user.userType -match “guest”). I just tested it and it works.
Best regards
Yes, we have plenty of Azure AP Premium P1 licenses. The licensing is E3 with EMS for each user. We discovered that there are known issues with dynamic groups. I deleted the original group, then created another one with the same userType statement. It took 9 hours to sync. There is no way to change that. Microsoft has answered us with this:
“As we discussed before the only way to force Dynamic group membership by add white-space in the dynamic group rules https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-troubleshooting#troubleshooting-dynamic-memberships-for-groups. And i do agree with you this is a real problem need to be fixed as soon as possible as it is impacting many other Microsoft customers, please add your vote and your opinion this suggestion to be reviewed by Microsoft engineers https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33481477-ability-to-trigger-a-dynamic-group-update.
As we discussed on the phone i will try my best and use more resources to seek other solution that will be more convenience. As a reminder we will follow up with you Monday Oct-26 around 11:00 am EST.”
Note: that workaround above did not work for us. We are evaluating whether or not to drop dynamic groups altogether.
Hi Ted,
Thanks for the update. Too bad you are experiencing issues with Dynamic groups. My current experience over the last year is very positive. One advise I would like to give is to test with a small group first, because updating an existing Dynamic group takes a very long time. Also it’s faster to delete and create a new group than updating an existing group.
regards, Aad
Thanks.. I don’t find that to be an acceptable answer to the issue. No knock against you, but we’re talking a group with 14 users in it taking 9 hours to propagate, then Microsoft calling at random hours to tell me that they are “escalating” the issue and to “put a white space and then remove it”. Over the years, my experience with Microsoft support has been negative to say the least. Armies of “concierges” attempting to answer questions by saying “my reach-back engineer told me…..” I’m convinced that all Microsoft cloud products are basically open source software you pay for, and you get what you get, with little to no wrench-turning support options. This is a monopoly, so they have no motivation to fix the issue. Zero documentation, lame workarounds, and know-nothing support reps who never call when they are supposed to call. The only consistent thing I hear from that company is “I’m sorry for the inconvenience.”