Overview
Azure Active Directory now allows you to harness the power of dynamic groups based on rules to determine group membership using user or device properties. Dynamic membership is supported for security groups and Microsoft 365 Groups. When a group membership rule is applied, user and device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or device, all dynamic group rules in the organization are processed for membership changes. Users and devices are added or removed if they meet the conditions for a group. Security groups can be used for either devices or users, but Microsoft 365 Groups can be only user groups.
Why Use Dynamic Groups
Dynamic groups reduce the administrative overhead of IT staff or other owners having to manage permissions themselves; instead, they can set up rules which govern workspace permissions automatically.
Some popular use cases include:
- Department workspaces (rule: DEPARTMENT = IT, or, DEPARTMENT = Finance)
- Team workspaces (rule: MANAGER = person x)
- City or office workspaces (rule: OFFICE = Birmingham)
When someone joins the business or moves departments, the dynamic rules take care of the rest once their AD attributes have been updated, removing them from some permissions whilst adding them to others, depending on the rules. This is a great way to ensure automated governance and is one less thing for someone to do.
For more information, please see the two articles below from Microsoft:
- https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
- https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule
Leveraging Dynamic Groups for Atlas ConneX Workspace Permissions
When creating a standard M365 group-based workspace (knowledge or collaboration type), a dynamic group will be spun up in Azure Active Directory (AAD) accordingly and will house the permissions for the workspace. It is within this AAD M365 Group where the dynamic membership function needs to be switched on.
Starting in Azure Active Directory
An IT admin with permissions to Azure will be able to access AAD and find the group associated with the workspace which has been provisioned. This is the ConneX card for the workspace Global Gourmet Supplies:
This is the AAD Group of the same name. In order to 'switch on' dynamic rule capabilities, you will need to select Properties from the 'Manage' area:
Under Properties there is a field called Membership Type. Out of the box it will say 'Assigned', but you will need to change this to 'Dynamic User':
Once switched on, a new option will appear showing a link to Add dynamic query:
This is where you configure the dynamic rules which will guide the permissions. In the example below, users must have a department which equals IT Services in order to gain entry to the group.
You could select multiple rules here, utilising the AND/OR options.
At the bottom of the 'Manage' area, an option called Dynamic membership rules will enable the admin to reconfigure or validate rules against users. In the example below, the user Rene Cannon has been validated as eligible for the group, and will be automatically added:
Checking the membership, 10 users have now been added to this group via the dynamic membership rule:
What dynamic membership workspace permissions look like
In ConneX
If you created a dynamic group for your workspace permissions, when editing the workspace in ConneX, the members area will be 'greyed out', meaning that users cannot be added manually and all users here are driven from a dynamic group.
There is a note to say 'The membership of this workspace has been set to dynamic.'
This is fixed and provides no room for manual permissions management, so unfortunately you cannot add one other person into the workspace from here.
In Microsoft Teams
This behaviour will also be reflected in the Manage team area of the associated Microsoft Team if there is one for the workspace:
Members Only
As we are working with M365 group permissions, these do not have a visitor area. If you look at the AAD screenshots above, there is an owners and members area, but no visitors.
What we have built in Atlas is an additional visitors area of permissions onto the workspace, but this is a SharePoint Group in the back-end, meaning users will not have access to the M365 Group and will not be able to view any associated MS Team, but will gain access to the SharePoint site through the browser.
This means dynamic group rules only apply to members (who will have edit permissions), making it impossible to configure dynamic AD Group rules for visitors and owner permission levels.
This is an important consideration and you can read more here in our article for managing Atlas workspace permissions
As Visitors is a SharePoint Group in the back-end, you are able to keep groups here for ongoing permissions management, as they are not broken down into individual users.
If you want to remove the dynamic group configuration from the workspace, you will need to do that via AAD, and the workspace will update automatically, but please note that individuals may lose access whilst they are re-added.
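The portal steps in the 'Starting in Azure Active Directory' section (switching the workspace's M365 group to Dynamic User, adding the department rule, validating a user) and the removal step just described can also be scripted. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the Atlas ConneX product or this article. It assumes the Microsoft.Graph module is installed, the signed-in admin can consent to the Group.ReadWrite.All and User.Read.All scopes, the AAD group carries the same display name as the workspace (as in the screenshots), and that the beta evaluateDynamicMembership action is available for the validation step. The function names and the user principal name are constructed for the example.

```powershell
# Added example: script the portal steps from the article with Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the admin can consent to these scopes.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

function Get-WorkspaceGroup {
    param([Parameter(Mandatory)][string]$DisplayName)
    # The AAD M365 group provisioned for a workspace has the same name as the workspace.
    $group = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if (-not $group) { throw "No group named '$DisplayName' was found." }
    if (@($group).Count -gt 1) { throw "More than one group is named '$DisplayName'; use the object ID instead." }
    return $group
}

function Enable-DynamicWorkspaceMembership {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$Department
    )
    # Same rule the article builds in the portal: department Equals <value>.
    # Written in Azure AD membership rule syntax.
    $rule = '(user.department -eq "{0}")' -f $Department
    # Keep "Unified" so the group stays an M365 group; "DynamicMembership" turns the
    # membership type from Assigned to Dynamic User. Processing state On applies the rule.
    Update-MgGroup -GroupId $GroupId `
        -GroupTypes @("Unified", "DynamicMembership") `
        -MembershipRule $rule `
        -MembershipRuleProcessingState "On"
}

function Test-WorkspaceMembershipRule {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    # Equivalent of the portal's "Validate Rules" check for one user.
    # Assumption: evaluateDynamicMembership is only exposed on the beta endpoint.
    $user = Get-MgUser -UserId $UserPrincipalName
    $result = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/groups/$GroupId/evaluateDynamicMembership" `
        -Body @{ memberId = $user.Id }
    return $result.membershipRuleEvaluationResult
}

function Get-WorkspaceMemberCount {
    param([Parameter(Mandatory)][string]$GroupId)
    # Membership is recalculated asynchronously, so this can lag the rule change.
    return @(Get-MgGroupMember -GroupId $GroupId -All).Count
}

function Disable-DynamicWorkspaceMembership {
    param([Parameter(Mandatory)][string]$GroupId)
    # Reverts the group to Assigned membership (the removal step in the article).
    # Rule processing must be paused when DynamicMembership is removed from GroupTypes.
    Update-MgGroup -GroupId $GroupId `
        -GroupTypes @("Unified") `
        -MembershipRuleProcessingState "Paused"
}

# Usage, with the workspace and rule value from the article and a constructed UPN:
$group = Get-WorkspaceGroup -DisplayName "Global Gourmet Supplies"
Enable-DynamicWorkspaceMembership -GroupId $group.Id -Department "IT Services"
Test-WorkspaceMembershipRule -GroupId $group.Id -UserPrincipalName "rene.cannon@contoso.example"
Get-WorkspaceMemberCount -GroupId $group.Id
```

Two things to check before running this against a live workspace: switching a group from Assigned to Dynamic removes its existing assigned members before the rule is processed, so the access loss mentioned above happens on the way in as well as on the way out; and because the rule is evaluated asynchronously, validate the rule against a known user first and expect the member count to catch up rather than change instantly.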