SharePoint Online and Azure AD Dynamic Groups

Tags: Azure AD, SharePoint Online, Office 365

One very common requirement in SharePoint, and other portal solutions for that matter, is to have the possibility to target content to a dynamic audience of users and even secure information based on dynamic rules. Traditionally this has been done with Audiences in SharePoint. Audience is a dynamic set of users that is compiled, usually once a day, and at compile time the rules of the Audience is evaluated. A SharePoint Audience is used to target information, but cannot be used to protect content - ie as a security group.

The Azure Active Directory released a new feature the other week, called Dynamic Membership, which is a very similar feature to the SharePoint Audience feature. But, does it work with SharePoint Online? Let's have a look!

Enabling Dynamic Groups in Azure AD

Delegated Group ManagementFirst of all we need to enable Dynamic Membership in Azure Active Directory. To do this you need to be an Azure AD admin and you must have Azure Active Directory Premium subscription, and also the administrator you're logging in with must have an Azure AD Premium license assigned to him. Once you have the licensing sorted out you need to enable Delegated Group Management. This is done in the Azure Portal under Azure AD > Configure.

Creating a Dynamic Group

When you've enabled the Delegated Group Management you can create a new group or configure an existing group in Azure AD. Remember if you change an already existing group to dynamic that group will loose all members. Click on the created or already existing group and choose the Configure tab. On that tab you can enable Dynamic Memberships. When you do that the screen changes into an interface where you can specify the rules; either through a simple guide or using a more advanced syntax.

In the screenshot below you can see that we have a group called "CVP" (Corporate Vice Presidents) and we would like everyone with the term CVP in their title to be a part of this group. Click Save when you are done with your configuring of the dynamic group.

Dynamic Memberships

To create the group we can use most of the Azure AD attributes. Note that the SharePoint Online user profile specific attributes cannot be used, so there are still some reasons to use SharePoint Audiences.

Group memberships are almost immediate. You might have to wait a minute or two when you do changes. There is no way to force a recalculation of the group (as far as I know).

Does it work in SharePoint Online?

The final test - can I now use this dynamic group in SharePoint Online (Office 365). The answer is YES! The newly created dynamic security group is immediately available for usage in SharePoint Online.

Dynamic Groups in SharePoint Online

Summary

Dynamic Groups in Azure AD is a really great feature. We can use it in SharePoint Online, Office 365 and even our custom applications to provide a better way to control security or target information. Although it requires you to have an Azure AD Premium subscription this is just one those small features that should make you consider that upgrade!

3 Comments

  • Rob de Jong said

    Currently, Dynamic Groups in AAD are restricted to security groups only. The team is working hard to get these to write back to on premise AD as well.

    We're also working on adding the Dynamic Membership feature to the new Office 365 Groups - please get in touch with me if you need more information.

Comments have been disabled for this content.

About Wictor...

Wictor Wilén is the Nordic Digital Workplace Lead working at Avanade. Wictor has achieved the Microsoft Certified Architect (MCA) - SharePoint 2010, Microsoft Certified Solutions Master (MCSM) - SharePoint  and Microsoft Certified Master (MCM) - SharePoint 2010 certifications. He has also been awarded Microsoft Most Valuable Professional (MVP) for seven consecutive years.

And a word from our sponsors...