SharePoint Online and Azure AD Dynamic Groups

Wictor Wilen

by Wictor Wilen on 3/26/2015

Share this:
Print

Article Details

Date Revised:
3/26/2015

Applies to:
Azure AD, dynamic groups, dynamic membership, SharePoint Audience, SharePoint Online


One very common requirement in SharePoint, and other portal solutions for that matter, is to have the possibility to target content to a dynamic audience of users and even secure information based on dynamic rules. Traditionally this has been done with Audiences in SharePoint. An Audience is a dynamic set of users that is compiled, usually once a day, and at compile time the rules of the Audience is evaluated. A SharePoint Audience is used to target information, but cannot be used to protect content, i.e., as a security group.

The Azure Active Directory released a new feature the other week called Dynamic Membership, which is a very similar feature to the SharePoint Audience feature. But, does it work with SharePoint Online? Let’s have a look!

Enabling Dynamic Groups in Azure AD

First of all we need to enable Dynamic Membership in Azure Active Directory. To do this you need to be an Azure AD admin and you must have Azure Active Directory Premium subscription. Also, the administrator you’re logging in with must have an Azure AD Premium license assigned to him. Once you have the licensing sorted out, you need to enable Delegated Group Management in the Azure Portal under Azure AD > Configure.

Configure the Azure Portal under Azure AD to enable Delegated Group Management

Figure 1: Configure the Azure Portal under Azure AD to enable Delegated Group Management.

Creating a Dynamic Group

When you’ve enabled the Delegated Group Management you can create a new group or configure an existing group in Azure AD. Remember, if you change an already existing group to dynamic, that group will lose all members. Click on the created or already existing group and choose the Configure tab. On that tab you can enable Dynamic Memberships. When you do that, the screen changes into an interface where you can specify the rules; either through a simple guide or using a more advanced syntax.

In figure 2 you can see that we have a group called "CVP" (Corporate Vice Presidents) and we would like everyone with the term CVP in their title to be a part of this group. Click Save when you are done with your configuring of the dynamic group.

In Azure AD, Delegated Group Management you can enable Dynamic Memberships

Figure 2: In Azure AD Delegated Group Management you can enable Dynamic Memberships.

To create the group we can use most of the Azure AD attributes. Note that the SharePoint Online user profile specific attributes cannot be used, so there are still some reasons to use SharePoint Audiences.

Group memberships are almost immediate. You might have to wait a minute or two when you make changes. There is no way to force a recalculation of the group (as far as I know).

Does it work in SharePoint Online?

The final test – can I now use this dynamic group in SharePoint Online (Office 365). The answer is YES! The newly created dynamic security group is immediately available to use in SharePoint Online (figure 3).

The Azure AD dynamic group you enabled works in SharePoint Online

Figure 3: The Azure AD dynamic group you enabled works in SharePoint Online.

Summary

Dynamic Groups in Azure AD is a really great feature. You can use it in SharePoint Online, Office 365 and even our custom applications to provide a better way to control security or target information. Although it requires you to have an Azure AD Premium subscription, this is just one those small features that should make you consider that upgrade!

You can see Wictor’s original post here.


Topic: SharePoint Online

Sign in with

Or register