Manage Azure Active Directory Groups

Overview of Azure AD Groups

What are Azure AD Groups?

Azure Active Directory (Azure AD) groups are fundamental for managing access to resources and applications within your organization. They allow you to assign permissions, licenses, and application access to multiple users or devices simultaneously, simplifying administrative tasks.

There are two primary types of groups in Azure AD:

  • Security groups: Used to grant access to Azure resources. Members can be users, service principals, or other security-enabled groups.
  • Microsoft 365 groups: Used to grant access to Microsoft 365 resources like SharePoint sites, Outlook inboxes, and Teams. They also include a shared mailbox, calendar, and more.

Groups can have static or dynamic memberships. Dynamic membership rules automatically add or remove members based on user attributes or device properties, reducing manual management.

Creating and Managing Groups

Creating a New Group

You can create groups using the Azure portal, PowerShell, or Microsoft Graph API. Here's a brief overview of the Azure portal process:

  1. Sign in to the Azure portal.
  2. Navigate to Azure Active Directory.
  3. Select Groups from the left-hand menu.
  4. Click New group.
  5. Choose the group type (Security or Microsoft 365).
  6. Provide a group name and description.
  7. Configure membership type (Assigned, Dynamic User, or Dynamic Device).
  8. If using dynamic membership, define the rules.
  9. Click Create.

[Image: Create Group in Azure Portal]

Adding and Removing Members

Once a group is created, you can add or remove members. For dynamic groups, this is handled automatically by the defined rules.

For assigned groups:

  • Navigate to the group's properties in the Azure portal.
  • Under 'Members', click 'Add members'.
  • Search for and select the users or devices to add.
  • To remove members, select them from the member list and click 'Remove member'.

Managing Group Settings

Group settings allow you to configure various aspects, including:

  • Membership type: Static vs. Dynamic.
  • Owners: Users who can manage group membership and settings.
  • Roles: Assign Azure AD administrative roles to groups.
  • Licenses: Assign Microsoft 365 licenses.
  • Guest access: Control whether external users can be members.

Dynamic Membership Rules

Creating Dynamic Membership Rules

Dynamic membership simplifies group management by automatically adding or removing members based on user attributes (like department, job title, location) or device properties. You define rules using a query language.

Example Rule (Users in 'Sales' department):

user.department -eq "Sales"

Example Rule (enabled, cloud-joined Windows 10 devices; dynamic rules cannot filter on an on-premises OU, so the rule keys on the device's trust type and OS version instead):

device.accountEnabled -eq true and device.deviceTrustType -eq "AzureAD" and (device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0")

You can create complex rules using logical operators (AND, OR, NOT) and various attributes. The Azure portal provides an intuitive interface for building these rules.
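Creating the same 'Sales' dynamic security group from the command line instead of the portal, as an added example that is not part of the original page: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups and Microsoft.Graph.Users), and the group name, mail nickname and description are assumed values.

```powershell
# Added example: create a dynamic security group with the Microsoft Graph PowerShell SDK.
# Scopes are kept to what this script needs (least privilege): Group.ReadWrite.All to
# create and read the group, User.Read.All to read the members' department attribute.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Hypothetical names; the membership rule is the 'Sales' rule shown in this section.
$displayName = "sg-sales-dynamic"
$rule        = 'user.department -eq "Sales"'

$group = New-MgGroup -DisplayName $displayName `
    -Description "Dynamic security group for the Sales department" `
    -MailEnabled:$false -MailNickname "sg-sales-dynamic" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Verify the rule was stored and is being evaluated. A processing state other than "On"
# means the membership is stale and the group should not be relied on for access decisions.
Get-MgGroup -GroupId $group.Id -Property DisplayName, MembershipRule, MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Periodic membership review (see Best Practices): list every member together with the
# attribute the rule keys on, so a user whose department value changed unexpectedly, and
# who therefore gained or kept access, can be spotted.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, UserPrincipalName, Department } |
    Select-Object DisplayName, UserPrincipalName, Department
```

Dynamic membership is evaluated asynchronously, so the member list may be empty for a short time after the group is created.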


Best Practices

Key Best Practices:

  • Use meaningful names: Make group names descriptive.
  • Leverage dynamic groups: For large organizations or frequently changing membership.
  • Assign ownership: Delegate group management to appropriate individuals or teams.
  • Regularly review membership: Ensure groups contain only the intended members.
  • Use groups for permissions: Avoid assigning permissions directly to individual users.
  • Principle of Least Privilege: Grant only the necessary access through group memberships.