Monday 3 September 2018

Creating Azure AD Groups with Azure Guest user exclusions

As Azure Guest access becomes more and more prevalent in an Office 365 tenant, certain Managers and Administrators are looking for a way to have 'employee only' Groups. Enter Azure Active Directory dynamic groups - a feature of Azure AD Premium P1 and above.

You can create a dynamic group in the Azure Portal, specifically | Azure Active Directory | Groups | + New Group. Let's take a look:

When creating the group, simply ensure the 'Membership type' is set to 'Dynamic User', you can then add your dynamic query, for example this one specifically looks for users with a mail add that contains '' - handy if you want to put users into groups based on primary SMTP address.

To specifically include or exclude Azure Guest Users - we're looking for 'UserType' where we'll match it, or not match it, or a variety of other options, with 'Guest'.

Once the Group is created it will take a while before you'll see the results of your dynamic group - more on that later, but drilling back into the Group we can confirm the dynamic membership rules query. We have the option of a simple rule or an advanced one, advanced allows us to join a variety or rules together to fine tune our dynamic membership

Once the dynamic group has had time to be processed it will show the objects contained within based on the rules you have created

So can we use Powershell to create Dynamic Groups? The answer is yes using the AzureAD Powershell module.

Once you have succesfully connected you can view your groups using Get-AzureADMSGroup 

 We can specifically look for dynamic groups by looking for the 'GroupTypes' attribute

Get-AzureADMSGroup |select DisplayName, GroupTypes 

And we can also actually create them, I find Powershell far easier creating a dynamic group when wanting to match multiple rules.

In this Powershell example I am specifically creating a Sales Group and also ensuring no Azure Guest users will be hiding within it. There's a few more considerations to bear in mind here as ww have to include -MailEnable -MailNickname and -MembershipRuleProcessingState

New-AzureADMSGroup -DisplayName "Oliver Test Dynamic Group" -GroupTypes dynamicmembership -MembershipRule '(user.userType -notMatch "Guest" -and user.department -eq "Sales")' -MailEnabled $false -MailNickname $false -SecurityEnabled $true -MembershipRuleProcessingState On

-MembershipRuleProcessingState states whether it will start processing the group or whether you want to pause the processing of the rule for the time being. The options available are 'On' or 'Paused' - Paused makes sense if you're using Powershell to script the creation of your on-premises dynamic groups to Azure AD, you may have a lot and want to slowly control which ones start processing.

More on understanding your on-premises dynamic groups and how to create them in Azure AD in my next post.

Have fun!


No comments: