Microsoft provides a great option for anyone trying to create a team to include all members of an organization. While that option is great, it does not cover the entire reality as organizations may have external consultants or test accounts created that should not be part of an org-wide group. So if your Active Directory is completely clean and organized, you may want to skip this post.
For those of us who need an org-wide team with a few extra tweaks that make groups easier to manage, Azure AD allows dynamic rules to be created so that group membership is automated based on a user’s (or device’s) properties. Say you want a group of all the employees from the Finance department, or all the users located in a particular city, or even all the users with the word consultant in their titles.
For an overview of the different group types and what each one is used for, see the table below:
| Group type | Membership Type | Purpose |
|---|---|---|
| Security | Assigned | Typical standard security group |
| Security | Dynamic User | Useful for distributing M365 application licenses instead of assigning them directly to the user. |
| Security | Dynamic Device | Useful for tagging company-wide assets to be used in Windows Auto-Pilot |
| Microsoft 365 | Assigned | Any groups where the membership does not follow a common logic, department, etc. |
| Microsoft 365 | Dynamic User | Company-wide groups that cover all users of a department or role. |
Dynamic groups are only available in the Azure AD admin center. To set them up, follow these steps:
1. Have the M365 Group or Team you want already created. This is not needed, but chances are you will be converting a static group into a dynamic one.
2. From the Azure AD admin center, click on Groups.
3. If you are setting up a new group, click on “New” and skip to step #6.
4. Search for the group whose membership you would like to change.
5. Click on Properties.
6. Under membership type, if it says assigned, switch it to dynamic.
7. Select a group owner.
8. Click on “Add dynamic query” and use the property dropdowns to build the membership query for the group. See screenshot below.
9. You can also click on “Edit” in the rule syntax box to type in your query.
10. Once you are done, click Save.
11. Wait a couple of minutes and check under the group’s Members tab whether the query you built covers everyone you need to add to the group.

Once enabled, a new tab called “Dynamic membership rules” will appear so that the query can be edited directly by clicking on it. With so many different properties available, as long as your AD information is up to date, you will be able to fine-tune your groups against many different criteria.
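The following is an added example, not part of the original post: a rule for the org-wide case described above (enabled member accounts, no consultants) and a scripted version of the "check the Members tab" step that lists accounts wrongly included in or missing from the group. It assumes the Microsoft Graph PowerShell SDK is installed; the group name `All Staff` and the "consultant" job-title convention are hypothetical.

```powershell
# Added example: 'All Staff' and the "consultant" title convention are assumptions.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All'

# Rule text as it would be typed into the "Rule syntax" box.
$rule = '(user.accountEnabled -eq true) and (user.userType -eq "Member") ' +
        'and (user.jobTitle -notContains "consultant")'

# Read the group and show the rule that is actually stored on it.
$group = Get-MgGroup -Filter "displayName eq 'All Staff'" `
    -Property Id, DisplayName, MembershipRule, MembershipRuleProcessingState |
    Select-Object -First 1
Write-Host "Intended rule : $rule"
Write-Host "Stored rule   : $($group.MembershipRule)"
Write-Host "Processing    : $($group.MembershipRuleProcessingState)"

# Approximate the rule client-side. Accounts with an empty job title are
# treated as matching here; review those by hand.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, JobTitle
$expected = $users | Where-Object {
    $_.AccountEnabled -and $_.UserType -eq 'Member' -and $_.JobTitle -notlike '*consultant*'
}
$expectedIds = @($expected | ForEach-Object Id)
$memberIds   = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)

# Members the rule should have excluded (guests, disabled or consultant accounts).
$unexpected = $users | Where-Object { $_.Id -in $memberIds -and $_.Id -notin $expectedIds }
# Accounts the rule should have picked up but that are not members yet.
$missing = $expected | Where-Object { $_.Id -notin $memberIds }

$report = @(
    $unexpected | Select-Object @{n = 'Status'; e = { 'Unexpected member' } },
        UserPrincipalName, UserType, AccountEnabled, JobTitle
    $missing | Select-Object @{n = 'Status'; e = { 'Missing from group' } },
        UserPrincipalName, UserType, AccountEnabled, JobTitle
)
$report | Format-Table -AutoSize
```

An empty report means the group's membership matches the intended rule; "Missing from group" rows shortly after a rule change may only mean processing has not finished yet.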
IMPORTANT: Microsoft 365 groups will fully refresh whenever they are changed from Assigned to dynamic, so it is important to deactivate group membership notifications first by running the following PowerShell Script:
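```powershell
# Connect to Exchange
# Allow the session's scripts to run for this PowerShell process only,
# instead of setting the machine-wide policy to Unrestricted.
Set-ExecutionPolicy RemoteSigned -Scope Process
Start-Service WinRM
Import-Module MSOnline -Verbose

# Replace the below with your admin username
$adminUPN = "admin@organization.com"
$UserCredential = Get-Credential -UserName $adminUPN -Message "Enter password"

# Note: -Authentication Basic cannot be used with accounts that require MFA;
# Microsoft's ExchangeOnlineManagement module is the modern-authentication alternative.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-MsolService -Credential $UserCredential

# Disable welcome messages (replace <group name> with your group's name)
Get-UnifiedGroup -Identity "<group name>" | Set-UnifiedGroup -UnifiedGroupWelcomeMessageEnabled:$false

# Ensure to run this at the end so the remote session is closed
Remove-PSSession $Session
```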
