Teams Real Simple with Pictures: Nested Dynamic Groups via Azure AD in Entra

Written: 10/07/2022 | Updated: N/A

So imagine this scenario. Say we have two teams in our organisation. One team is the Sales Team. The other is the Marketing Team. I need to ensure specific users are part of the Sales Team depending on their role, and likewise that specific users are part of the Marketing Team depending on their role. For this we can use Dynamic Groups. But now we also need everyone in the Sales and Marketing Teams to be in a third team, the Commercial Team, and this also has to happen automatically, without manual adds. For this we are going to use new functionality called Nested Dynamic Groups: the users of Dynamic Group A are made up of the users dynamically added to and removed from Dynamic Group B and Dynamic Group C. Sounds pretty nuts, but it’s straightforward, as I’ll show you. Nested Dynamic Groups support Security Groups and Microsoft 365 Groups, so we can use them for Teams. As a public preview feature there are some caveats, such as memberOf not being supported in the rule builder. The full list is in the FAQs below; I’m sure they’ll knock them out soon.

Let’s go. I love Identity.

This blog will cover:

  • Amending Azure AD Attributes
  • Creating the Teams
  • Setting Dynamic Groups and Nesting
  • FAQs

NOTE: This blog may have abridged steps and will assume some familiarity with Microsoft 365 and Teams

Pre-requisites

  • Azure AD Premium Licence in the Tenant
  • Global Administrator, Intune Administrator, or User Administrator role to use the memberOf attribute to create an Azure AD dynamic group
  • Teams Licence (within an Office 365/Microsoft 365 Licence) to set up and test

AMENDING AZURE AD ATTRIBUTES

So the first thing we do for the Dynamic Groups is set the attributes on the Azure AD users.

1.) Log into https://entra.microsoft.com and under Azure Active Directory select Users and then All Users

2.) Select a User

3.) Select Edit Properties

4.) I set the user’s Department to Sales, and then Save.

5.) I repeat this process for several others with the following:

Department: Sales (Amanda Sterner, Chris Hoard, Adam Deltinger)
Department: Marketing (Mar Llambi, Chirag Pateli, Vesku Nopanen)

All department information has been completed, and I have surfaced the Department column to double check.

All users are ready to go.

CREATING THE TEAMS

Now the users’ attributes have been set, I can create the Teams.

1.) In Teams Select Join or Create a Team

2.) Select Create a Team

3.) Select From Scratch

4.) Select Private

5.) This Team will be called Sales, then Create

6.) No users to be added, select Skip

7.) Repeat this process until all three teams, Sales, Marketing and Commercial, are created.

Our users are ready, and so are our Teams. Let’s get back into Microsoft Entra.

SETTING DYNAMIC GROUPS AND NESTING

OK, so the building blocks are in: our users and our Teams (and therefore Microsoft 365 Groups). Where do we go from here? The first step is to build dynamic groups for Sales and Marketing.

1.) In the Entra portal select Groups and then All Groups

2.) Select Sales, one of the Teams created

3.) Select Properties

4.) Change the Membership Type to Dynamic User

5.) Select Add Dynamic Query

6.) Create the Expression Department Equals Sales and then select Save

7.) Now select Save and save the Dynamic Query to the group

8.) The rule can be checked under Dynamic Membership Rules

9.) Repeat the process above for the Marketing group, creating the Expression Department Equals Marketing, and then Save. Check back that this has also been created under Dynamic Membership Rules.

10.) At this point everything is in place. Sales and Marketing are set up as Dynamic Groups, but before we go and amend the third group, Commercial, we make a note of the Object IDs (also called the Group IDs) of the groups. These are on the overview page of the group or in its properties.

Sales is: 97b318b8-1ebe-4fdf-9f2d-c46155a3bce0
Marketing is: f90a60e3-7b80-49ec-9154-4ae1d57b22b8

11.) Now, under All Groups select the final group, Commercial

12.) Select Properties

13.) Change to Dynamic User and Add Dynamic Query

14.) Now edit the Rule Syntax. Because the editor doesn’t support memberOf at this time, the rule has to be added manually, as follows:

user.memberof -any (group.objectId -in ['groupId', 'groupId'])

So with the groups which have been built, it will look like this:

user.memberof -any (group.objectId -in ['97b318b8-1ebe-4fdf-9f2d-c46155a3bce0', 'f90a60e3-7b80-49ec-9154-4ae1d57b22b8'])

Once done, select Save.

15.) Verify the rule under Dynamic Membership Rules.

Our job here is done. User attributes configured. Teams built. Dynamic User Groups created for Sales and Marketing based upon the Department attribute, and then the third Dynamic Group created with a custom rule based upon the Object IDs of the other two groups.

Because it can take some time to show in the Teams client, let’s check the admin centre. All correct: three are in Sales.

The correct four in Marketing.

And the composite: the correct six in Commercial.

This is really nice functionality, which I am sure will become a fundamental part of how we manage users and Teams moving forward, especially once the caveats (see below) are knocked out. All in all, the above took under 25 minutes. Whilst a simple illustration, think of the time, and the Teams sprawl, saved by using this.
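As an added example (not code from the blog post), here is the same configuration done with the Microsoft Graph PowerShell SDK, ending with a script version of the membership check: the Commercial group should contain exactly the union of Sales and Marketing, and anything extra is a user who got into Commercial through neither department. It assumes the SDK is installed, the three Teams already exist, and the signed-in account holds a role that can edit groups; the function names are my own.

```powershell
# Added example (not from the blog post): apply the post's three rules with the
# Microsoft Graph PowerShell SDK, then check that Commercial = Sales + Marketing.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

function Get-GroupIdByName([string]$Name) {
    # Resolve by display name and insist on exactly one match, so the memberOf rule
    # below is built from verified Object IDs rather than hand-typed GUIDs.
    $g = @(Get-MgGroup -Filter "displayName eq '$Name'")
    if ($g.Count -ne 1) { throw "Expected exactly one group named '$Name', found $($g.Count)" }
    return $g[0].Id
}

function Set-DynamicRule([string]$GroupId, [string]$Rule) {
    # groupTypes is replaced wholesale on PATCH, so keep 'Unified' (the group stays a Team)
    # while adding 'DynamicMembership'. Any manually added members are dropped by Azure AD.
    Update-MgGroup -GroupId $GroupId -GroupTypes @("Unified", "DynamicMembership") `
        -MembershipRule $Rule -MembershipRuleProcessingState "On"
}

function Compare-NestedMembership([string]$ParentId, [string[]]$ChildIds) {
    # Membership evaluation is asynchronous; run this a few minutes after saving the rules.
    $expected = @($ChildIds | ForEach-Object { (Get-MgGroupMember -GroupId $_ -All).Id } | Sort-Object -Unique)
    $actual   = @((Get-MgGroupMember -GroupId $ParentId -All).Id | Sort-Object -Unique)
    $missing  = @($expected | Where-Object { $_ -notin $actual })   # in a child, not in parent
    $extra    = @($actual   | Where-Object { $_ -notin $expected }) # in parent, in no child
    [pscustomobject]@{
        Expected = $expected.Count; Actual = $actual.Count
        Missing  = $missing;        Extra  = $extra
        InSync   = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

$salesId      = Get-GroupIdByName "Sales"
$marketingId  = Get-GroupIdByName "Marketing"
$commercialId = Get-GroupIdByName "Commercial"

# Steps 6 and 9: what the rule builder produces for "Department Equals Sales/Marketing"
Set-DynamicRule $salesId     'user.department -eq "Sales"'
Set-DynamicRule $marketingId 'user.department -eq "Marketing"'

# Step 14: the memberOf rule, with the child group IDs substituted in
Set-DynamicRule $commercialId "user.memberof -any (group.objectId -in ['$salesId', '$marketingId'])"

# The admin-centre check from the post, as a script: anything in Extra means a user got
# into Commercial who is in neither Sales nor Marketing, which is worth investigating.
Compare-NestedMembership -ParentId $commercialId -ChildIds @($salesId, $marketingId)
```

Because only direct members count (see the caveats below), the comparison works on the child groups' direct members, which is exactly what the memberOf rule evaluates.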

FAQs

Q.) Can devices be used for this?
A.) Yes, using the following rule:

device.memberof -any (group.objectId -in ['groupId', 'groupId'])

Q.) What are the caveats to using this?
A.) Currently it has the following caveats:

  • The dynamic group rule builder and rule validation can’t be used for memberOf at this time (as shown above)
  • Each AAD tenant is limited to 500 dynamic groups using memberOf
  • MemberOf groups do count towards the total dynamic group member quota of 5,000
  • Each dynamic group can have up to 50 member groups
  • You can’t use one memberOf dynamic group to define the membership of another
  • MemberOf can’t be used with other rules currently
  • MemberOf can’t be used with other operators currently
  • Only direct members of the security group become members of the dynamic group