Azure AD Dynamic Group based on Group Membership - azure-active-directory

Is it possible to create an Azure AD dynamic group based on the user's other group memberships, or can it only be dynamically assigned based on user properties?
What I would like to create is an "Everyone" type group that will include everyone except users that are in an ExceptionGroup. This is for O365 licensing, so by default all users will get a base O365 license, but users that need Project will have a different license applied.
(The reason it needs to be completely separate is because of a conflict between the SharePoint licenses required for O365 Business Premium and Project -- if there was another way around that part of the problem, I might be able to avoid this type of dynamic group.)

Philippe is correct that you cannot directly create a query that uses group membership as a criterion, but if you are syncing your Azure AD against an on-premises Active Directory environment, you can certainly use scheduled scripts to put values into the extensionAttributeX fields, and then build criteria based upon those without issues.
We needed to use the distinguishedName parameter to create dynamic groups based on OU membership, but the DN field is also not supported. So, using a scheduled job running a PowerShell script, I update the value of extensionAttribute9 to the DN if it has changed, and then our Azure Connect synchronization takes care of getting that data into Azure AD for the dynamic group member assignment.
An example of a PowerShell script to do that for a group membership would look something like this:
Import-Module ActiveDirectory
# SamAccountNames of everyone in the exclusion group, including nested members
$exclude = Get-ADGroupMember -Identity "excludeGroup" -Recursive | Select-Object -ExpandProperty SamAccountName
$population = Get-ADUser -Filter {enabled -eq $true}
foreach ($p in $population) {
    if ($exclude -notcontains $p.SamAccountName) {
        Set-ADUser -Identity $p -Replace @{extensionAttribute4 = "Good"}
    } else {
        # Clear the flag for users that have since been added to the exclusion group
        Set-ADUser -Identity $p -Clear extensionAttribute4
    }
}
Put that into a script that you run on a scheduled basis and then you create your dynamic Azure AD group membership based on the value in extensionAttribute4 (or whichever extensionAttribute you are not already using or prefer).
Do make sure you are syncing those fields between your local AD and Azure AD, but IIRC those are in the default set.
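Once extensionAttribute4 has synced up to Azure AD, the remaining step is the dynamic group itself. The following is an added example (not part of the original answer) using the AzureAD module's New-AzureADMSGroup; the group display name, mail nickname and the attribute value "Good" are assumptions taken from the script above. The rule syntax `user.extensionAttribute4` is the documented dynamic-membership property name for the synced attribute.

```powershell
# Added example: create the dynamic group whose rule keys off the synced attribute.
# Assumes the AzureAD module and an account allowed to create groups.
Connect-AzureAD

# Rule evaluated by Azure AD against each user object after sync.
$rule = '(user.extensionAttribute4 -eq "Good")'

$group = New-AzureADMSGroup -DisplayName 'Everyone-BaseLicense' `
    -Description 'All enabled users not in excludeGroup (driven by extensionAttribute4)' `
    -MailEnabled $false -MailNickname 'everyone-baselicense' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Read the group back and confirm the rule is stored and processing is switched on;
# with ProcessingState 'Paused' the group would silently stop tracking the attribute.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Spot-check: the users the rule should pick up are exactly those carrying the flag.
Get-AzureADUser -All $true |
    Where-Object { $_.ExtensionProperty['extensionAttribute4'] -eq 'Good' } |
    Select-Object UserPrincipalName |
    Sort-Object UserPrincipalName
```

Membership evaluation is asynchronous, so the spot-check list and Get-AzureADGroupMember on the new group only converge after the directory has processed the rule; compare the two before attaching the license assignment to the group.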

No, it is not currently possible to use group membership as a part of the query for a dynamic group.

Related

No Group Memberships option in the Azure AD Group blade

I have a security group called SecurityGroupParent and another security group called SecurityGroupChild. I want to add SecurityGroupChild as a member to SecurityGroupParent. But I cannot see the option Group Memberships as explained here although I have the right role.
You'll need the Groups Administrator or User Administrator role to edit group membership.
Also please check that you have logged into the correct tenant or account in which you have the above roles before adding the membership.
Also please note that there are some limits when nesting groups.
For example: we cannot add a group that is synced with on-premises Active Directory.
See Limitations - groups - Azure Active Directory - Microsoft Entra | Microsoft Docs
You can also try to add the child security group as a member of the parent security group from the Members blade:
If the groups are set to role assignable, or IsAssignableToRole is set to $True, then the groups are private and only members can view the content of the group.
Also check if HiddenMembership is enabled (reference: visibility).

Azure Active Directory Automatically Add/remove groups from Device

I was wondering if it's possible to automate add/remove group memberships from devices?
Basic concept: I have a bunch of devices with a certain group-role. I want to remove this group role from a device if the device display name matches a record in a .csv file. How would I approach this?
extra info: Azure AD joined devices.
• Yes, you can add/remove devices that are members of multiple groups in Azure AD. But you need to maintain a file, i.e., a CSV file as you said, for each group that exists in your environment. You can also create a custom role assignment for this purpose and assign it the ‘microsoft.directory/groups/members/update’ permission so that the user assigned this role will have privileges only to update (add/delete/modify) the groups in Azure AD.
• For this purpose, you can use the script below by logging into Azure PowerShell with the custom-role-assigned user ID and executing it, pointing it at the correct CSV file for the respective group to remove the devices from that group. Also, please download the updated CSV file for the group from which devices are to be removed from Azure AD.
$cred = Get-Credential
Connect-AzureAD -Credential $cred
# CSV exported from the group; each row must carry the member's ObjectId
$devices = Import-Csv -Path '<Path of the csv file containing group members details>'
foreach ($device in $devices) {
    Remove-AzureADGroupMember -ObjectId '<ObjectID of the Group>' -MemberId $device.ObjectId
}
• However, you will have to use the ‘Object ID’ parameter of the device rather than ‘Display Name’, as display name as an argument is not supported in the ‘Remove members from group’ operation.
Please refer to the link below for more details:
https://learn.microsoft.com/en-us/powershell/module/azuread/remove-azureadgroupmember?view=azureadps-2.0
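The question works from device display names, while the cmdlet only accepts ObjectIds. The following added example (not part of the original answer) bridges the two: it reads a DisplayName column from the CSV, resolves each name to a device ObjectId with Get-AzureADDevice, removes only devices that really are members, and defaults to a dry run. The group ObjectId, CSV path and column name are placeholders.

```powershell
# Added example: remove devices from an Azure AD group by display name, safely.
# Assumes the AzureAD module; $groupId and $csvPath are placeholders to fill in.
Connect-AzureAD

$groupId = '<ObjectID of the Group>'
$csvPath = '<Path to csv with a DisplayName column>'
$dryRun  = $true   # set to $false to actually remove members

# Snapshot of current members keyed by ObjectId, so we only act on real members
# and never issue a removal for an unrelated device that merely shares a name.
$members = @{}
Get-AzureADGroupMember -ObjectId $groupId -All $true |
    ForEach-Object { $members[$_.ObjectId] = $_ }

foreach ($row in Import-Csv -Path $csvPath) {
    $name = $row.DisplayName
    # Single quotes inside an OData string literal are escaped by doubling them.
    $escaped = $name -replace "'", "''"
    # displayName is not unique in Azure AD: treat 0 or >1 matches as errors, not guesses.
    $found = @(Get-AzureADDevice -Filter "displayName eq '$escaped'")
    if ($found.Count -eq 0) { Write-Warning "No device named '$name'; skipped"; continue }
    if ($found.Count -gt 1) { Write-Warning "Ambiguous name '$name' ($($found.Count) devices); skipped"; continue }

    $device = $found[0]
    if (-not $members.ContainsKey($device.ObjectId)) {
        Write-Host "$name ($($device.ObjectId)) is not a member of $groupId; nothing to do"
        continue
    }
    if ($dryRun) {
        Write-Host "[dry run] would remove $name ($($device.ObjectId))"
    } else {
        Remove-AzureADGroupMember -ObjectId $groupId -MemberId $device.ObjectId
        Write-Host "Removed $name ($($device.ObjectId))"
    }
}
```

Running with $dryRun left at $true first gives a reviewable list of exactly which ObjectIds would be removed; ambiguous or unknown names are reported and skipped rather than resolved by guesswork.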

Override Office 365 group naming policy

As stated in this article from Microsoft on group naming policies, selected administrators are exempted and able to override any given naming policy.
In my case I have registered an app that is used to run Azure Functions creating unified groups through the Graph API.
I want to override the naming policy when using the app but I can't find a way to make it happen.
Any ideas?
The application you registered will have a service principal in Azure AD. Your application performs the actions under the service principal's identity.
You can assign the exempted roles to the service principal object of your application and then your application should be exempted as well.
You can find the role ID using this command:
$AADRole = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Helpdesk Administrator'}
You can find the object ID of the service principal either by searching directly under Enterprise applications or through PS using this command:
$servicePrincipal = Get-AzureADServicePrincipal -SearchString "<your enterprise application name>"
Finally, you can assign the role to your application using this command:
Add-AzureADDirectoryRoleMember -ObjectId $AADRole.ObjectId -RefObjectId $servicePrincipal.ObjectId
Hope this helps.

SQL Server: LDAP query of Active Directory Group members works inconsistently

I am querying Active Directory from SQL Server via a Linked Server called LDAP.
The linked server was created thus, authenticating through a specially created service account myDomain\ServiceAccountWithNoPermissions.
exec master.dbo.sp_addlinkedserver @server = N'LDAP', @srvproduct = N'Active Directory Service Interfaces', @provider = N'ADSDSOObject', @datasrc = N'adsdatasource'
exec master.dbo.sp_addlinkedsrvlogin @rmtsrvname = N'LDAP', @useself = N'False', @locallogin = NULL, @rmtuser = N'myDomain\ServiceAccountWithNoPermissions', @rmtpassword = '########'
And I'm querying the members of a specific Active Directory Group with the following:
select *
from OpenQuery (LDAP, '
select objectGUID, sAMAccountName
from ''LDAP://myServer.myDomain.com/DC=myDomain,DC=com''
where MemberOf=''CN=Some Group,OU=Folder,DC=myDomain,DC=com''
order by sAMAccountName asc
');
Here's my problem. The above system is working correctly for some Active Directory Groups and not others.
By default I think Authenticated Users is supposed to be able to query any User or Group objects in Active Directory. And as a test I verified that the effective permissions of myDomain\ServiceAccountWithNoPermissions include "Read all properties" on Groups for which the members are both queryable and non-queryable.
What could be the difference between Groups that are queryable and non-queryable?
You didn't describe what you mean by it working incorrectly, so I can only guess. But the most obvious thing I can see is that you're querying the membership of a group by using memberOf. Depending on how your environment is set up, that may not give you all the results you hope for. I wrote about this, but here's the important part:
Groups only get added to memberOf if they have a Group Scope of:
Universal and are in the same AD forest as the user, or
Global and are on the same domain.
Groups do not get added to memberOf if they have a Group Scope of Global and are on another domain (even if in the same forest).
On top of that, memberOf will only include Domain Local groups from the same domain of the server you are retrieving results from. (if you are working in a multi-domain environment and reading from a Global Catalog, this may not be the same domain the user is from)
It will also not report the user’s primary group (usually Domain Users), if that’s important to you, nor will it include groups on external trusted domains.
The most reliable way to find all the members of a group is to read the member attribute of the group itself. But if the group is used as the primary group for any users, then you would also have to use a different way to find those.
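To make the last point concrete, here is an added example (not from the original answer) in PowerShell rather than the ADSI linked server: it enumerates a group from the group's own member attribute and then separately picks up users whose primary group is that group, which appear neither in member nor in any user's memberOf. The group name is a placeholder.

```powershell
# Added example: full membership = 'member' attribute + users linked via primaryGroupID.
# Assumes the ActiveDirectory module; '<Some Group>' is a placeholder.
Import-Module ActiveDirectory

$group = Get-ADGroup -Identity '<Some Group>' -Properties member

# 1. Direct members: distinguished names stored on the group object itself.
#    Nested groups show up here as objectClass 'group' (use Get-ADGroupMember -Recursive to expand).
$direct = foreach ($dn in $group.member) {
    Get-ADObject -Identity $dn -Properties sAMAccountName |
        Select-Object sAMAccountName, objectClass, @{ n = 'Source'; e = { 'member' } }
}

# 2. Primary-group members: AD stores this link on the *user* as primaryGroupID,
#    which is the RID (last component) of the group's SID, not in the group's member list.
$rid = [int](($group.SID.Value -split '-')[-1])
$primary = Get-ADUser -Filter "primaryGroupID -eq $rid" |
    Select-Object sAMAccountName, objectClass, @{ n = 'Source'; e = { 'primaryGroupID' } }

# Union of both views; the Source column shows why memberOf alone would have missed a row.
@($direct) + @($primary) | Sort-Object sAMAccountName | Format-Table -AutoSize
```

For Domain Users the RID is 513, so any user whose primaryGroupID is 513 is a member of Domain Users without ever appearing in that group's member attribute; the same applies to any group an administrator has set as a user's primary group.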

New-AzureRmADGroup doesn't have a way to indicate if a group is security enabled?

I feel like I am missing something. I am looking to use New-AzureRmADGroup to create new groups in bulk -- the issue is I cannot see how to enable or disable a group as security enabled. Is this not possible?
AFAIK the command you are using, New-AzureRmADGroup, will always create a Security group.
So if you check the created group's properties using PowerShell, you will always find SecurityEnabled: True
You can create another type of group, i.e. an "Office 365" group using Azure Portal or a completely different PowerShell command (also a different module) i.e. New-UnifiedGroup (documentation)
Here's a quick link to Microsoft Documentation on creating Azure AD Groups and the two types. (Link)
Security groups are good to manage access to Azure resources as a group instead of individual users. More info here: Manage access to resources with Azure Active Directory groups
If you're interested in Office 365 groups and related PowerShell Commands, more info here: Office 365 Groups and Manage Office 365 Groups with PowerShell
