Getting started with Azure AD Groups
In the simplest terms, an Azure AD group is a container for users. A group helps organize users, making it easier to manage their access levels and permissions. Azure AD allows us to bundle a set of permissions into a role; there are a number of predefined roles available in Azure AD, and with a Premium P1 or P2 subscription we can also create our own custom roles. These roles can be mapped to groups.
The users that are members of a particular group inherit the permissions of the role mapped to that group, so we do not have to assign a role to each individual user by hand. For example, if we know that both Ram and Sham are going to be in the Finance group, we can give the group the necessary role so that both of them receive the appropriate permissions, rather than assigning it to each of them individually.
Each group can have an owner, who manages the properties of that group object.
Types of Azure AD Groups
Azure AD allows us to define two different types of groups.
1. Security groups
These are the most common type and are used to manage member and computer access to shared resources for a group of users. For example, you can create a security group for a specific security policy. This way you give a set of permissions to all the members at once, instead of having to add permissions to each member individually. This option requires you to have Azure AD administrator rights.
2. Office 365 groups
These groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. Since this category of groups does not involve access to critical infrastructure resources, it’s made available to users as well as admins.
Different ways to add members to Azure AD Groups
There are three different ways you can assign membership, and therefore access rights, to a group:
1. Assigned
This option lets you add specific users as members of the group and give them unique permissions.
2. Dynamic User
Interestingly, this option allows you to use dynamic membership rules to automatically add and remove members. If a member's attributes change, the system evaluates your dynamic group rules for the directory to see whether the member now meets the rule requirements (and is added) or no longer meets them (and is removed).
3. Dynamic Device (Security groups only)
The previous two options are mainly used to assign group memberships to human users, while this category lets you manage the group memberships, and therefore the permissions, of devices joined to or authenticated with your Azure AD tenant. You use dynamic group rules to automatically add and remove devices: if a device's attributes change, the system evaluates your dynamic group rules for the directory to see whether the device now meets the rule requirements (and is added) or no longer meets them (and is removed).
Examples: creating and managing Azure AD groups
Have you given some thought to which groups you need to create? Would you assign membership directly or dynamically? In the following section of the article, we will learn how to create groups in Azure Active Directory.
So far, we've learned what Azure AD groups are and how they can be helpful. In this section we give a practical demonstration of how to create a security group and add ourselves as a member of it, followed by a group with dynamic membership.
Creating an “Assigned” membership type group
Let's log in to the Azure portal and type Azure Active Directory in the search bar. Click on the Azure AD service; this takes us to the Azure AD service management page.
We are now inside our Azure AD tenant and from here we will click on the Users tab.
If your organization is already actively using an Azure AD tenant, you might already have some users here. For the purpose of our demonstration, we will create a new user named demo. Under the Users section, click on the New user button.
On the new user creation page we will not go through all the different user attributes, since we already covered that process in depth in a previous article. We do, however, want to point out the Job Info section, as it can be used for dynamic group assignment at a later stage. Also note that we do not assign any group to the user at creation time.
Once we click the Create button, the user is created; we can verify this by going back to the Users page.
Now that we have created our user, let’s go back to the Azure AD service page. Now, click on the Groups button under the Manage section of the page.
Once you open the groups page, here click on the New group button.
Here we need to enter the group name and group type, and we may also add an optional description. We can specify an owner for the group as well, if warranted.
Once we have provided values for the mandatory fields, click Create. Group creation takes a couple of seconds; once it's complete, our group is visible on the Groups page as shown below.
To add members to our group, click the group name. This will show the group properties and on the left side of the page, a management pane is displayed. Under the manage section click on Members.
We did not add any members to this group during the group creation phase, therefore the list is empty for now.
Click on the Add members button, which opens a search window where we can type the name of the entity we wish to add as a member of this group. In our case, we'll search for the user we created earlier.
Click on demo user and then click the select button. This will add the user to our demo group.
There are a couple of things worth noting about the above demonstration. We used the free version of Azure AD, and with the free subscription you cannot associate roles with groups, nor can you use dynamic group membership.
In order to use dynamic group assignments, you require a premium P1 or P2 subscription.
We will now share a scenario wherein we use an Azure AD Premium P2 subscription and demonstrate how we would create a group with dynamic member assignments.
Creating a “Dynamic” membership type group
Groups created with the Assigned membership type always have fixed members, and administrator intervention is required to add or remove members. In a fluid, fast-paced organization where employees regularly change job functions, modifying group memberships every time this happens can be a cumbersome task.
To help mitigate this, Azure AD allows us to create groups with dynamic membership, where the group carries a rule made up of a user attribute, a condition, and a value to match. This rule is used to query the users in our Azure AD tenant, and users who meet or no longer meet the criteria are added to or removed from the group automatically. This makes group administration much easier as long as the rule is clearly defined. We can also combine more than one criterion.
To create a group with dynamic membership, click on the new group button in the Azure AD groups page.
Keep the Group type as Security and the Membership type as Dynamic User. Notice a mandatory field called Dynamic user members along with a button titled Add dynamic query. This is where we specify the property to match when assigning group memberships to users dynamically. Add the query and then click Create to create the group.
In the above example, we use the job title property and match the value accountant. Once this group is created, all users whose job title is accountant are added to it automatically.
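To make the re-evaluation described above (and in the Dynamic User and Dynamic Device membership types earlier) concrete, here is an added example that is not from the original article or from Microsoft: a small Python evaluator for a subset of the dynamic membership rule syntax (`-eq`, `-ne`, `-startsWith`, `-contains`, `-and`, `-or`, `-not`, quoted strings, `null` and parentheses), run against a handful of constructed users. It also assembles the Microsoft Graph `POST /groups` body for a dynamic security group after checking that the rule parses, so a typo fails locally instead of in the tenant. The sample users, the `contoso.example` names, the operator precedence (`-and` before `-or`) and the case-insensitive string comparison are assumptions of this example; consult the product documentation for the exact operator semantics.

```python
import re

# Tokens for a simplified subset of the dynamic membership rule grammar.
# Added example; this is an assumption-based toy, not Microsoft's evaluator.
TOKEN_RE = re.compile(
    r'\s*(?:(?P<lparen>\()|(?P<rparen>\))'
    r'|(?P<attr>user\.[A-Za-z0-9_]+)'
    r'|(?P<op>-(?:eq|ne|startsWith|contains|and|or|not))\b'
    r'|"(?P<str>[^"]*)"'
    r'|(?P<null>null))'
)
COMPARISONS = ("-eq", "-ne", "-startsWith", "-contains")


def tokenize(rule):
    """Split a rule string into (kind, value) tokens; reject anything unknown."""
    rule = rule.strip()
    pos, tokens = 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}: {rule[pos:]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


def _norm(value):
    # Assumption of this toy: string comparisons are case-insensitive.
    return value.casefold() if isinstance(value, str) else value


def compare(actual, op, expected):
    """Evaluate one 'user.attr <op> value' comparison."""
    a, e = _norm(actual), _norm(expected)
    if op == "-eq":
        return a == e
    if op == "-ne":
        return a != e
    if a is None or e is None:      # -startsWith / -contains need two strings
        return False
    if op == "-startsWith":
        return a.startswith(e)
    return e in a                   # -contains


def compile_rule(rule):
    """Parse a rule into a predicate: dict of user attributes -> bool."""
    tokens = tokenize(rule)
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else (None, None)

    def take(kind):
        k, v = peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {v!r}")
        pos[0] += 1
        return v

    def expr():                     # -or: lowest precedence (assumption)
        node = term()
        while peek() == ("op", "-or"):
            take("op")
            node = (lambda l, r: lambda u: l(u) or r(u))(node, term())
        return node

    def term():                     # -and binds tighter than -or
        node = factor()
        while peek() == ("op", "-and"):
            take("op")
            node = (lambda l, r: lambda u: l(u) and r(u))(node, factor())
        return node

    def factor():
        kind, value = peek()
        if kind == "lparen":
            take("lparen")
            node = expr()
            take("rparen")
            return node
        if (kind, value) == ("op", "-not"):
            take("op")
            inner = factor()
            return lambda u: not inner(u)
        attr = take("attr")[len("user."):]
        op = take("op")
        if op not in COMPARISONS:
            raise ValueError(f"{op} is not a comparison operator")
        vkind, vval = peek()
        if vkind not in ("str", "null"):
            raise ValueError(f"expected a value after {op}, got {vval!r}")
        take(vkind)
        expected = None if vkind == "null" else vval
        return lambda u: compare(u.get(attr), op, expected)

    node = expr()
    if peek() != (None, None):
        raise ValueError(f"unexpected trailing token {peek()[1]!r}")
    return node


def evaluate_membership(rule, users):
    """Return the set of UPNs the rule would place in the group."""
    predicate = compile_rule(rule)
    return {u["userPrincipalName"] for u in users if predicate(u)}


def membership_delta(rule, users_before, users_after):
    """(added, removed) after attributes change, as the directory would apply them."""
    before = evaluate_membership(rule, users_before)
    after = evaluate_membership(rule, users_after)
    return sorted(after - before), sorted(before - after)


def dynamic_group_payload(display_name, mail_nickname, rule):
    """Microsoft Graph 'POST /groups' body for a dynamic security group."""
    compile_rule(rule)              # fail here on a bad rule, not in the tenant
    return {
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "mailEnabled": False,
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": rule,
        "membershipRuleProcessingState": "On",
    }


# Constructed sample users for the demonstration (not real accounts).
USERS = [
    {"userPrincipalName": "demo@contoso.example", "jobTitle": "Accountant", "department": "Finance"},
    {"userPrincipalName": "ram@contoso.example", "jobTitle": "Finance Manager", "department": "Finance"},
    {"userPrincipalName": "sham@contoso.example", "jobTitle": "Accountant", "department": "Sales"},
]
ACCOUNTANT_RULE = '(user.jobTitle -eq "accountant")'

if __name__ == "__main__":
    print(sorted(evaluate_membership(ACCOUNTANT_RULE, USERS)))
    # demo changes job title: the next evaluation removes them from the group
    changed = [dict(u, jobTitle="Auditor") if u["userPrincipalName"] == "demo@contoso.example" else u
               for u in USERS]
    print(membership_delta(ACCOUNTANT_RULE, USERS, changed))
    print(dynamic_group_payload("Accountants", "accountants", ACCOUNTANT_RULE))
```

Running the module shows the two accountants selected by the rule, then the removal of demo once the job title changes; the payload is what you would send with an authenticated Graph client, which is deliberately left out so the example runs offline.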
Mapping roles to groups in Azure AD
To manage roles, click on the Roles and administrators tab in the Manage section of the Azure AD service page.
Here you can view the different pre-defined roles that are available to be assigned to users or mapped to groups.
Click on the role that you’d like to map to a group.
You will notice a tab titled Add assignments, but it is greyed out. This is because mapping roles to groups requires administrator access; in our case our role is that of a regular user, so the option is greyed out for us.
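Mapping a role to a group has a few preconditions beyond the licence and the administrator access mentioned above, and they are easy to miss in the portal. As an added example (not part of the original article and not Microsoft code), the Python below runs those pre-flight checks on a group record in Microsoft Graph property names and, if they pass, builds the `roleAssignments` body (`principalId`, `roleDefinitionId`, `directoryScopeId`). The group records, the licence labels, the role-definition placeholder and the list of roles treated as able to assign directory roles are assumptions of the example; the facts it checks are that role assignment to groups needs Premium P1 or P2, that the group must have been created with `isAssignableToRole` set (it cannot be changed afterwards), and that a dynamic-membership group cannot be role-assignable.

```python
# Licences on which roles can be mapped to groups (the article notes the free
# tier cannot do this). Labels are constructed for the example.
ROLE_CAPABLE_LICENCES = {"P1", "P2"}

# Directory roles this example treats as able to assign roles to groups.
# Assumption for the example; confirm against your tenant's documentation.
ROLE_ASSIGNING_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def check_role_assignment(group, licence, caller_roles):
    """Return a list of reasons the assignment would fail (empty if none)."""
    findings = []
    if licence not in ROLE_CAPABLE_LICENCES:
        findings.append("licence does not allow mapping roles to groups (Premium P1/P2 required)")
    if not ROLE_ASSIGNING_ROLES & set(caller_roles):
        findings.append("caller has no administrator role that can assign directory roles")
    if not group.get("isAssignableToRole"):
        findings.append("group was not created with isAssignableToRole=true; "
                        "this cannot be changed after creation, so a new group is needed")
    if "DynamicMembership" in group.get("groupTypes", []):
        findings.append("dynamic-membership groups cannot be role-assignable; use Assigned membership")
    return findings


def role_assignment_payload(group, role_definition_id, licence, caller_roles):
    """Graph 'POST /roleManagement/directory/roleAssignments' body, or raise."""
    problems = check_role_assignment(group, licence, caller_roles)
    if problems:
        raise PermissionError("; ".join(problems))
    return {
        "principalId": group["id"],
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",        # tenant-wide scope
    }


# Constructed group records using Graph property names (ids are placeholders).
FINANCE_ADMINS = {
    "id": "00000000-0000-0000-0000-000000000001",
    "displayName": "Finance Admins",
    "isAssignableToRole": True,
    "groupTypes": [],                   # Assigned membership
    "securityEnabled": True,
}
ACCOUNTANTS_DYNAMIC = {
    "id": "00000000-0000-0000-0000-000000000002",
    "displayName": "Accountants",
    "isAssignableToRole": False,
    "groupTypes": ["DynamicMembership"],
    "securityEnabled": True,
}
ROLE_DEFINITION_ID = "<role-definition-id>"   # placeholder, take it from the Roles page

if __name__ == "__main__":
    for group in (FINANCE_ADMINS, ACCOUNTANTS_DYNAMIC):
        problems = check_role_assignment(group, "P2", ["Privileged Role Administrator"])
        print(group["displayName"], "->", problems or "ready to assign")
    print(role_assignment_payload(FINANCE_ADMINS, ROLE_DEFINITION_ID, "P2", ["Global Administrator"]))
```

The `isAssignableToRole` check is the one worth remembering when planning groups: it must be decided at creation time, and because such a group grants its members a directory role, its membership and ownership deserve the same review as direct role assignments.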
Summary
In this article we covered what Azure AD groups are, their different types, and the different membership assignment types. We went through a demonstration in which we created a user, created a group, and then added the user as a member of the newly created group. We also noted that using dynamic group membership requires an Azure AD Premium P1 or P2 subscription, and that only users with administrator privileges can map Azure AD roles to groups.
References
We referred to Microsoft Azure's official documentation on creating and managing groups; the links are provided below.
Create Azure users and groups in Azure Active Directory
Manage users and groups in Azure Active Directory
Assign Azure AD roles to groups