Creating groups in Azure AD – Microsoft AZ-104 Exam
There are two main group types, as follows:
- Security groups: These groups serve the same function as traditional on-premises groups, which is to secure objects within a directory. In this case, it is to secure objects within Azure AD.
- Microsoft 365 groups: These groups are used to provide a group of people access to a collection of shared resources that is not just limited to Azure AD but also includes shared mailboxes, calendars, SharePoint libraries, and other Microsoft 365-related services.
Security groups are used as container units to group users or devices together. There are three main membership types for security groups:
- Assigned: This is where you manually assign users to a group.
- Dynamic user: This is where you can specify parameters to automatically group users, for example, grouping all users who have the same job title.
- Dynamic device: This is where you can specify parameters to automatically group devices, for example, grouping all devices that have the same operating system version.
To create and manage groups from the Azure AD tenant in the Azure portal, you have to perform the following steps:
- Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
- In the left-hand menu, select Azure Active Directory.
- Under the Manage blade of Azure AD in the left-hand menu, select Groups | All groups. Then, select the + New group option from the top-level menu, as follows:
Figure 1.4 – The Azure AD group creation page part 1
- Add the following values to create the new group:
  - Group type: Security
  - Group name: Azure Admins
  - Group description: Dynamic group for all Azure Admins
  - Azure AD roles can be assigned to the group: No
  - Membership type: Dynamic User
  - Owners: No owners selected
Figure 1.5 – The Azure AD group creation page part 2
- Refer to the following screenshot to add a dynamic query.
For the Dynamic Query rule, the property is jobTitle, the operator is Equals, and the value is Azure Administrator, as shown in the following screenshot:
Figure 1.6 – The Azure AD group dynamic query
- Click on Create.
Tip
Remember that when using dynamic groups, a Premium P1 license needs to be assigned to the user.
Now that we have created the group, replication takes around 5 minutes. Refresh the Azure web page, and the users will appear as members of the Azure Admins group that we just created:
Figure 1.7 – The Azure AD group’s dynamic group users added automatically based on the membership rules
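The same group can also be created and checked from a script rather than the portal. The following is an added example, not part of the original text: it uses the Microsoft Graph PowerShell SDK, assumes the Microsoft.Graph module is installed and the signed-in account may create groups, and the mail nickname AzureAdmins is a value chosen here because the Graph API requires one.

```powershell
# Added example: script equivalent of the portal steps above.
# Assumes the Microsoft.Graph PowerShell module is installed.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Same rule as in the rule builder: property jobTitle, operator Equals,
# value Azure Administrator.
$rule = '(user.jobTitle -eq "Azure Administrator")'

$params = @{
    DisplayName                   = 'Azure Admins'
    Description                   = 'Dynamic group for all Azure Admins'
    MailNickname                  = 'AzureAdmins'            # assumption: not on the page
    MailEnabled                   = $false
    SecurityEnabled               = $true                    # Group type: Security
    GroupTypes                    = @('DynamicMembership')   # Membership type: Dynamic User
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
# IsAssignableToRole is left unset, matching "No" in the portal. A group that
# can be assigned Azure AD roles must use Assigned membership, so a dynamic
# group cannot be role-assignable.
$group = New-MgGroup @params

# Membership is evaluated asynchronously (the text above gives around
# 5 minutes). After that, compare the group's members with the users
# whose jobTitle matches the rule.
$members  = @(Get-MgGroupMember -GroupId $group.Id -All)
$expected = @(Get-MgUser -Filter "jobTitle eq 'Azure Administrator'" -All)

$memberIds   = @($members.Id)
$expectedIds = @($expected.Id)

# Users who match the rule but are not (yet) members.
$missing = @($expected | Where-Object { $_.Id -notin $memberIds })
# Members whose jobTitle no longer matches and who should drop out.
$extra   = @($members  | Where-Object { $_.Id -notin $expectedIds })

'Members: {0}  Matching users: {1}' -f $members.Count, $expected.Count
$missing | Select-Object DisplayName, UserPrincipalName, JobTitle
$extra   | Select-Object Id
```

Because membership follows the jobTitle attribute, anyone able to edit that attribute effectively controls who lands in the group, so the comparison is worth re-running whenever the group is used to grant access.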
In this section, we took a look at Azure AD users and groups and created a few accounts. We also created a dynamic membership group to include users via dynamic membership rules.
We encourage students to read further using the following links, which cover Azure AD fundamentals such as adding users in Azure AD, assigning RBAC roles, creating Azure AD groups, and creating dynamic groups in Azure AD:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
- https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule
- https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
Next, we are going to look at Azure AUs, specifically where they can be used and how to create an AU.