In this video, Pete Zerger demonstrates how to create groups in Azure Active Directory to facilitate a variety of functions, including assigning resource access, enabling Office 365 collaboration, or even automating license assignment to cloud services li
- [Instructor] One of the features of Azure Active Directory user management is our ability to create groups of users. Let's start by creating a group, and then we'll talk about what we can do with it. So I've logged into the Azure Portal, I've selected my Default Directory, and I'll select Users and Groups, and now All Groups. So, depending on the services to which your organization has subscribed, you can actually create groups in a number of areas: the Azure Portal, where I'm choosing to work; Office 365 subscribers could create groups in their Office 365 Admin Portal.
We can even create groups using Azure PowerShell. So I'll click the New Group option here, and we'll create a very simple group. And I'm going to create a group for IT. For Membership Type, I'll select Assigned: this is another way of saying Static Group Membership. And you'll notice that there is a Dynamic option or two there, as well. We'll stick with Static for the moment. So I'll pick the user or users I'd like to add, if I wish to enable Office features, Office 365 groups, enable some default collaboration functionality, they're really targeted toward enabling collaboration amongst a group of users.
And I'll select Create, and it's as simple as that. So what else can I do? In addition, a resource owner can also assign access to a resource, to an Azure Active Directory group owned by someone else. This assignment grants the members of that group access to the resource, and then the owner of the group manages membership in the group. So, effectively, the resource owner delegates, to the owner of the group, permission to assign users to their resource. So let's talk about how we manage group memberships dynamically.
I've created a couple of examples for you here of dynamically populated groups. We'll begin with the Sales Group here, and I've clicked on that group. And in the Properties here, I'll click on Dynamic Membership Rules. So I chose Dynamic User, and you'll notice here, that I opted for the Simple Rule Option. Well I get a list of all of the Properties of the user object, I get a list of fairly self-explanatory operators. And, in this case, I decided that department containing the word Sales, was a suitable formula for a dynamically populated group of folks in the Sales Department.
Now notice when I click Advanced Rule, I get a free text area where I can type a formula manually. So just a tip here, we can actually use the Simple Rule Option to create a number of formulas, and then on the Advanced screen here, make a copy of that so we can then construct an Advanced group population formula, without typing that formula from scratch. So for example, I'd like to make a group, not just of Sales, and not just of my Managers, which I have here in another group.
My Managers have a dynamic formula that looks at the job title containing the word Manager. So what if I'd like to put those together? Well, on each of these groups, I can simply copy that text, put that together in Notepad, or the text editor of my choice, and I can build a more complex formula quite easily, connecting those formulas with simple operators. So I'll look at the group I've pre-created for us here called Sales Managers, and my dynamic membership here is Advanced, and I simply, using that little trick with the Simple Rule, Advanced Rule, buttons, pasted my user department contains Sales, and my job title contains Manager, and you'll see that I've connected them with the And operator, so just a simple dash And.
You can also, incidentally, create formulas with the dash Or operator, if you needed to populate on an either / or basis. So in that case, I've taken a group of Sales Department workers at 42, and Managers at another quite high number, around 86, and combining those formulas, now found the intersect there of Sales Managers, at about 10 people. So these complex rules require us to write a formula, but with that little tip, you can minimize your writing.
And if I click on the Licensing Property, I can leverage the Group Licensing feature of Azure Active Directory, which will allow me to assign Licenses dynamically to the member of a group. So if we connect this with our earlier work, developing a synchronized, or federated identity model, users synchronized into Azure AD, using Azure AD Connect, can be dynamically populated in a group, where they are automatically assigned the Licensing that they need, minimizing our administrative effort.
So as you can see, Azure Active Directory groups are multi-functional, and very flexible, to minimize our administrative effort.
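The combined Sales Managers rule described in the transcript, created from PowerShell and then reviewed member by member. This is an added example, not code from the course. It assumes the Microsoft Graph PowerShell module (`Microsoft.Graph`) and a tenant licensed for dynamic groups; the mail nickname is a constructed value.

```powershell
# Added example (not from the course). Assumes the Microsoft.Graph module is installed
# and the signed-in account may create groups and read user profiles.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Advanced rule from the walkthrough: department contains "Sales" AND job title
# contains "Manager". -contains on a string property is a substring match.
$rule = '(user.department -contains "Sales") -and (user.jobTitle -contains "Manager")'

$groupParams = @{
    DisplayName                   = 'Sales Managers'
    Description                   = 'Dynamic: department contains Sales AND job title contains Manager'
    MailEnabled                   = $false
    MailNickname                  = 'salesmanagers'          # constructed value
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')   # dynamic instead of Assigned
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @groupParams

# Rule evaluation is asynchronous, so run this review once processing has finished.
# Because the rule is a substring match, list each member with the attributes that
# put them in the group and confirm nobody matched unintentionally
# (for example a department named "Presales") before granting access or licenses.
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    Get-MgUser -UserId $_.Id -Property displayName, userPrincipalName, department, jobTitle
} | Sort-Object Department, JobTitle |
    Select-Object DisplayName, UserPrincipalName, Department, JobTitle |
    Format-Table -AutoSize
```

Anyone who can edit a user's department or job title can change membership of this group, so review who holds write access to those attributes, including the on-premises source when users are synchronized with Azure AD Connect.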
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups