Microsoft Entra Blog
Using #AzureAD Dynamic Groups with SharePoint Online

Alex_Simons
Sep 07, 2018
First published on CloudBlogs on May, 26 2016
Howdy folks,

Today we're trying something new - a quick "how-to" post. Rob De Jong is the PM who owns our self-service group and dynamic group features. Here he's going to walk you through using Dynamic Groups with SharePoint Online. I hope you'll find this useful. Let us know what you think!

Best Regards,
Alex Simons (Twitter: Alex_A_Simons)
Director of Program Management
Microsoft Identity Division

------------

Hello, Rob De Jong here.

Today I want to tell you about a very powerful feature in Azure Active Directory: the ability to manage access to SharePoint Online through a dynamic group. Often, directory administrators need to provide access based on a user's department, location or job title, or maybe some other attribute or combination of attributes. Usually this information is available, perhaps in an HR system or in a local directory. If these attributes are synced to Azure AD, then it is easy to use them in a dynamic group to manage access. This is sometimes also referred to as "Attribute Based Access Control", or ABAC.

In this video I'm showing how to configure a group in your directory to provide dynamic, attribute-based access to a SharePoint site. You could use the same approach to manage SaaS applications, assign licenses or even manage access to on-premises resources.

Note that, since the dynamic group feature supports standard user attributes as well as extension attributes and custom attributes, you can sync virtually any attribute in your on-premises AD to Azure AD and use it to drive a dynamic group that provides access to resources in your directory.

Here you can read more about dynamic groups in Azure AD.

Please note that dynamic groups require an Azure AD Premium license assigned to all members of the dynamic group.

Best Regards,
Rob
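An added example, not from the original post or the video it mentions: one way to create such an attribute-driven group and then check its membership against the attribute that drives it, using the Microsoft Graph PowerShell SDK. The department value `Sales`, the group name, and the extra scoping to enabled, non-guest accounts are assumptions made for this example.

```powershell
# Added example (not the post's own code). Assumes the Microsoft.Graph module is
# installed and the signed-in account may create groups and read users.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$department = 'Sales'   # constructed sample value

# Membership, and therefore SharePoint access, is decided only by these
# attributes, so the rule is scoped to enabled member accounts in one department.
$rule = '(user.department -eq "{0}") and (user.accountEnabled -eq true) and (user.userType -eq "Member")' -f $department

$group = New-MgGroup -DisplayName "SPO-$department-Readers" `
    -MailEnabled:$false `
    -MailNickname "spo-$($department.ToLower())-readers" `
    -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Rule evaluation is asynchronous: run the checks below once processing is done.
$members = @(Get-MgGroupMember -GroupId $group.Id -All)

# Independent view of who should match, read straight from the user attributes.
$filter   = "department eq '$department' and accountEnabled eq true and userType eq 'Member'"
$expected = @(Get-MgUser -Filter $filter -All -ConsistencyLevel eventual -CountVariable total)

# Users whose attributes match but who are not (yet) in the group.
$missing    = $expected | Where-Object { $_.Id -notin $members.Id }
# Group members whose attributes no longer match the rule.
$unexpected = $members  | Where-Object { $_.Id -notin $expected.Id }

[pscustomobject]@{
    Group      = $group.DisplayName
    Rule       = $rule
    Members    = $members.Count
    Expected   = $expected.Count
    Missing    = @($missing).Count
    Unexpected = @($unexpected).Count
}

# List the accounts to investigate (evaluation lag, or a wrong attribute value).
$missing    | Select-Object Id, UserPrincipalName
$unexpected | Select-Object Id
```

Because the attribute value is the access decision, the same comparison is worth re-running after changes to the HR feed or sync rules that populate it.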

3 Comments

  • RSM_Ryanph

    Hey Alex/Rob, any updates on the video listed above? I'm about to set up a bunch of DDLs based on our PeopleSoft's AD attribute/value stamp and picking up this setting in the AAD Attribute: PhysicalDeliveryOfficeName. Since this AD attribute and value are stamped via the HR tool and NOT manually typed in, we don't have to worry about the Filter needing lots of different -eq "Dallas, TX" OR -eq "Dallas, TX, USA", etc.

    With this done, we will start to replace our older AD SGs with these DDLs and replace permissions, enable AAD Connect Group Write-Back, to keep our directories in sync!

    Anyway, if you have a link to that video, would love to take a look, make sure I'm doing all the correct tasks 🙂

    .....Ryan

  • SrikantD

    Hello Alex - The link to the video is missing. Is this feature still available?