Forum Discussion
PeterJ_Inobits (Iron Contributor)
May 15, 2020
Azure AD Dynamic Security Groups
Is it possible to create a dynamic security group based on whether or not a user has completed the MFA registration process, or has fewer than two methods defined, as per the Activities and Insights report?
I've got a bit of a unique situation here and I was hoping to use dynamic groups as a way out of it.
- Joe Stocker (Bronze Contributor)
Hi Peter,
No, dynamic security groups have a limited number of properties that can be used to construct a membership rule. These are defined here:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#supported-properties
As a work-around, you could create a scheduled task that runs hourly that populates group membership based on the MFA properties in Azure AD. Azure AD stores the number of authentication methods in:
StrongAuthenticationMethods
So if StrongAuthenticationMethods.Count -eq 0 then the user has not completed registration.
And if StrongAuthenticationMethods.Count -lt 2 then they have less than two methods defined.
For example:
Import-Module MSOnline
Connect-MsolService
# -SearchString can match more than one account; use -UserPrincipalName for an exact match
$user = Get-MsolUser -SearchString "John Doe"
# MethodType lists each registered method (the count is what the membership logic keys on)
$user.StrongAuthenticationMethods | Select-Object MethodType
PhoneAppOTP
PhoneAppNotification
Then you just need some more code that populates a group based on this.
-Joe
- Dusty (Copper Contributor)
I could also use such a feature. It doesn't exist yet, but I submitted feedback requesting it. Perhaps if enough people do, Microsoft will implement it. (I'm not holding my breath, though.)
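The scheduled-task workaround Joe describes above, written out as an added example (this is not code from the original thread). It uses the same MSOnline cmdlets his reply refers to (Microsoft has since deprecated that module in favour of Microsoft Graph PowerShell, but the reconciliation logic carries over unchanged). The script assumes a static security group already exists and is identified by the hypothetical `$GroupObjectId` parameter; the selection and delta functions are kept separate from the directory calls so they can be exercised against any list of user objects.

```powershell
# Added example: keep a static security group in sync with the set of enabled
# member users whose registered MFA method count is below a threshold
# (0 = never completed registration, 1 = fewer than two methods).
# Assumption (hypothetical): the target group already exists; pass its ObjectId.
param(
    [Parameter(Mandatory = $true)] [Guid] $GroupObjectId,
    [int] $MinMethods = 2,   # users with fewer registered methods land in the group
    [switch] $DryRun         # report the changes without writing to the directory
)

Import-Module MSOnline -ErrorAction Stop
# Interactive sign-in here. A scheduled task would supply -Credential, which only
# works for an account that is itself exempt from MFA prompts, so protect that identity.
Connect-MsolService

# Selection logic: ObjectIds of member users below the threshold. A null or empty
# StrongAuthenticationMethods collection counts as 0 (registration not completed).
function Get-UsersBelowMfaThreshold {
    param([object[]] $Users, [int] $Threshold)
    foreach ($u in $Users) {
        if ($u.UserType -ne 'Member') { continue }   # guests register elsewhere; skip them
        $count = @($u.StrongAuthenticationMethods).Count
        if ($count -lt $Threshold) { $u.ObjectId.ToString() }
    }
}

# Reconciliation: what to add and what to remove, given desired vs. current members.
function Get-MembershipDelta {
    param([string[]] $Desired = @(), [string[]] $Current = @())
    $d = [System.Collections.Generic.HashSet[string]]::new([string[]]$Desired)
    $c = [System.Collections.Generic.HashSet[string]]::new([string[]]$Current)
    [pscustomobject]@{
        ToAdd    = @($Desired | Where-Object { -not $c.Contains($_) })
        ToRemove = @($Current | Where-Object { -not $d.Contains($_) })
    }
}

$allUsers = Get-MsolUser -All -EnabledFilter EnabledOnly
$desired  = @(Get-UsersBelowMfaThreshold -Users $allUsers -Threshold $MinMethods)

# Only direct user members are reconciled; nested groups in the target group are left alone.
$current = @(Get-MsolGroupMember -GroupObjectId $GroupObjectId -All |
             Where-Object { $_.GroupMemberType -eq 'User' } |
             ForEach-Object { $_.ObjectId.ToString() })

$delta = Get-MembershipDelta -Desired $desired -Current $current

foreach ($id in $delta.ToAdd) {
    Write-Host "Adding $id (fewer than $MinMethods MFA methods)"
    if (-not $DryRun) {
        Add-MsolGroupMember -GroupObjectId $GroupObjectId -GroupMemberType User -GroupMemberObjectId $id
    }
}
foreach ($id in $delta.ToRemove) {
    Write-Host "Removing $id (now has $MinMethods or more MFA methods)"
    if (-not $DryRun) {
        Remove-MsolGroupMember -GroupObjectId $GroupObjectId -GroupMemberType User -GroupMemberObjectId $id
    }
}
```

Run it once with `-DryRun` to see the first add/remove set before letting the scheduled task write to the group. Because the group is reconciled rather than append-only, a user who later registers a second method drops out of it automatically on the next run, which is the behaviour a dynamic group would have given; the trade-off is that membership lags the directory by up to one scheduling interval, so anything that keys off the group (a Conditional Access exclusion, for instance) should tolerate that delay.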
- PeterJ_Inobits (Iron Contributor)
It would really be useful. The other feature that would be cool is the ability to create dynamic user security groups based on the on-premises DistinguishedName attribute of a user when they are synced to AzureAD. The weird thing is you can do this based on the onPremisesSecurityIdentifier attribute but not the DN... Well, you couldn't do it the last time I checked. 😀
- HardWorkingITguy (Copper Contributor)
If you are hybrid: add a custom sync rule on your AADConnect that syncs the DN to customattributeX, then base the dynamic rule filter on customattributeX.