Forum Discussion

PeterJ_Inobits
Iron Contributor
May 15, 2020

Azure AD Dynamic Security Groups

Is it possible to create a dynamic security group based on whether or not a user has completed the MFA registration process, or has fewer than two methods defined, as per the Activities and Insights report?

I've got a bit of a unique situation here and I was hoping to use dynamic groups as a way out of the situation.

  • Joe Stocker
    Bronze Contributor
    Hi Peter,

    No, dynamic security groups have a limited number of properties that can be used to construct a membership rule. These are defined here:
    https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#supported-properties

    As a work-around, you could create a scheduled task that runs hourly that populates group membership based on the MFA properties in Azure AD. Azure AD stores the number of authentication methods in:
    StrongAuthenticationMethods

    So if StrongAuthenticationMethods.Count -eq 0 then the user has not completed registration.
    And if StrongAuthenticationMethods.Count -lt 2 then they have less than two methods defined.

    For example:
    Connect-MsolService
    $user = Get-MsolUser -SearchString "John Doe"
    $user.StrongAuthenticationMethods | Select-Object MethodType
    # Output for a user with two registered methods:
    # PhoneAppOTP
    # PhoneAppNotification

    Then you just need some more code that populates a group based on this.
    -Joe
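The scheduled-task part that Joe leaves as "some more code", written out as an added example (not Joe's code or a Microsoft sample). It assumes the MSOnline module, an already-created security group whose name is a placeholder, and a threshold of two methods; users who later finish registration are removed again so the group only ever contains the people who still need attention.

```powershell
# Added example: hourly task body that keeps an Azure AD security group in sync
# with users who have fewer than two MFA methods registered (MSOnline module).
Import-Module MSOnline
Connect-MsolService   # interactive here; an unattended task would use a stored credential

$GroupName = 'MFA-Registration-Incomplete'   # placeholder: create this group beforehand
$Threshold = 2                                # users with fewer methods than this are members

$group = Get-MsolGroup -SearchString $GroupName | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found" }

# Desired membership: enabled member (non-guest) users with fewer than $Threshold methods.
# Count -eq 0 is Joe's "never completed registration" case; -lt 2 covers both cases.
$desired = @{}
Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { $_.UserType -eq 'Member' -and
                   @($_.StrongAuthenticationMethods).Count -lt $Threshold } |
    ForEach-Object { $desired[$_.ObjectId.Guid] = $_.UserPrincipalName }

# Current direct user members of the group (nested groups are ignored).
$current = @{}
Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' } |
    ForEach-Object { $current[$_.ObjectId.Guid] = $_.EmailAddress }

# Add users who now match the rule.
foreach ($id in $desired.Keys) {
    if (-not $current.ContainsKey($id)) {
        Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $id
        Write-Output "Added   $($desired[$id])"
    }
}
# Remove users who have since registered enough methods, so the group shrinks as people comply.
foreach ($id in $current.Keys) {
    if (-not $desired.ContainsKey($id)) {
        Remove-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $id
        Write-Output "Removed $($current[$id])"
    }
}
```

The resulting group can then be targeted by a Conditional Access policy or a Conditional Access registration campaign; because membership is recomputed each run, a user dropping back to one method (for example after replacing a phone) re-enters the group automatically.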
  • Dusty
    Copper Contributor
    I could also use such a feature. It doesn't exist yet, but I submitted feedback to request it. Perhaps if enough people do, Microsoft will implement it. (I'm not holding my breath, though.)
    • PeterJ_Inobits
      Iron Contributor
      It would really be useful. The other feature that would be cool is the ability to create dynamic user security groups based on the on-premises DistinguishedName attribute of a user when they are synced to Azure AD. The weird thing is you can do this based on the onPremisesSecurityIdentifier attribute but not the DN... Well, you couldn't do it the last time I checked. 😀
      • HardWorkingITguy
        Copper Contributor
        If you are hybrid: create a custom sync rule in your AAD Connect that syncs the DN to customattributeX, then base the dynamic rule filter on customattributeX.
