Dynamic Security group in Azure AD using attribute - preferreddatalocation

Question

I have a need to configure group-based licensing for multi-geo license assignment and I would like to create a dynamic security group in Azure using the attribute preferreddatalocation but this is not a supported attribute to use in Azure AD.

any other option to configure group-based licensing for multi-geo based on the preferreddatalocation? we only apply multi-geo to specific country users and not all.

vasilmichev · Answer

Use "country" or "usagelocation"? Or custom attributes/extensions: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#extension-properties-and-custom-extension-properties

oliwer_sundgren · Answer

Hey there!Any reason not to use the "usagelocation" attribute for this scenario?

ketzpatel · Answer

oliwer_sundgren&nbsp;&nbsp;unfortunately we can not use usage location. Within that country only users and executives with highly sensitive data has multi-geo licenses assigned to keep their mailboxes to FR data center.

oliwer_sundgren · Answer

I understand!Then I would recommend using an extension attribute to tag these specific users with, and then use that attribute in your dynamic groups rule. That's the simplest and most bullet proof solution I can think of 🙂Let me know if that helps or if you have further questions!

ketzpatel · Answer

Thanks.Yes we have been using Ext attribute 15 to populate the data location in AD but we have need for this attribute to use somewhere and we would like to replace this in AD with MSDS-Preferreddatalocation which syncs to Azure AD preferred data location. we want to use this attribute to create dynamic DL for group-based multi-geo license assignment so above recommedation does not help us much.

Forum Discussion

Dynamic Security group in Azure AD using attribute - preferreddatalocation

5 Replies

Resources