Forum Discussion
PeterJ_Inobits
May 15, 2020 | Iron Contributor
Azure AD Dynamic Security Groups
Is it possible to create a dynamic security group based on whether or not a user has completed the MFA registration process, or has fewer than two methods defined as per the Activities and Insights report? ...
Joe Stocker
May 16, 2020 | Bronze Contributor
Hi Peter,
No, dynamic security groups have a limited number of properties that can be used to construct a membership rule. These are defined here:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#supported-properties
As a work-around, you could create a scheduled task that runs hourly that populates group membership based on the MFA properties in Azure AD. Azure AD stores the number of authentication methods in:
StrongAuthenticationMethods
So if StrongAuthenticationMethods.Count -eq 0 then the user has not completed registration.
And if StrongAuthenticationMethods.Count -lt 2 then they have less than two methods defined.
For example:
connect-msolservice
$user = get-msoluser -SearchString "John Doe"
$user.StrongAuthenticationMethods | select methodType
PhoneAppOTP
PhoneAppNotification
Then you just need some more code that populates a group based on this.
-Joe
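One way to build the hourly sync Joe outlines, as an added example rather than code from the original post: it classifies users by StrongAuthenticationMethods count with the MSOnline module and reconciles two groups as set differences, so users who later register methods are also removed. The two group object ids are placeholders you would replace with your own, and an interactive Connect-MsolService is assumed (a scheduled task would supply a credential instead).

```powershell
# Added example (not from the original post): one pass of the hourly sync.
# Assumes the MSOnline module; group ids below are placeholders, not real ids.
Import-Module MSOnline
Connect-MsolService

$NotRegisteredGroupId = '<object id of "MFA - Not Registered" group>'        # placeholder
$SingleMethodGroupId  = '<object id of "MFA - Fewer Than Two Methods" group>' # placeholder

# Classify enabled member users by the number of registered strong auth methods.
$users = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Member' -and -not $_.BlockCredential }
$wantNotRegistered = @{}   # ObjectId -> UPN for users with 0 methods
$wantSingleMethod  = @{}   # ObjectId -> UPN for users with exactly 1 method
foreach ($u in $users) {
    $count = @($u.StrongAuthenticationMethods).Count   # @() guards against $null
    if ($count -eq 0)     { $wantNotRegistered[[string]$u.ObjectId] = $u.UserPrincipalName }
    elseif ($count -lt 2) { $wantSingleMethod[[string]$u.ObjectId]  = $u.UserPrincipalName }
}

function Sync-GroupMembership {
    param([string]$GroupId, [hashtable]$Wanted)
    # Snapshot current user members so adds and removes are plain set differences.
    $current = @{}
    Get-MsolGroupMember -GroupObjectId $GroupId -All |
        Where-Object { $_.GroupMemberType -eq 'User' } |
        ForEach-Object { $current[[string]$_.ObjectId] = $_.EmailAddress }
    foreach ($id in $Wanted.Keys) {
        if (-not $current.ContainsKey($id)) {
            Add-MsolGroupMember -GroupObjectId $GroupId -GroupMemberType User -GroupMemberObjectId $id
            Write-Host "Added   $($Wanted[$id])"
        }
    }
    foreach ($id in $current.Keys) {
        if (-not $Wanted.ContainsKey($id)) {
            Remove-MsolGroupMember -GroupObjectId $GroupId -GroupMemberType User -GroupMemberObjectId $id
            Write-Host "Removed $($current[$id])"
        }
    }
}

Sync-GroupMembership -GroupId $NotRegisteredGroupId -Wanted $wantNotRegistered
Sync-GroupMembership -GroupId $SingleMethodGroupId  -Wanted $wantSingleMethod
```

Because membership is reconciled on every run, the groups only ever reflect the last pass, which is what you want when they feed a Conditional Access policy.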