Forum Discussion
Automating User Tags
When we create a custom user tag we can select a group and have all the users in the group tagged. However, if a user is removed from or added to that group at a later stage, the tag is not removed/added.
Is there a way to automate this?
The only thing I found is that this was previously on the roadmap but seems to have been removed?
https://m365admin.handsontek.net/microsoft-defender-for-office-365-tagging-support-for-groups/
https://learn.microsoft.com/en-us/defender-office-365/user-tags-about
If you assign a group to a user tag, members of the group at the time of tag creation are assigned the tag. Users later added to the group aren't automatically assigned the user tag.
- IemSaifiBrass, Contributor
Hi JimmyWork,
I hope this works for you.
Solution Overview
- Detect Group Membership Changes
  - Use a scheduled task or event-based mechanism to monitor changes in group membership.
  - Query the group regularly to compare its current members with the previously logged state.
- Update Tags Based on Membership
  - Automatically add or remove tags for users based on the detected membership changes.
- Tools/Approaches
  - PowerShell: For Microsoft environments like Azure AD or on-premises AD.
  - API Automation: If your platform supports REST or Graph API, you can script updates.
  - Third-Party Tools: Consider automation platforms like Microsoft Power Automate, Logic Apps, or custom scripts in Python or similar.
PowerShell Example: Azure AD Dynamic Tagging
If you're working in an Azure AD or Microsoft 365 environment:
# Install the AzureAD module if it is not already installed
Install-Module -Name AzureAD -Force

# Connect to Azure AD
Connect-AzureAD

# Variables
$GroupId      = "<Your Group Object ID>" # Replace with the Group Object ID
$TagAttribute = "extensionAttribute1"    # Replace with your tagging attribute
$TagValue     = "YourTag"                # Replace with the tag value

# Get current group members as UPNs (-All so groups larger than one page are read fully)
$groupMembers = Get-AzureADGroupMember -ObjectId $GroupId -All $true |
    Select-Object -ExpandProperty UserPrincipalName

# Set-AzureADUser -ExtensionProperty expects a Dictionary[string,string], not a hashtable
function New-ExtensionDictionary([string] $Name, [string] $Value) {
    $dict = New-Object 'System.Collections.Generic.Dictionary[string,string]'
    $dict.Add($Name, $Value)
    return $dict
}

# Iterate through the users to add the tag where it is missing
foreach ($user in $groupMembers) {
    # Extension attributes are exposed in the ExtensionProperty dictionary, not as direct properties
    $userDetails = Get-AzureADUser -ObjectId $user
    if ($userDetails.ExtensionProperty[$TagAttribute] -ne $TagValue) {
        Set-AzureADUser -ObjectId $user -ExtensionProperty (New-ExtensionDictionary $TagAttribute $TagValue)
        Write-Host "Tag added for $user"
    }
}

# Remove the tag from users no longer in the group.
# Get-AzureADUser -Filter cannot query extension attributes, so filter client-side.
$allTaggedUsers = Get-AzureADUser -All $true |
    Where-Object { $_.ExtensionProperty[$TagAttribute] -eq $TagValue } |
    Select-Object -ExpandProperty UserPrincipalName
$usersToRemoveTag = $allTaggedUsers | Where-Object { $_ -notin $groupMembers }

foreach ($user in $usersToRemoveTag) {
    Set-AzureADUser -ObjectId $user -ExtensionProperty (New-ExtensionDictionary $TagAttribute $null)
    Write-Host "Tag removed for $user"
}

Can you try this? I hope this will work.
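Added example, not code from the original post or from Microsoft: the "compare current members with the previously logged state" step of the solution overview above, written as an offline diff against a JSON snapshot file. The snapshot path and the sample UPNs are constructed; the live membership query (for example Get-MgGroupMember) is represented by a stand-in list.

```powershell
# Added example (not from the original post). Diffs the group's current members
# against the UPN list recorded by the previous run, so each run only touches the
# users who joined or left. $CurrentMembers is constructed here; in production it
# would come from a live query such as Get-MgGroupMember.

function Get-MembershipDelta {
    param(
        [Parameter(Mandatory)] [string[]] $CurrentMembers, # UPNs in the group now
        [Parameter(Mandatory)] [string]   $SnapshotPath    # JSON array of UPNs from last run
    )
    $previous = @()
    if (Test-Path -Path $SnapshotPath) {
        $previous = @(Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json)
    }
    # UPNs are not case-sensitive, so compare with an ordinal-ignore-case set;
    # a plain -notin would report Alice@ vs alice@ as a change. HashSets also
    # behave correctly when either list is empty (first run, emptied group).
    $cmp = [StringComparer]::OrdinalIgnoreCase
    $prevSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$previous, $cmp)
    $currSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$CurrentMembers, $cmp)
    [pscustomobject]@{
        ToTag   = @($CurrentMembers | Where-Object { -not $prevSet.Contains($_) }) # joined since last run
        ToUntag = @($previous       | Where-Object { -not $currSet.Contains($_) }) # left since last run
    }
}

function Save-MembershipSnapshot {
    param([string[]] $Members, [string] $SnapshotPath)
    # -InputObject keeps a single member as a JSON array instead of a bare string
    ConvertTo-Json -InputObject @($Members) | Set-Content -Path $SnapshotPath
}

# Constructed sample run: last run saw alice and bob; since then bob left and carol joined.
$snapshot = Join-Path -Path ([IO.Path]::GetTempPath()) -ChildPath 'vip-group-members.json'
Save-MembershipSnapshot -Members @('alice@contoso.example', 'bob@contoso.example') -SnapshotPath $snapshot
$current = @('Alice@contoso.example', 'carol@contoso.example')   # stand-in for the live query
$delta = Get-MembershipDelta -CurrentMembers $current -SnapshotPath $snapshot
Write-Host "Tag these:   $($delta.ToTag -join ', ')"
Write-Host "Untag these: $($delta.ToUntag -join ', ')"
# Record the new state only after the tag changes have been applied successfully;
# writing it first would drop any user whose update failed from the next run's delta.
Save-MembershipSnapshot -Members $current -SnapshotPath $snapshot
```

Because the snapshot is the only memory between runs, keep it somewhere the scheduled task can write but ordinary users cannot; an attacker who can edit it can make the next run untag anyone.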