Azure AD Dynamic Security Groups

Is it possible to create a dynamic security group based on whether or not a user has completed the MFA registration process or has less than two methods defined as per the Activities and Insights report?


I've got a bit of a unique situation here and I was hoping to use dynamic groups as a way out of the situation.
1 Reply
Hi Peter,

No, dynamic security groups have a limited number of properties that can be used to construct a membership rule. These are defined here:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#supported-properties

As a work-around, you could create a scheduled task that runs hourly and populates group membership based on the MFA properties in Azure AD. Azure AD stores the number of authentication methods in:
StrongAuthenticationMethods

So if StrongAuthenticationMethods.Count -eq 0 then the user has not completed registration.
And if StrongAuthenticationMethods.Count -lt 2 then they have less than two methods defined.

For example:
Connect-MsolService
$user = Get-MsolUser -SearchString "John Doe"
$user.StrongAuthenticationMethods | Select-Object MethodType
# Output for this user (two methods registered):
# PhoneAppOTP
# PhoneAppNotification

Then you just need some more code that populates a group based on this.
-Joe
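The "some more code that populates a group" part of the reply above, written out as an added example (this is not Joe's code or anything from the original thread). It assumes the MSOnline module is installed, the account running it can read users and modify the group, and that $GroupObjectId refers to an existing, manually managed (non-dynamic) security group created for this purpose. It both adds under-registered users and removes users who have since registered enough methods, so the group tracks the current state rather than only growing.

```powershell
# Added example, not part of the original post. Keeps an Azure AD security group
# in sync with users who have fewer than $MinimumMethods registered MFA methods,
# based on the StrongAuthenticationMethods property described in the reply.
# Assumptions: MSOnline module present, sufficient rights on users and the group,
# and $GroupObjectId is an existing non-dynamic security group (hypothetical value).
param(
    [Parameter(Mandatory)] [string] $GroupObjectId,
    [int] $MinimumMethods = 2,
    [switch] $WhatIf
)

# For an unattended hourly run, supply -Credential from a secret store rather than
# embedding a password in the script.
Connect-MsolService

# Users with fewer than $MinimumMethods methods. Wrapping in @() makes .Count return 0
# for users who have never registered (StrongAuthenticationMethods is empty), which is
# the "has not completed registration" case in the reply.
$target = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { @($_.StrongAuthenticationMethods).Count -lt $MinimumMethods }

$targetIds = @{}
foreach ($u in $target) { $targetIds[$u.ObjectId.ToString()] = $u.UserPrincipalName }

# Current user members of the group, keyed by object ID for cheap set comparison.
$current = @{}
Get-MsolGroupMember -GroupObjectId $GroupObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' } |
    ForEach-Object { $current[$_.ObjectId.ToString()] = $_.EmailAddress }

# Add users who are under-registered but not yet in the group.
foreach ($id in $targetIds.Keys) {
    if (-not $current.ContainsKey($id)) {
        Write-Output "ADD    $($targetIds[$id])"
        if (-not $WhatIf) {
            Add-MsolGroupMember -GroupObjectId $GroupObjectId -GroupMemberType User -GroupMemberObjectId $id
        }
    }
}

# Remove users who now meet the threshold, so membership reflects the latest state.
foreach ($id in $current.Keys) {
    if (-not $targetIds.ContainsKey($id)) {
        Write-Output "REMOVE $($current[$id])"
        if (-not $WhatIf) {
            Remove-MsolGroupMember -GroupObjectId $GroupObjectId -GroupMemberType User -GroupMemberObjectId $id
        }
    }
}
```

Run it once with -WhatIf to review the ADD/REMOVE list before letting the scheduled task make changes. Two practitioner caveats: use a group like this only to target users for a registration campaign or a stricter Conditional Access policy, never as an exclusion from MFA, since an attacker who controls an account with no methods registered would otherwise be rewarded with weaker controls; and note that Microsoft has deprecated the MSOnline module in favour of Microsoft Graph PowerShell, where the equivalent data comes from Get-MgUserAuthenticationMethod, so the same logic should be ported there for new deployments.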