Mar 02 2018
- last edited on
Jul 24 2020
Hi, Do anyone know what kind of group(s) are valid here. Synced Universal/Global Security Group seems to work but how about subgroups or Azure Dynamic Secure group?
Documentation of SSPR said "Only members of a specific Azure AD group that you choose can use the SSPR functionality"
Mar 02 2018 12:31 AM - edited Mar 02 2018 12:53 AM
Any Group in Azure AD. This also applies to Dynamic Groups, because the dynamic property applies to the membership type, not the Group itself.
When you go to Azure > Password Reset you see three options: None, Selected, and All. With All you enable SSPR for all users, but with Selected you can select specific groups from your AAD directory.
Mar 29 2019 05:23 AM
We took the approach of using a dynamic security group, with the members populated based on the fact a user had a EMS licence assigned (licence requirement for SSPR with AD writeback)
Mar 29 2019 06:48 AM
For some reason I'm not able to reply to the private message I got asking how we did this so will post here :
Sure no worries. We use a dynamic security cloud only group. And then configured the advanced rule with the below. Once it was populating correctly we just assigned that user group permissions to do SSPR which would write back to our local AD. When we designed it this way it means we don't have to keep ontop of populating the security group who can do SSPR, as soon as one of our users are assigned the EMS licence, they become a member of the group and have permissions for SSPR / Writeback :)
This was the code for the advanced rule scope:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")
Hope this helps.