SOLVED

Dynamic Office 365 groups

Copper Contributor

Any chance for dynamic Office 365 groups? 

 

Let's say, a new employee is hired for an organization. This person should be added automatically to this organization's Office 365 group to enable her/him to join the organization's team work, calendars, etc.

11 Replies
best response confirmed by VI_Migration (Silver Contributor)
Solution

It is available with Azure AD premium subscription. 

@SanthoshB1 is correct, you need AAD Premium to get this working out of the box.

 

However, if you are a bit into Powershell scripting then you should be able to write a script that can read a users security group profile (retrieved from AD using AD Connect) and add members to unified groups using the Add-UnifiedGroupLinks cmdlet to add members to a unifiedgroup based on a security profile.

 

Thanks for the link to the documentation.  If we don't have the premium Azure AD, and we convert Dynamic distribution lists that were set up in Exchange to "Groups" would the membership in that group then have to be maintained by the Group owner?

I am creating some documentation for our users and I noticed that using the People directory shows Dynamic Distribution lists, but doesn't show the membership.  I was thinking of converting to Groups, but will have to work out the maintenance of membership.

correct in that case the owner will have to manage the members. I highly recommend in that case to have multiple owners.

Would love to see dynamic Office 365 Group functionality without AAD Premium licenses! A dynamic group is great for areas such as when adding a new student to their respective graduating year "group". Or all students to a "All Students" group, new employee to an "All Employees" group, etc. Dynamic Exchange groups make this easy.

An as a side note, being able to "nest" the new Office 365 groups would make management of these groups much easier as well. An example is custodians, kitchen, office staff, all members of "Employees - Other", "Teachers - Middle School", "Teachers - Grade School", "Teachers - High School" groups all members of "Teachers", and Teachers and "Employees - Other" groups both members of an "All Employees" group. Works well with nested distribution groups or nested security groups, but I have to manage many more group members with the new Groups. A step back in manageability. 

I am not a great coder or scripter but I was able to come up with the following solution.

 

I created a powershell script that iterates through the AD structure automatically adding users to the Office 365 group based off of job titles.  I have this scheduled in task manager on our DC that hosts the AAD Connect software to run once a day adding and removing users from the Office 365 Group.  The criteria can be changed to look at any field in the AD structure.

 

#Sets up the powershell environment retrieving an encrypted password from a text file decrypting it and storing the password in the $O365credential variable

$pwdloc=Join-Path (Split-Path $profile) creds.txt
$O365password = gc $pwdloc
$o365password = ConvertTo-SecureString $O365password -Force
import-module msonline
$O365username = '<office 365 username>'
$O365credential = New-Object System.Management.Automation.PSCredential -ArgumentList $O365username,$O365password
$sessionProxy = New-PSSessionOption -ProxyAccessType IEConfig -ea stop
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $O365credential -Authentication Basic -AllowRedirection -ea stop
Import-PSSession $Session -AllowClobber -DisableNameChecking -ea stop
Connect-MsolService -Credential $O365credential
Import-Module ActiveDirectory


# Check Users for keywords in title and add or remove users from the Office 365 Group

#Sets email address of all users who meet the criteria

$Users = (get-aduser -SearchBase "AD structure search base" -filter {(title -like "*Sales*")} -Properties sAMAccountName,Title,mail | select-object mail).mail

#Grabs members of the Office 365 Group
$UsersUnifiedGroup = (get-unifiedgrouplinks -identity <Office 365 Group> -linktype members | select-object primarysmtpaddress).primarysmtpaddress

#Loops through object to return email addresses needing to be added as a variable
$AddToUsersUnifiedGroup = $Users | where{$UsersUnifiedGroup -notcontains $_}

#Loops through object to return email addresses needing to be removed as a variable
$RemoveFromUsersUnifiedGroup = $UsersUnifiedGroup | where{$Users -notcontains $_}

#Loop to add users to the Office 365 Group
foreach($AddToUsersUnifiedGroupEmail in $AddToUsersUnifiedGroup) {add-unifiedgrouplinks -identity <Office 365 Group> -links $AddToUsersUnifiedGroupEmail -linktype members -confirm:$false}

#Loop to remove users from the Office 365 Group
foreach($RemoveFromUsersUnifiedGroupEmail in $RemoveFromUsersUnifiedGroup) {remove-unifiedgrouplinks -identity <Office 365 Group> -links $RemoveFromUsersUnifiedGroupEmail -linktype members -confirm:$false}

Hi Jared,

 

  If you work in the public education sector, talk to your Microsoft Licensing representative. There are other licensing options available to you that may allow you to use Dynamic Groups without having Azure Premium.

Has anyone tried this specifically for Office 365 groups? I only have the option under newly created security groups, and only when they are created. Does the dynamic rule run on a schedule, or triggered somehow for a new user? Because from what I can see it's only done upon group creation.

Alexander it works fine but make sure you read this article if you want to convert an Office 365 group from static to dynamic membership (you'll need to run a PowerShell cmdlets. Membership refreshes on a regular basis. try it out!

I've tested this in a UAT Tenant and it's worked successfully. Cheers!
1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Solution

It is available with Azure AD premium subscription. 

View solution in original post