Azure AD Dynamic Security Groups


Is it possible to create a dynamic security group based on whether or not a user has completed the MFA registration process, or has fewer than two methods defined as per the Activities and Insights report?


I've got a bit of a unique situation here and I was hoping to use dynamic groups as a way out of the situation.



4 Replies
Hi Peter,

No, dynamic security groups have a limited number of properties that can be used to construct a membership rule. These are defined here:

As a work-around, you could create a scheduled task that runs hourly that populates group membership based on the MFA properties in Azure AD. Azure AD stores the number of authentication methods in:

So if StrongAuthenticationMethods.Count -eq 0 then the user has not completed registration.
And if StrongAuthenticationMethods.Count -lt 2 then they have less than two methods defined.

For example:
# Look up the user, then list the registered method types (no output means nothing is registered).
$user = Get-MsolUser -SearchString "John Doe"
$user.StrongAuthenticationMethods | Select-Object MethodType

Then you just need some more code that populates a group based on this.
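The scheduled-task approach described above, written out as an added example (this is not code from the thread or from Microsoft): it reconciles a static security group against every enabled user's StrongAuthenticationMethods count, adding users who have fewer than two methods and removing those who have since registered enough. It assumes the MSOnline module is installed and that the account running the task can read users and manage the group; the group ObjectId is a placeholder.

```powershell
# Added example: keep a security group in sync with users who still need MFA registration.
# Assumes the MSOnline module; $GroupId below is a placeholder, not a real group.
Import-Module MSOnline
Connect-MsolService   # in a scheduled task, pass -Credential with a stored credential

$GroupId   = '00000000-0000-0000-0000-000000000000'   # placeholder: target group ObjectId
$Threshold = 2                                         # "fewer than two methods" from the question

# Count 0 = registration never completed; Count 1 = only one method defined.
# @() forces an array so .Count is 0 rather than $null when nothing is registered.
$needsMfa = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { @($_.StrongAuthenticationMethods).Count -lt $Threshold }

$current = Get-MsolGroupMember -GroupObjectId $GroupId -All

# Add users who now qualify but are not yet members.
foreach ($u in $needsMfa) {
    if ($current.ObjectId -notcontains $u.ObjectId) {
        Add-MsolGroupMember -GroupObjectId $GroupId -GroupMemberType User -GroupMemberObjectId $u.ObjectId
        Write-Output "Added $($u.UserPrincipalName) ($(@($u.StrongAuthenticationMethods).Count) methods)"
    }
}

# Remove members who have since registered enough methods (or were disabled).
foreach ($m in $current) {
    if ($needsMfa.ObjectId -notcontains $m.ObjectId) {
        Remove-MsolGroupMember -GroupObjectId $GroupId -GroupMemberType User -GroupMemberObjectId $m.ObjectId
        Write-Output "Removed $($m.DisplayName)"
    }
}
```

Running the removal loop as well as the add loop matters: a group used to drive a Conditional Access policy or a registration campaign should shrink again once users register, otherwise it drifts into a stale allow/deny list. Note that the MSOnline module is deprecated in favour of Microsoft Graph PowerShell, where the same information comes from the authentication methods API rather than StrongAuthenticationMethods.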
I could also use such a feature. It doesn't exist yet but I submit feedback to request it. Perhaps if enough people do, Microsoft will implement it. (I'm not holding my breath though)
It would really be useful. The other feature that would be cool is the ability to create dynamic user security groups based on the on-premises DistinguishedName attribute of a user when they are synced to Azure AD. The weird thing is you can do this based on the onPremisesSecurityIdentifier attribute but not the DN... Well, you couldn't do it the last time I checked. :grinning_face:
If you are hybrid: create a custom sync rule in your AAD Connect, sync the DN to customattributeX, and base the dynamic rule filter on customattributeX.
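The Azure AD side of that workaround, as an added example that is not code from the thread: it assumes an Azure AD Connect custom inbound sync rule has already been configured to flow the on-premises distinguishedName into extensionAttribute1 (that part is done in the Synchronization Rules Editor and is not shown here), and that the AzureAD PowerShell module is installed. The group name, mail nickname and OU path are placeholders.

```powershell
# Added example: dynamic security group whose membership rule matches the synced DN.
# Assumes extensionAttribute1 already carries the on-prem distinguishedName via AAD Connect.
Import-Module AzureAD
Connect-AzureAD

# A synced DN looks like "CN=Jane Doe,OU=Sales,OU=Users,DC=contoso,DC=com" (placeholder),
# so match on the OU suffix rather than the whole value.
$rule = '(user.extensionAttribute1 -contains "OU=Sales,OU=Users,DC=contoso,DC=com")'

New-AzureADMSGroup -DisplayName "Sales (dynamic by on-prem DN)" `
    -Description "Users whose on-premises DN sits under OU=Sales" `
    -MailEnabled $false -MailNickname "sales-dyn" -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"
```

Matching on the full OU suffix (not just "OU=Sales") avoids pulling in users from a similarly named OU elsewhere in the forest; after the first sync cycle, check the group's membership processing status in the portal before attaching any policy to it.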