Tuesday, October 15, 2019

Access to Teams based on our own extension attributes

In our last post we looked at extending Azure AD with our own attributes: https://blog.mindcore.dk/2019/10/azure-ad-extension-attributes.html

Now let’s try to grant access to a Microsoft Teams team dynamically, based on that attribute.

First we create a team in Microsoft Teams.

In Teams we create a new private team called TestTeam.

image

We will build from scratch.

image

Private team.

image

Name the team TestTeam.

image

Skip adding members.

image

In order to use our extension attributes we need the application ID of the app registration we created in the last post. In Azure Active Directory go to App registrations, find the application by name and copy its Application (Client) ID.

image

Now go to Azure Active Directory > Groups and notice that the membership type of our new group is still Assigned.

image

Click on the group/team we just created, go to Properties, change the Membership type to Dynamic User and click Add dynamic query.

image

Click on Get custom extension properties.

image

Paste in the application ID and click Refresh properties.

   image

After the refresh the custom attributes appear in the Property drop-down. Select the required extension attribute.

image

Select the correct Operator and Value. Here we want all users where our MyAttribute Equals MyValue. Remember to Save.

image

Remember to save once more!

image

Click Yes to accept that existing members will change.
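The same conversion done from PowerShell, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgGroup, Update-MgGroup, Update-MgUser, Get-MgGroupMember) rather than the portal; the application ID, the user principal name and the TestTeam group name are placeholders to replace with your own values. The membership rule follows the documented syntax `user.extension_<appId without hyphens>_<attribute>`, which the script builds from the Application (Client) ID copied above.

```powershell
# Added example (not from the original post): convert the TestTeam group to dynamic
# membership driven by an extension attribute, using Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in account is
# granted Group.ReadWrite.All and User.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.ReadWrite.All"

$appId         = "00000000-0000-0000-0000-000000000000"   # placeholder: Application (Client) ID of the app registration
$attributeName = "MyAttribute"
$expectedValue = "MyValue"

# Extension attributes are addressed as extension_<appIdNoDashes>_<name>; the rule
# syntax is (user.<property> -eq "<value>"), exactly what the portal builds for us.
$extensionName = "extension_{0}_{1}" -f ($appId -replace '-', ''), $attributeName
$rule          = '(user.{0} -eq "{1}")' -f $extensionName, $expectedValue

$group = @(Get-MgGroup -Filter "displayName eq 'TestTeam'")
if ($group.Count -ne 1) { throw "Expected exactly one group named TestTeam, found $($group.Count)" }
$group = $group[0]

# A Teams-backed group is a Microsoft 365 ('Unified') group; keep that type and add
# DynamicMembership so the group stays a team after the change.
$groupTypes = @($group.GroupTypes + "DynamicMembership" | Select-Object -Unique)

Update-MgGroup -GroupId $group.Id `
    -GroupTypes $groupTypes `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Tag a second user with the attribute (placeholder UPN); the rule picks the user
# up on the next evaluation without anyone touching the team's member list.
Update-MgUser -UserId "second.user@contoso.example" `
    -AdditionalProperties @{ $extensionName = $expectedValue }

# Azure AD group membership is authoritative; Teams and SharePoint catch up later.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

Because the rule is the only thing that decides membership from now on, whoever can write this extension attribute on user objects effectively controls who is in the team. Keep the app registration and the accounts that update the attribute tightly scoped, and audit changes to it the same way you would audit direct membership changes.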

image

If we click on Overview we can follow the status. Here our dynamic rule is being evaluated and there is no update time yet.

image

This will change to Update complete and a timestamp when the rule has been processed.

image

The Members view now shows the only user to whom we assigned our extension attribute with the value MyValue.

image

Membership type of our team/group has now been changed to Dynamic.

image

If we take a look at the members in Teams, the first thing to notice is that we can no longer add or remove members: "This team has membership settings that prevent you from adding or removing members". Membership is now handled regularly, based on our rule.

And for now the only member is our test user with the extended attribute MyAttribute set to MyValue, if we add this attribute and value to another user, the user will automatically be added to the team.

Owners of the team are not changed by dynamic groups.

image

It will take some time before Teams shows the correct members; it will often be quicker to see the updated members in SharePoint.

image

And yes, why is there an Add Users button in SharePoint when we can no longer add users manually?

If you try, you will see "Couldn’t add users", so the button shouldn't be shown.

image

You need to have at least an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups.

The license doesn't have to be assigned to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the tenant to cover all users in dynamic groups.
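A way to check that the tenant actually holds enough licenses for this rule, as an added example that is not part of the original post. It counts the unique users across all dynamic groups with Microsoft Graph PowerShell and compares that number with the enabled units of every SKU that carries the Azure AD Premium P1 service plan. The service plan name `AAD_PREMIUM` and the idea that P1 may also be bundled inside other SKUs (EMS, Microsoft 365) are assumptions to verify against your own tenant's SKU list.

```powershell
# Added example (not from the original post): compare the number of unique users in
# dynamic groups with the Azure AD Premium P1 capacity of the tenant.
# Assumes Microsoft.Graph PowerShell with Group.Read.All and Organization.Read.All.
Connect-MgGraph -Scopes "Group.Read.All", "Organization.Read.All"

# Every group whose groupTypes collection contains DynamicMembership.
$dynamicGroups = @(Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -All)

# Count each user once, however many dynamic groups they belong to.
$uniqueUsers = @{}
foreach ($g in $dynamicGroups) {
    Get-MgGroupMember -GroupId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { $uniqueUsers[$_.Id] = $true }
}

# P1 capacity: enabled units of every SKU that includes the AAD_PREMIUM service plan
# (assumption: this plan name identifies P1, whether bought standalone or bundled).
$p1Units = 0
foreach ($sku in Get-MgSubscribedSku) {
    if ($sku.ServicePlans.ServicePlanName -contains 'AAD_PREMIUM') {
        $p1Units += $sku.PrepaidUnits.Enabled
    }
}

[pscustomobject]@{
    DynamicGroups      = $dynamicGroups.Count
    UniqueUsersInThem  = $uniqueUsers.Count
    P1UnitsInTenant    = $p1Units
    Covered            = ($uniqueUsers.Count -le $p1Units)
}
```

The licenses do not need to be assigned to the users, which is why the script compares against the tenant's prepaid units rather than per-user assignments.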

In an upcoming post we will try to do the above using PowerShell only.
