In our last post we looked at extending Azure AD with our own attributes http://blog.mindcore.dk/2019/10/azure-ad-extension-attributes.html
Now let’s try to dynamically allow access to a Microsoft team based on the attribute.
First we create a Team in Microsoft teams.
In teams we create a new private team called TestTeam.
We will build from scratch.
Private team.
Name the team TestTeam.
Skip adding members.
In order to use our extension attributes we need the application ID we created in the last post: in Azure Active Directory, go to App registrations, find our application by name and copy the Application (Client) ID.
Now go to Azure Active Directory > Groups and notice that the membership type is, for now, Assigned.
Click on the group/team we just created and go to Properties and change the Membership type to Dynamic User and click on Add dynamic query.
Click on Get custom extension properties.
Paste in the application ID and click Refresh properties.
After this refresh you will find the custom attributes in Property, select the required extension attribute.
Select the correct Operator and value; here we want all users where our MyAttribute Equals MyValue. Remember to Save.
Remember to save once more!
Click Yes to accept that existing members will change.
If we click on Overview we are able to follow the status; here our dynamic rule is being evaluated and there is no update time yet.
This will change to Update complete and a timestamp when the rule has been processed.
The Members view now shows only the user to whom we assigned our extension attribute with the value MyValue.
Membership type of our team/group has now been changed to Dynamic.
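The rule the portal builds from Property, Operator and value can also be set directly. As an added example that is not part of this post, here is the same change with the AzureAD PowerShell module, assuming an existing Connect-AzureAD session and placeholder names for the app registration, attribute and value:

```powershell
# Added example (not from the original post): set the dynamic membership rule
# on the TestTeam group with the AzureAD module instead of the portal.
# Assumptions: Connect-AzureAD has already been run; the names below are placeholders
# for the app registration and attribute created in the previous post.
$appName   = 'MyExtensionApp'   # placeholder: app registration from the last post
$groupName = 'TestTeam'
$attribute = 'MyAttribute'
$value     = 'MyValue'

# The Application (Client) ID is embedded in the property name without its dashes,
# exactly as "Get custom extension properties" lists it: extension_<appId>_<name>
$app   = Get-AzureADApplication -Filter "DisplayName eq '$appName'"
$appId = $app.AppId -replace '-', ''
$rule  = "(user.extension_${appId}_${attribute} -eq `"$value`")"

# Keep the group's existing types (a Teams group is 'Unified') and add dynamic membership;
# this is what Properties > Membership type > Dynamic User does in the portal.
$group = Get-AzureADMSGroup -Filter "DisplayName eq '$groupName'"
$types = @($group.GroupTypes) + 'DynamicMembership' | Select-Object -Unique
Set-AzureADMSGroup -Id $group.Id `
    -GroupTypes $types `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Verify the rule and its processing state (the portal's "Update complete").
# Note: anyone able to write this extension attribute on users now controls
# team membership, so the app's write permissions deserve the same review as the group.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
```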
If we look at the members in Teams, the first thing to notice is that we can no longer add or remove members: "This team has membership settings that prevent you from adding or removing members". Membership is now maintained regularly based on our rule.
And for now the only member is our test user with the extension attribute MyAttribute set to MyValue; if we add this attribute and value to another user, that user will automatically be added to the team.
Owners of the team are not changed by dynamic groups.
It will take some time before Teams shows the correct members; often it will be quicker to see the updated members in SharePoint.
And yes, why is there an Add Users button in SharePoint when we cannot add users manually any more?
If you try, you will see "Couldn't add users", so it shouldn't be shown.
You need to have at least an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups.
The license doesn’t have to be assigned to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the tenant to cover all users in dynamic groups.
In an upcoming post we will try to do the above using PowerShell only.