Delegate365 v9.4 brings support for managing dynamic security groups and some small fixes. See the details here.
- Dynamic Security Groups: In the Groups / Security Groups module, the list shows all security groups that are assigned to the administrator's OUs. In the list, there's a new column Membership Type that shows if the security group is of type Assigned or Dynamic. Assigned means static users, Dynamic means a rule that includes all users whose properties match the condition (as in the M365 admin portal). The Membership Type cannot be changed for existing security groups. It must be defined when a new security group is created. If a security group is of type Dynamic, the menu on the right shows the option Dynamic membership rules.
- Create a new dynamic security group: When the user clicks on the Plus icon, the panel on the right asks for the details. In the panel, the option Dynamic can be selected in the Membership type dropdown. This shows a mandatory textbox Dynamic user members, where the rules must be added. There are some examples for rules below, e.g.
(user.accountEnabled -eq True) and (user.city -startsWith "Seattle")
You can find more about the allowed user and device properties and defining a ruleset at Dynamic membership rules for groups in Azure Active Directory. Click Save when done.
Note: The rule expression must be valid. Otherwise, a message informs about a rule that is not allowed and the rule cannot be saved.
In this sample, we generated an error saying "Security Group Membership: Code: InvalidPropertyException Message: Unsupported property 'city1'…". See the rules article here.
- Check the dynamic members: As with static security groups, we can view the members…
…but we cannot change them directly. Only members who meet the defined conditions are displayed here.
Note: Depending on the size of the M365 tenant and the number of objects, it can take some minutes until the members are shown. You can leave this module open and click on the Refresh icon to see updates, or check back later.
- Edit a dynamic group: Select the dynamic security group and open Dynamic membership rules.
In the editing area, the rule can be changed and the processing of a dynamic group can also be stopped. This can be useful for other administrative tasks that should be performed before the dynamic security group is scheduled to be updated.
Click Save when done.
- Delete a dynamic security group: Of course, this works in the same way as for security groups of membership type Assigned.
- Dynamic Distribution Groups (Exchange): Historically, these groups are not part of Azure AD, only Exchange. To clarify, Dynamic Distribution Groups that live in Exchange can still be managed in the Groups / Dynamic Groups module.
- Smaller fixes: Fixed sorting in the License Quotas module (column SKU) and in all other license and plan name lists, added Select all for domains and OUs in Administration / Administrators, and other small improvements.
This version will be rolled out to all production Delegate365 clients in mid-January.
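The note above says an invalid rule expression is rejected on save, as with the unsupported property 'city1'. The following pre-check is an added example, not part of Delegate365 or of Microsoft's tooling: it lints a rule for unknown user properties and unbalanced syntax before the rule is pasted into the Dynamic user members textbox. The function name `lint_rule` and the property allow-list are assumptions; the list is a subset, and the rules article remains the authoritative source.

```python
import re

# Assumption: a subset of the user properties accepted in dynamic membership
# rules. Names are compared in their documented spelling, which is a
# deliberately strict choice for a linter.
SUPPORTED_USER_PROPERTIES = {
    "accountEnabled", "dirSyncEnabled", "city", "country", "companyName",
    "department", "displayName", "employeeId", "givenName", "jobTitle",
    "mail", "mailNickName", "mobile", "objectId", "postalCode",
    "preferredLanguage", "state", "streetAddress", "surname",
    "telephoneNumber", "usageLocation", "userPrincipalName", "userType",
    "otherMails", "proxyAddresses",
}
EXTENSION_ATTRIBUTE = re.compile(r"extensionAttribute([1-9]|1[0-5])$")
QUOTED = re.compile(r'"[^"]*"')
USER_PROPERTY = re.compile(r"\buser\.([A-Za-z_][A-Za-z0-9_]*)")


def lint_rule(rule):
    """Return a list of problems found in a dynamic user membership rule."""
    problems = []
    if rule.count('"') % 2:
        problems.append("unterminated string literal")
    # Blank out quoted values so text such as "user.city1" inside a string
    # constant is not mistaken for a property reference.
    bare = QUOTED.sub('""', rule)
    depth = 0
    for ch in bare:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # a ")" appeared before its "("
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    names = USER_PROPERTY.findall(bare)
    if not names:
        problems.append("no user property referenced")
    for name in names:
        if name not in SUPPORTED_USER_PROPERTIES and not EXTENSION_ATTRIBUTE.match(name):
            problems.append(f"unsupported property '{name}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's example rule with the 'city1' typo.
    print(lint_rule('(user.accountEnabled -eq True) and (user.city1 -startsWith "Seattle")'))
```

An empty list means the rule passed these checks only; the service still performs the final validation when the group is saved.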