Azure AD Portal – Managing Users and Groups

The Azure AD portal is the other interface that is used to create and manage groups. As with the user creation options, the Azure AD portal provides a slimmed-down feel without the wizard experience of the Microsoft 365 admin center.

To create and manage groups in the Azure AD portal, follow these steps:

  1. Navigate to the Azure AD portal (https://aad.portal.azure.com) and select Groups.
  2. With the default All groups navigation item selected, as shown in Figure 2.21, click New group:

Figure 2.21 – Azure AD all groups

  3. On the New Group page, as shown in Figure 2.22, fill in the Group type (Security or Microsoft 365), Group Name, and optionally the Group description fields. If you’ve selected Microsoft 365 as the group type, you will also be required to enter a value for the Group email address field. The security groups created in the Azure portal are not mail-enabled.

Figure 2.22 – New Group page

  4. You can choose whether Azure AD security roles can be assigned to the group. If you select Yes, then the group must have assigned membership.
  5. Under Membership type, you can select Assigned, Dynamic User, or Dynamic Device (if it is a security group). If it is a Microsoft 365 group, you can choose from Assigned or Dynamic User. Security groups with assigned membership can have all supported object types, but dynamic groups are constrained to a single object type.
  6. If you select a group with the Assigned membership type, you can add Owners and Members. If you select a group with either of the dynamic membership types, you must choose the Add dynamic query option, as shown in Figure 2.23:

Figure 2.23 – Creating a new dynamic group

  7. Click Add dynamic query to configure a dynamic query.
  8. On the Configure Rules tab of the Dynamic membership rules page, as shown in Figure 2.24, configure an expression that represents the users or devices you want to have included in the group. For example, to create a user membership rule that looks for the Engineering value in either the jobTitle or department user attributes, select the appropriate Property option, select Equals or Contains under Operator, and then enter Engineering in the Value field.

Figure 2.24 – Creating a dynamic membership rule

  9. You can view the construction of the rule in the Rule syntax output box. If necessary, you can edit the rule free-form to create a more complex rule type.
  10. You can select the Validate Rules (Preview) tab and add users you think should be in scope or out of scope to verify that the rule is working correctly. Click Add users and then select users from the picker. In this example, Aamir E Cupp and Abagael R Rauch were selected. Aamir’s jobTitle is Manager and his department is Sales, so the expected result is that he is not included in the group. Abagael’s jobTitle is Scientist but her Department is Engineering. Based on the way the query is constructed, she is included in the group. See Figure 2.25:

Figure 2.25 – Validating the dynamic membership rule

  11. When finished editing the rule, click Save.
  12. Click Create to create the new group.
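
The rule validation described in the steps above can be rehearsed offline before a rule is saved. The following is an added example, not code from the original text or from Microsoft: a simplified evaluator that supports only string -eq and -contains clauses joined by and/or, run against the two users from the walkthrough plus one constructed user, to show how choosing Contains instead of Equals widens the group. The rule strings and the third user are assumptions of the example.

```python
import re

# Simplified model of dynamic membership rule syntax (an assumption of this
# example): string -eq / -contains clauses on user.<property>, joined by and/or.
TOKEN = re.compile(
    r'\(\s*user\.(\w+)\s+-(eq|contains)\s+"([^"]*)"\s*\)|\b(and|or)\b', re.I)

def _clause(user, prop, op, value):
    # String comparisons in membership rules are case-insensitive.
    actual = (user.get(prop) or "").lower()
    value = value.lower()
    return actual == value if op.lower() == "eq" else value in actual

def evaluate(rule, user):
    """True if the user record satisfies the rule; 'and' binds tighter than 'or'."""
    groups, current, pos = [], [], 0
    for m in TOKEN.finditer(rule):
        gap = rule[pos:m.start()].strip()
        if gap:  # anything the tokenizer skipped is syntax this model lacks
            raise ValueError("unsupported syntax: " + gap)
        pos = m.end()
        if m.group(4) is None:
            current.append(_clause(user, m.group(1), m.group(2), m.group(3)))
        elif m.group(4).lower() == "or":
            groups.append(current)  # close the current AND-group
            current = []
    if rule[pos:].strip():
        raise ValueError("unsupported syntax: " + rule[pos:].strip())
    groups.append(current)
    return any(bool(g) and all(g) for g in groups)

def members(rule, users):
    """Display names of the users the rule would place in the group."""
    return [u["displayName"] for u in users if evaluate(rule, u)]

USERS = [
    # The two users from the validation step in the text.
    {"displayName": "Aamir E Cupp", "jobTitle": "Manager", "department": "Sales"},
    {"displayName": "Abagael R Rauch", "jobTitle": "Scientist", "department": "Engineering"},
    # Constructed user: matches only when the Contains operator is chosen.
    {"displayName": "Constructed User", "jobTitle": "Engineering Manager", "department": "Operations"},
]
RULE_EQUALS = '(user.jobTitle -eq "Engineering") or (user.department -eq "Engineering")'
RULE_CONTAINS = '(user.jobTitle -contains "Engineering") or (user.department -contains "Engineering")'

if __name__ == "__main__":
    print("Equals:  ", members(RULE_EQUALS, USERS))
    print("Contains:", members(RULE_CONTAINS, USERS))
```

Because a dynamic group grants whatever access is attached to it to every matching account, comparing the Equals and Contains result sets against a user export is a quick way to catch a rule that is broader than intended.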

Using the Azure AD portal, you can also update the membership rules for existing groups or change a group’s membership from assigned to dynamic by selecting the group and then editing the details on its Properties menu, as shown in Figure 2.26:

Figure 2.26 – Editing a group

If you change a group’s membership from assigned to dynamic, you’ll need to create a query. It’s important to note, though, that you cannot change a group’s type (for example, from security to Microsoft 365) or whether a group is eligible for Azure AD role assignment—those options can only be selected when creating a group.

Note

Microsoft Entra is the new umbrella product that covers Microsoft identity management and governance. Currently, the Microsoft Entra admin center (https://entra.microsoft.com) maps to specific blades or tabs inside the Azure AD, Security, and Endpoint portals. Over the next year or two, anticipate that Microsoft will begin emphasizing the Entra admin center experience over the Azure portal experience for identity management tasks. See Figure 2.27:

Figure 2.27 – Entra admin center

Next, you’ll look at managing Microsoft 365 licenses.
