Now you can create dynamic groups using #AzureAD PowerShell 2.0 preview

 

A few days ago I wrote a blog post related to the public preview of the #AzureAD PowerShell v2.0, you can read the article here: https://spanougakis.com/2016/10/14/azuread-powershell-v2-0-is-now-in-public-preview/

The #AzureAD product group added recently some new cool enhancements, including the ability to manage dynamic groups. So let’s take a look at what you can do with the new AzureADMSGroup cmdlets. Don’t forget to install the new version, 2.0.0.17 which can be found here: https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.17

In this example, I’ll create a dynamic security group called “Managers”. Note that I also have the ability to pause the dynamic group processing through the command:

New-AzureADMSGroup -Description “Managers team” -DisplayName “Managers” -MailEnabled $false -SecurityEnabled $true -MailNickname “Managers” -GroupTypes “DynamicMembership” -MembershipRule “(user.department -eq “”Management””)” -MembershipRuleProcessingState “Paused”

If you execute this cmdlet, this is what you get:

3wrong

Ooops… This is because you probably don’t have the correct version of AzureAD PowerShell, if you check you can see that you have the older 2.0.0.7 version, while now you need the 2.0.0.17:

4install

and when you create the new dynamic group, you get the result:

5result

But as we can see from the new Azure portal, the group is empty, because we’ve paused the processing:

6group

Now let’s try to recreate the group by enabling the processing state. I’ve already deleted the empty Managers group, so I’ll create it again:

7group

You cam also change the processing state of a group after you create it by typing this command:

Set-AzureADMSGroup -Id 53e2b806-1689-4a8b-a94c-186647fbade5 -MembershipRuleProcessingState “On”

We can check at the Azure AD new portal that now the group has 2 members:

8group

This is because my account had a value of department set to “Management”, before creating the new group:

1profile

What else you can do with this new Azure AD PowerShell version? Create Office365 accounts, like in the following example:

New-AzureADMSGroup -Description “Thessaloniki Users” -DisplayName “Users located in Thessaloniki” -MailEnabled $true -SecurityEnabled $true -MailNickname “SKGUsers” -GroupTypes “Unified”

Remember a few things though:

  • The value that you provide for the “MailNickName” parameter is used to create both the SMTP address and the email address of the group. If the MailNickName is not unique, a four-digit string is added to the SMTP and email addresses to make them unique, like in the example above.
  • The values for SecurityEnabled and MailEnabled are set and ignored when creating an Office 365 group because these groups are implicitly security and mail enabled when used in Office 365 features.
  • If you want to create a dynamic Office 365 group, you need to specify both “DynamicMembership” and “Unified” in the GroupTypes parameter:

Set-AzureADMSGroup -Id 53e2b806-1689-4a8b-a94c-186647fbade5 -GroupTypes “DynamicMembership”,”Unified” -MembershipRule “(User.department -eq “”Management””)” -MembershipRuleProcessingState “Paused”

For more details, take a look at the Enterprise mobility blog here:  https://blogs.technet.microsoft.com/enterprisemobility/2016/11/03/new-enhancements-to-the-azuread-powershell-2-0-preview-manage-dynamic-groups-and-more/

Thanks for your time!

1 Comment on “Now you can create dynamic groups using #AzureAD PowerShell 2.0 preview

Leave a Reply