Using dynamic groups in Azure Active Directory (Azure AD, now Microsoft Entra ID) requires an Azure AD Premium license. Specifically, you need either:
- Azure AD Premium P1
- Azure AD Premium P2 (which includes everything in P1)
These licenses are necessary because dynamic membership for groups is not included in the free Azure AD edition that comes with Office 365 / Microsoft 365 subscriptions. The licensing is per user: every user who is a member of one or more dynamic groups needs a P1 (or P2) license, not only the administrator who creates the group. The Premium licenses also unlock other identity management capabilities, including conditional access and (with P2) Identity Protection, alongside the dynamic groups feature you are interested in.
Dynamic groups are particularly useful for automating group membership based on user attributes. They streamline administrative tasks and can improve security by ensuring that only users whose current attributes match the rule have access to the resources the group grants. Keep in mind that this moves the trust boundary to the attributes themselves: anyone who can write the attribute a rule keys on (through user administration, provisioning, or self-service profile edits) can effectively add accounts to the group, so choose attributes that only administrators or a trusted sync process can set.
If your organization doesn't already have these licenses, you might need to consider purchasing them or evaluating if the benefits align with your organizational needs. Additionally, for organizations with extensive user bases, these licenses can add significant functionality but also additional cost, so it's important to plan accordingly.
How to create a dynamic Azure AD group
Dynamic groups can be created in the Azure portal (Groups, New group, Membership type "Dynamic User", then a custom rule), but PowerShell is more convenient when you want the rule, owner and verification steps to be repeatable. Here's how to create a dynamic group for the user accounts that back shared mailboxes:
1. Install the AzureAD PowerShell module:
If you haven't already, install the AzureAD PowerShell module by running the following command in PowerShell. Note that this module is deprecated in favour of the Microsoft Graph PowerShell SDK (the Microsoft.Graph module); the cmdlets below still work while the module remains available, but new automation should target Graph.
```powershell
Install-Module -Name AzureAD
```
2. Connect to Azure AD:
Run the following command and follow the instructions to connect to your Azure AD tenant:
```powershell
Connect-AzureAD
```
3. Create the Dynamic Group:
Run the following PowerShell script to create the dynamic group:
```powershell
$GroupName = "Shared Mailbox Users"
$GroupDescription = "Dynamic group for the user accounts that back shared mailboxes"
$GroupMailNickname = "shared-mailbox-users"
$GroupOwner = "owner@example.com" # Change this to the owner's user principal name
# Entra ID has no built-in attribute that marks a user object as a shared mailbox, so the rule keys on
# extensionAttribute1, which you set to "SharedMailbox" on each shared mailbox beforehand (for example with
# Exchange Online's Set-Mailbox -CustomAttribute1 "SharedMailbox"). Rule syntax is (user.property -operator "value").
$MembershipRule = '(user.extensionAttribute1 -eq "SharedMailbox")'
$Group = New-AzureADMSGroup -DisplayName $GroupName -Description $GroupDescription -MailEnabled $false `
    -MailNickname $GroupMailNickname -SecurityEnabled $true -GroupTypes "DynamicMembership" `
    -MembershipRule $MembershipRule -MembershipRuleProcessingState "On"
# New-AzureADMSGroup has no -Owners parameter; add the owner afterwards by object ID
$Owner = Get-AzureADUser -ObjectId $GroupOwner
Add-AzureADGroupOwner -ObjectId $Group.Id -RefObjectId $Owner.ObjectId
```
Make sure to replace `"owner@example.com"` with the user principal name of the group owner. Do not add `user.accountEnabled -eq true` to the rule: shared mailboxes are created with sign-in disabled, so that condition would exclude them, and enabling sign-in on a shared mailbox account is a security risk rather than a fix.
4. Verify the Group:
You can verify the group creation in the Azure portal or by reading it back with the MS cmdlet, which (unlike Get-AzureADGroup) returns the membership rule and its processing state. Membership is evaluated in the background, so members may take a few minutes to appear:
```powershell
$Group = Get-AzureADMSGroup -SearchString $GroupName
$Group | Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState
# Any member that is sign-in enabled is worth a look: shared mailboxes should be disabled
Get-AzureADGroupMember -ObjectId $Group.Id -All $true | Select-Object UserPrincipalName, AccountEnabled
```
This PowerShell script creates a dynamic Azure AD group named "Shared Mailbox Users" whose membership is computed from the membership rule rather than assigned by hand. Adjust the group properties and the rule as needed for your specific requirements; if you tag shared mailboxes with a different attribute or value, change the rule to match.
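As an added example (not part of the original page), the following script performs the same procedure with the Microsoft Graph PowerShell SDK, which replaces the deprecated AzureAD module, and folds in the license check from the first section: it confirms the tenant has an Entra ID P1/P2 service plan before creating the group, creates the group with the owner bound at creation time, and then lists the resolved members with their sign-in state. It assumes the Microsoft.Graph module is installed, that shared mailboxes have been tagged with extensionAttribute1 set to "SharedMailbox", and uses owner@example.com as a placeholder owner; the service plan names AAD_PREMIUM and AAD_PREMIUM_P2 are the ones Microsoft uses for P1 and P2.

```powershell
# Added example: dynamic group for shared mailbox accounts via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; shared mailboxes carry
# extensionAttribute1 = "SharedMailbox"; owner@example.com is a placeholder.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Organization.Read.All"

# 1. License check: dynamic membership needs an Entra ID P1 (AAD_PREMIUM) or P2
#    (AAD_PREMIUM_P2) service plan somewhere in the tenant's subscribed SKUs.
function Test-DynamicGroupLicense {
    $plans = Get-MgSubscribedSku | ForEach-Object { $_.ServicePlans.ServicePlanName }
    return [bool]($plans | Where-Object { $_ -in @("AAD_PREMIUM", "AAD_PREMIUM_P2") })
}
if (-not (Test-DynamicGroupLicense)) {
    throw "No Entra ID P1/P2 service plan found; dynamic membership rules will not be processed."
}

# 2. Resolve the owner to an object ID so it can be bound when the group is created.
$OwnerUpn = "owner@example.com"   # placeholder, replace with the real owner's UPN
$Owner = Get-MgUser -UserId $OwnerUpn -Property Id

# 3. Create the group. Rule syntax is (user.property -operator "value");
#    accountEnabled is deliberately not in the rule because shared mailboxes are sign-in disabled.
$MembershipRule = '(user.extensionAttribute1 -eq "SharedMailbox")'
$Body = @{
    displayName                   = "Shared Mailbox Users"
    description                   = "Dynamic group for the user accounts that back shared mailboxes"
    mailEnabled                   = $false
    mailNickname                  = "shared-mailbox-users"
    securityEnabled               = $true
    groupTypes                    = @("DynamicMembership")
    membershipRule                = $MembershipRule
    membershipRuleProcessingState = "On"
    "owners@odata.bind"           = @("https://graph.microsoft.com/v1.0/users/$($Owner.Id)")
}
$Group = New-MgGroup -BodyParameter $Body

# 4. Verify: read the group back and list the members the rule resolved to.
#    Processing runs in the background, so re-run this part if the list is still empty.
$Check = Get-MgGroup -GroupId $Group.Id -Property Id, DisplayName, MembershipRule, MembershipRuleProcessingState
$Check | Format-List Id, DisplayName, MembershipRule, MembershipRuleProcessingState

$Members = Get-MgGroupMember -GroupId $Group.Id -All
foreach ($m in $Members) {
    $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled
    # A shared mailbox account that can sign in is a finding, not a feature.
    $state = if ($u.AccountEnabled) { "ENABLED - review" } else { "disabled" }
    "{0}`t{1}" -f $u.UserPrincipalName, $state
}
```

The license check runs first because a dynamic group created in an unlicensed tenant is accepted by the API but its rule is never processed, which is easy to mistake for a bad rule. Binding the owner through `owners@odata.bind` avoids the separate owner call the AzureAD module needs, and the final loop surfaces any shared mailbox account whose sign-in has been enabled, the condition a reviewer most wants to catch in this group.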