How To Force Update Azure Dymaic Group Membership

In this blog I will show how Azure AD dynamic groups piece of work. In the Azure AD there two ways to manage the membership of groups:

Assigned Membership
Dynamic Membership

The difference betwixt the 2 is the members of the Assigned group are added manually, by selecting the users and/or groups from the Azure AD. To utilize Assigned Groups yous don't need any additional Azure subscriptions, it's included in the basic Pay-Every bit-you-Employ subscription. With Dynamic groups the members are added when they see the rules which are configured, another difference with assigned groups is that Dynamic groups are devided in User and Device groups. Users and Devices can be member of a Assigned group.

	Assigned Groups	Dynamic Groups

Members	Users and Devices	Users or Devices
	Manually Assigned	Assigned using rules
Member processing	Instant	about ii to 30 minutes
Licensing	no additional license needed	Azure Premium P1 needed

Dynamic user and device groups

Dynamic groups can be devided into ii membership types:

Dynamic User Membership
Dynamic Device Membership

Rules

Rules need to be configured to populate a dynamic grouping. Each Rule contains a Belongings, Operator and a Value. If more than than i rule has been configured also an And/or argument is required:

example rule

Properties

The Backdrop which tin can be used in to configure rules depend on the membertype. When user membership is selected only Azure useraccount related backdrop can be used (e.g. EmployeeId, Jobtitle, department, etc).

example user properties

When device membership is selected only device related backdrop tin be used (e.thou. deviceOSType, deviceOSVersion, isRooted, etc).

example device properties

Membership Evaluation

Before dynamic groups are populated with members the rules demand to be evaluated. The evalution status can be monitored in the Grouping Overview:

Just after creating the group the membership processing status and last updated field will be empty.

Afterward some time the evaluation will start. The membership processing status volition change to "Evaluating" and the Membership last updated to "In Progress"

When evaluation has finished, the membership processing status will alter to "Update complete" and the Membership final update will testify the update date and time.

When the evaluation has finished and no members have been added the membership last updated will show "Unknown". This has been my own observation, according to Microsoft documentation: "Unknown: The final update time can't be retrieved. The grouping might be new."

Membership Re-evaluation

This part of Dynamic groups is a bit of a greyness area. I oasis't found whatsoever Official documentation from Microsoft about this topic. Then these are my own observations and suggestions I establish on forums on the Net (see sources).

Transmission trigger evaluation

At the moment it'southward not possible to trigger a dynamic group update manually by pressing a push. There is a asking open for more a year, which is under review by the Azure squad. Delight vote if you read this.

Some suggested options to trigger the dynamic membership evaluation are:

Editing the name of the dynamic group, adding a white space and saving the dynamic group. This should trigger the evaluation.
Another choice is by pausing and starting the MembershipRule processing past using the PowerShell. To exercise this the AzureADPreview module is needed.

Install-module AzureADPreview -AllowClobber Import-Module -Name AzureADPreview Set up-AzureADMSGroup -Id <dynamic group id> -MembershipRuleProcessingState "paused" Set-AzureADMSGroup -Id <dynamic group id> -MembershipRuleProcessingState "on"

Automatic evaluation

What I observed with a Dynamic user group is the post-obit:

1. The dynamic user group contains two users and has terminal updated at 2:47.57 PM