Comments on: Practical Graph: Using Dynamic Entra ID Administrative Units
https://practical365.com/using-dynamic-azure-ad-administrative-units/
Practical Office 365 News, Tips, and Tutorials
Mon, 03 Jun 2024 15:56:24 +0000

By: Tony Redmond https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-275545 Mon, 25 Sep 2023 16:37:16 +0000 In reply to Haitham.

Try this: https://office365itpros.com/2023/09/25/dynamic-administrative-units-ps/

By: Tony Redmond https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-274692 Fri, 15 Sep 2023 12:33:55 +0000 In reply to Haitham.

Well, I was wrong in my advice. The right way to do this is to:

1. Create a new admin unit.
2. Update the new admin unit with the properties to make it a dynamic AU.

I’ve worked out the basics of a script and will publish it when it works the way I want it to.
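
The create-then-update sequence described in the comment above, as an added example that is not part of the thread and is not the script its author mentions. The CSV path, the display name and description wording, and the character allowlist are assumptions; the name check is there because the CSV value is placed inside a rule that sets the scope of delegated administration.

```powershell
# Added example, not the commenter's script. Requires the
# Microsoft.Graph.Beta.Identity.DirectoryManagement module.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All'

# Placeholder path: a CSV file with a single Name column, one department per row
$Departments = Import-Csv -Path 'C:\Temp\Departments.csv'

ForEach ($Department in $Departments) {
    $Name = ([string]$Department.Name).Trim()

    # The name ends up inside a rule that decides which accounts a scoped
    # administrator can manage, so accept only an allowlist of characters
    # (letters, digits, space, & . -). The allowlist and the 64-character
    # limit are assumptions; a quote in the name would otherwise change the rule.
    If ($Name -notmatch '^[\p{L}\p{N} &.\-]{1,64}$') {
        Write-Warning ("Skipping '{0}': unexpected characters in the department name" -f $Name)
        Continue
    }

    $DisplayName = ('Dynamic administrative unit for the {0} department' -f $Name)
    $Description = ('Created {0} for the {1} department' -f (Get-Date -Format 'u'), $Name)
    $Rule = ('(user.department -eq "{0}")' -f $Name)

    Try {
        # Step 1: create an ordinary administrative unit
        $NewAU = New-MgBetaAdministrativeUnit -DisplayName $DisplayName `
            -Description $Description -ErrorAction Stop

        # Step 2: update the new unit with the properties that make it dynamic
        $DynamicProperties = @{
            membershipType                = 'Dynamic'
            membershipRuleProcessingState = 'On'
            membershipRule                = $Rule
        }
        Update-MgBetaAdministrativeUnit -AdministrativeUnitId $NewAU.Id `
            -BodyParameter $DynamicProperties -ErrorAction Stop

        # Read the unit back so the stored rule can be reviewed
        Get-MgBetaAdministrativeUnit -AdministrativeUnitId $NewAU.Id |
            Select-Object DisplayName, MembershipType, MembershipRule
    }
    Catch {
        Write-Warning ("Failed for '{0}': {1}" -f $Name, $_.Exception.Message)
    }
}
```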

By: Tony Redmond https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-274596 Thu, 14 Sep 2023 09:35:34 +0000 In reply to Haitham.

Given a CSV file like this:

Name
Information Technology
Artificial Intelligence
Generative AI

You could do something like this:

# Read the department names from the CSV file (placeholder path)
$AUs = Import-Csv -Path 'C:\Temp\AUs.csv'
ForEach ($AU in $AUs) {
    $Description = ("Dynamic administrative unit created for the {0} department created {1}" -f $AU.Name, (Get-Date))
    $DisplayName = ("Dynamic administrative unit created for the {0} department" -f $AU.Name)
    # -AdditionalProperties takes a hashtable, so build the rule as one
    $MembershipRule = @{membershipRule = ('user.department -eq "{0}"' -f $AU.Name)}
    New-MgBetaAdministrativeUnit -DisplayName $DisplayName -Description $Description -AdditionalProperties $MembershipRule -MembershipType 'Dynamic' -MembershipRuleProcessingState 'On'
}

I can’t test this because my Azure AD Premium licenses have expired and I am awaiting renewal, but the code above creates the rule in the correct format.

By: Haitham https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-274584 Thu, 14 Sep 2023 05:12:40 +0000

Thank you so much Tony,
I was wondering what my PS code should look like if I want to create a bunch of Dynamic AUs from a CSV file where the rule for each AU should be, for example: the user department is the display name of the AU?
I tried this: MembershipRule = ‘(user.Department -eq $DynamicAU.DisplayName)’ but it seems to not be working!

By: Tony Redmond https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-256071 Thu, 09 Mar 2023 09:26:30 +0000 In reply to Joshua Bines.

Isn’t PowerShell wonderful?

By: Joshua Bines https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-256062 Thu, 09 Mar 2023 08:48:51 +0000

Thanks for the write-up, Tony, great as always. I still think the inbuilt “dynamic” AADAU aren’t great. 1. Doesn’t support adding groups. 2. Doesn’t support added devices and users in the one AADAU. 3. Licenses are required for all your scoped admins.

For now I’m going to keep supporting this script but I am happy AADAU has gone GA. I think it was preview since 2014 which was the longest preview product I have ever seen.

https://github.com/JBines/Set-AADAUDynamic

By: Tony Redmond https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-255989 Wed, 08 Mar 2023 09:54:57 +0000 In reply to Robert Andersson.

I wouldn’t use custom security attributes. There are fifteen custom extension attributes that are designed for this purpose. I compare them against Azure AD custom security attributes in https://practical365.com/azure-ad-custom-security-attributes-exo/

Here’s an example of using custom attributes in a dynamic distribution list. The same concept extends to dynamic Azure AD groups: https://office365itpros.com/2021/01/18/dynamic-distribution-lists-filters/

By: Robert Andersson https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-255984 Wed, 08 Mar 2023 08:00:49 +0000

Hi,
Great article, we are halfway in on setting our path towards using these attributes to ease up our onboarding routines.
I sometimes find that the attributes in AAD are not suitable and would like to add my own. Is that possible, do you think?
For example, we have all countries, cities, department and email address used in our dynamic assignment rule.
But when we try to find a way for “boardmembers” that are not in a country, city or department the rule gets hard to achieve.

Does “custom security attributes” solve this for me or can they be used in the syntax rule for a dynamic assigned group? Thanks for one of the best blogs and materials for Microsoft 365 out there!

By: Tony Redmond https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-254938 Thu, 23 Feb 2023 17:49:30 +0000 In reply to Ahmed.

Given that MemberOf is still a preview feature that offers limited functionality, its lack of support in dynamic administrative units is unsurprising.

By: Ahmed https://practical365.com/using-dynamic-azure-ad-administrative-units/#comment-254926 Thu, 23 Feb 2023 16:37:31 +0000

There is one concern that it is still not supporting user.memberof dynamic role.

I have tried to test it but it is not even able to create the dynamic role.

Did it work for you, as I need to add users to an AU based on their group membership?
