Microsoft Entra ID Groups (formerly Azure AD Groups) are used to organize users, manage access permissions, and control resources in Microsoft Entra ID (formerly Azure Active Directory). Groups allow organizations to assign specific permissions to multiple users at once, making it easier to manage and secure access to resources like applications, files, and shared drives. Microsoft Entra ID supports different types of groups and offers flexibility in managing group membership, naming policies, and expiration policies.
Here’s an in-depth guide to understanding Microsoft Entra ID Groups, including their types, membership configurations, creation, management, and policy settings.
Types of Microsoft Entra ID Groups
Microsoft Entra ID primarily supports two types of groups:
- Microsoft 365 (M365) Groups: Designed to enhance collaboration and productivity within Microsoft 365 apps like Teams, SharePoint, Outlook, and Planner.
- Security Groups: Used to control access to resources, assign permissions, and manage roles within Azure, Microsoft 365, and other integrated applications.
Each type of group serves different purposes and offers specific functionalities.
1. Microsoft 365 (M365) Groups
Microsoft 365 Groups are designed for collaboration and are integrated with Microsoft 365 applications. When you create an M365 group, a shared mailbox, calendar, document library, and Planner board are automatically created, enabling collaboration among group members.
Key Features
- Collaboration Tools: Each group has its own shared resources, including a mailbox in Outlook, a calendar, a SharePoint document library, and a Planner board.
- Teams Integration: Microsoft 365 Groups can be associated with Microsoft Teams, enabling chat and video meetings.
- External Collaboration: You can add external users (guests) to an M365 Group, allowing external partners or clients to collaborate securely.
Usage Examples
- Project Teams: Creating an M365 Group for each project allows team members to access shared resources, collaborate on documents, and communicate through Teams.
- Departmental Communication: Departments like HR or Marketing can use M365 Groups to centralize communication, share files, and manage calendars.
- Cross-functional Collaboration: M365 Groups are ideal for cross-departmental initiatives where members from various departments need to collaborate on shared goals.
Working Example
Scenario: An organization is launching a new product and needs cross-functional collaboration among marketing, engineering, and sales teams.
- Create an M365 Group: The admin creates an M365 Group named “Product Launch Team” and assigns members from each department.
- Collaboration: Group members can access the shared mailbox for team communications, a shared calendar for meeting schedules, and a document library for project files.
- Teams Integration: The group is associated with Microsoft Teams, allowing team members to chat, hold meetings, and collaborate seamlessly.
2. Security Groups
Security Groups are used to manage access to resources and applications securely. Unlike M365 Groups, Security Groups do not come with collaboration tools like shared mailboxes or document libraries.
Key Features
- Access Management: Security Groups control access to Azure resources, Microsoft 365 applications, and third-party SaaS applications.
- Role-Based Access Control (RBAC): Security Groups can be used with RBAC to assign permissions to Azure resources and applications, enabling centralized and secure access control.
- Conditional Access: Security Groups can be used to configure Conditional Access policies for controlling access based on location, device compliance, or other factors.
Usage Examples
- Application Access: Security Groups can be used to grant access to specific applications for different departments or roles.
- Resource Permissions: Security Groups can control permissions for resources like SharePoint libraries, Teams channels, and specific Azure resources.
- Conditional Access: Security Groups can be assigned to Conditional Access policies to enforce multi-factor authentication (MFA) or other security controls.
Working Example
Scenario: An organization needs to restrict access to a confidential document library in SharePoint to the legal and finance departments only.
- Create a Security Group: The admin creates a Security Group named “Confidential Document Access” and assigns members from the legal and finance departments.
- Permission Assignment: The Security Group is granted “Read” access to the SharePoint document library.
- Conditional Access: The admin configures a Conditional Access policy to require MFA for this group, ensuring secure access to sensitive information.
Group Membership Types
Microsoft Entra ID supports two types of group membership: Assigned Membership and Dynamic Membership.
1. Assigned Membership
Assigned Membership allows admins to manually add or remove users from a group. This membership type is suitable when you have a fixed group of users, such as a team or department, where changes in membership do not happen frequently.
Usage Example
- Departmental Groups: An IT admin can create an Assigned Membership group for the HR department, manually adding all HR staff members.
2. Dynamic Membership
Dynamic Membership assigns users to groups automatically based on attributes such as department, role, location, or job title. Users are added to or removed from the group as their attributes in Azure AD change, which makes this membership type ideal for organizations with frequent changes in staffing or user roles.
Usage Example
- Automated Role-Based Groups: An organization can create a dynamic group where all users with the job title “Sales Manager” are automatically added to the group. When a user’s job title changes, their group membership is automatically updated.
How Dynamic Membership Works
- Rules Configuration: Dynamic groups use rule-based membership. Admins set rules based on user attributes (e.g., department = “Marketing”), and Azure AD evaluates these rules to add or remove users.
- Automatic Updates: When a user’s attribute (e.g., department) changes, their group membership is automatically updated without admin intervention.
Working Example of Dynamic Membership
Scenario: A large company wants to automatically assign all “Software Engineers” to a specific group for accessing development tools.
- Create a Dynamic Group: The admin creates a new dynamic Security Group called “Software Engineering Team.”
- Define Membership Rules: The admin sets a rule to include all users with the job title “Software Engineer.”
- Automatic Membership: Users with the title “Software Engineer” are automatically added to the group. If an employee’s title changes, they are automatically removed from the group.
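Rule evaluation is the part of this worth seeing in code. The block below is an added example, not code from the original page or from Microsoft: an offline evaluator for a subset of the Entra dynamic membership rule syntax (user.* properties; -eq, -ne, -in, -notIn, -startsWith, -contains; -and, -or, -not and parentheses), run over a constructed set of user records so you can see who a rule admits and who drops out when a job title changes. Two choices are this example's own assumptions rather than statements about Entra: string comparisons are case-insensitive unless case_sensitive=True is passed, and user attributes are plain dictionary keys. Entra itself processes rules asynchronously, so a real directory lags an attribute change by some time. The point a defender should keep in mind is that membership follows attributes: whoever can write those attributes (an HR provisioning connector, a delegated user administrator) is effectively granting or revoking whatever access the group carries, so rule edits and attribute sources both belong in your audit scope.

```python
import re
from typing import Any, Callable, Dict, List, Set

# Token classes: "strings", -operators, identifiers (user.jobTitle, null, true/false), punctuation.
# Operators, property names and keywords are case-insensitive in the rule syntax, so they are lowercased.
_TOKEN_RE = re.compile(r'\s*(?:(?P<str>"(?:[^"\\]|\\.)*")|(?P<op>-[A-Za-z]+)'
                       r'|(?P<ident>[A-Za-z_][A-Za-z0-9_.]*)|(?P<punct>[()\[\],]))')
_OPERATORS = {"-eq", "-ne", "-in", "-notin", "-startswith", "-contains"}

def tokenize(rule: str) -> List[tuple]:
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = _TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"cannot tokenize rule at offset {pos}: {rule[pos:pos + 12]!r}")
        pos, kind = m.end(), m.lastgroup
        tokens.append((kind, m.group(kind) if kind == "str" else m.group(kind).lower()))
    return tokens

def _compare(op: str, actual: Any, expected: Any, cs: bool) -> bool:
    # Example assumption: comparisons are case-insensitive unless cs (case_sensitive) is set.
    norm = (lambda v: v) if cs else (lambda v: v.lower() if isinstance(v, str) else v)
    if op in ("-eq", "-ne", "-in", "-notin"):
        hit = (norm(actual) == norm(expected) if op in ("-eq", "-ne")
               else norm(actual) in [norm(e) for e in expected])
        return hit if op in ("-eq", "-in") else not hit
    if not isinstance(actual, str) or not isinstance(expected, str):
        return False  # -startsWith / -contains never match a null or non-string attribute
    a, e = norm(actual), norm(expected)
    return a.startswith(e) if op == "-startswith" else e in a

class _Parser:
    # Recursive descent; binding from tightest to loosest: -not, -and, -or (parentheses override).
    def __init__(self, tokens: List[tuple], cs: bool):
        self.toks, self.i, self.cs = tokens, 0, cs
    def _peek(self) -> tuple:
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def _expect(self, kind: str, text: str = None) -> str:
        k, t = self._peek()
        if k != kind or (text is not None and t != text):
            raise ValueError(f"expected {text or kind}, got {t!r}")
        self.i += 1
        return t
    def parse(self) -> Callable[[Dict[str, Any]], bool]:
        node = self._or()
        if self._peek() != (None, None):
            raise ValueError(f"unexpected token {self._peek()[1]!r}")
        return node
    def _chain(self, sub, opname, combine):
        parts = [sub()]
        while self._peek() == ("op", opname):
            self.i += 1
            parts.append(sub())
        return lambda u: combine(p(u) for p in parts)
    def _or(self):
        return self._chain(lambda: self._chain(self._unary, "-and", all), "-or", any)
    def _unary(self):
        if self._peek() == ("op", "-not"):
            self.i += 1
            inner = self._unary()
            return lambda u: not inner(u)
        if self._peek() == ("punct", "("):
            self.i += 1
            inner = self._or()
            self._expect("punct", ")")
            return inner
        return self._comparison()
    def _comparison(self):
        prop, cs = self._expect("ident"), self.cs
        if not prop.startswith("user."):
            raise ValueError(f"only user.* properties are supported, got {prop!r}")
        op = self._expect("op")
        if op not in _OPERATORS:
            raise ValueError(f"unsupported operator {op!r}")
        attr, value = prop[5:], self._value()
        # Attribute names in the user record are matched case-insensitively, like the rule itself.
        return lambda u: _compare(op, {k.lower(): v for k, v in u.items()}.get(attr), value, cs)
    def _value(self):
        k, t = self._peek()
        self.i += 1
        if k == "str":
            return t[1:-1].replace('\\"', '"')
        if k == "ident" and t in ("null", "true", "false"):
            return None if t == "null" else t == "true"
        if k == "punct" and t == "[":
            items = [self._value()]
            while self._peek() == ("punct", ","):
                self.i += 1
                items.append(self._value())
            self._expect("punct", "]")
            return items
        raise ValueError(f"expected a value, got {t!r}")

def compile_rule(rule: str, case_sensitive: bool = False) -> Callable[[Dict[str, Any]], bool]:
    """Parse a membership rule into a predicate over one user's attribute dict."""
    return _Parser(tokenize(rule), case_sensitive).parse()

def evaluate_membership(rule: str, users: List[Dict[str, Any]]) -> Set[str]:
    """Object ids the rule places in the group; Entra recomputes this whenever attributes change."""
    matches = compile_rule(rule)
    return {u["id"] for u in users if matches(u)}

# Constructed sample directory (not real tenant data): id, job title, department, enabled flag.
USERS = [dict(id=i, jobTitle=j, department=d, accountEnabled=e) for i, j, d, e in [
    ("u1", "Software Engineer", "Engineering", True), ("u2", "software engineer", "Engineering", False),
    ("u3", "Sales Manager", "Sales", True), ("u4", None, "Engineering", True)]]
RULE_ENGINEERS = '(user.jobTitle -eq "Software Engineer") -and (user.accountEnabled -eq true)'
RULE_STAFF = '(user.department -in ["Engineering", "Sales"]) -and -not (user.jobTitle -eq null)'
```

Evaluating RULE_ENGINEERS over USERS yields only u1 (u2 has the title but is disabled); re-evaluating with u1's title changed to "Engineering Manager" yields nobody, which is the automatic removal the scenario describes. RULE_STAFF shows the -in list operator and a -not guard against a null attribute, which is the usual way to keep users with incomplete profiles out of a group that grants access.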
Creating, Configuring, and Managing Microsoft Entra ID Groups
Step 1: Creating a Group
- Access the Azure Portal: Go to https://portal.azure.com and sign in with admin credentials.
- Navigate to Entra ID: Select Microsoft Entra ID from the left-hand menu.
- Select Groups: In the Entra ID section, choose Groups > + New Group.
- Configure Group Type:
  - Group Type: Choose either Microsoft 365 for collaboration or Security for access management.
  - Group Name: Enter a meaningful name (e.g., “Finance Department”).
  - Membership Type: Choose Assigned or Dynamic based on your requirements.
- Define Dynamic Membership Rules (if applicable): If you choose Dynamic Membership, configure rules based on user attributes (e.g., department = "Finance").
- Create the Group: Click Create to finish the setup.
Step 2: Configuring Group Settings
- Configure Group Settings: Go to Settings in the group to configure email notifications, privacy settings, and other options.
- Assign Permissions: Go to the Access Control (IAM) section and assign the group permissions to resources as needed, using Azure RBAC for Security Groups or application-specific permissions for M365 Groups.
Step 3: Managing Group Membership
- Manual Membership Management (Assigned Membership): For assigned groups, manually add or remove members through the Members tab in the group settings.
- Automatic Membership Management (Dynamic Membership): For dynamic groups, update the rules if needed, and Azure AD will automatically adjust group membership based on the defined rules.
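The portal steps above correspond to a handful of Microsoft Graph calls, and scripting them is how most teams keep group creation reviewable. The block below is an added example, not code from the original page or from Microsoft: it builds the request bodies for POST /groups (a dynamic security group and a Microsoft 365 group with owners bound at creation) and for adding an assigned member through POST /groups/{group-id}/members/$ref, and sends them only when a bearer token is present in the GRAPH_TOKEN environment variable, which is this example's own convention; the token needs the Group.ReadWrite.All permission, and a least-privilege setup grants that to a dedicated app registration rather than a user account. Group names, mail nicknames and the angle-bracket object ids are constructed placeholders.

```python
import json
import os
import urllib.request
from typing import Dict, Optional, Sequence

GRAPH = "https://graph.microsoft.com/v1.0"


def _check_nickname(mail_nickname: str) -> str:
    # mailNickname is required for every group and becomes its alias; reject whitespace here
    # instead of discovering the 400 from Graph after the rest of the body is assembled.
    if not mail_nickname or any(ch.isspace() for ch in mail_nickname):
        raise ValueError("mailNickname must be non-empty and contain no whitespace")
    return mail_nickname


def dynamic_security_group(display_name: str, mail_nickname: str, membership_rule: str) -> Dict:
    """Body for POST /groups: a security group whose membership is computed from a rule."""
    return {
        "displayName": display_name,
        "mailNickname": _check_nickname(mail_nickname),
        "mailEnabled": False,                   # security groups have no mailbox
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": membership_rule,
        "membershipRuleProcessingState": "On",  # "Paused" stores the rule without evaluating it
    }


def m365_group(display_name: str, mail_nickname: str,
               owner_ids: Sequence[str] = (), visibility: str = "Private") -> Dict:
    """Body for POST /groups: a Microsoft 365 (Unified) group with assigned membership."""
    body = {
        "displayName": display_name,
        "mailNickname": _check_nickname(mail_nickname),
        "mailEnabled": True,
        "securityEnabled": False,
        "groupTypes": ["Unified"],
        "visibility": visibility,               # Private: only members see the group's content
    }
    if owner_ids:
        # Bind owners at creation so the group never exists ownerless; expiration
        # notices go to owners, and an ownerless group is nobody's responsibility.
        body["owners@odata.bind"] = [f"{GRAPH}/users/{oid}" for oid in owner_ids]
    return body


def member_ref(user_object_id: str) -> Dict:
    """Body for POST /groups/{group-id}/members/$ref. Assigned membership only:
    Graph rejects manual member changes on a dynamic group."""
    return {"@odata.id": f"{GRAPH}/directoryObjects/{user_object_id}"}


def graph_post(path: str, body: Dict, token: str) -> Optional[Dict]:
    """POST a JSON body to Graph; returns the parsed response, or None for 204 No Content."""
    req = urllib.request.Request(
        f"{GRAPH}{path}", data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status != 204 else None


if __name__ == "__main__":
    # Constructed names and placeholder ids; replace with values from your own tenant.
    sec = dynamic_security_group("Software Engineering Team", "swe-team",
                                 '(user.jobTitle -eq "Software Engineer")')
    launch = m365_group("Product Launch Team", "product-launch", owner_ids=["<owner-object-id>"])
    token = os.environ.get("GRAPH_TOKEN")  # assumption: a token carrying Group.ReadWrite.All
    if not token:                          # no token: dry run, print what would be sent
        print(json.dumps(sec, indent=2))
        print(json.dumps(launch, indent=2))
    else:
        created = graph_post("/groups", launch, token)
        graph_post(f"/groups/{created['id']}/members/$ref", member_ref("<member-object-id>"), token)
```

Run without GRAPH_TOKEN to see the exact bodies before anything touches the tenant; the dry run doubles as the artifact to attach to a change request. Note the two flags that distinguish the group types in the API (mailEnabled/securityEnabled plus groupTypes), since the portal's "Group type" radio button is just a presentation of those fields.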
Group Naming Policies
Group Naming Policies help enforce standardized group names, improving organization and clarity. Naming policies define prefixes, suffixes, and prohibited words, helping ensure consistent group names across your directory.
How to Configure Group Naming Policies
- Access Group Naming Policies: In Microsoft Entra ID, go to Groups > Naming policy.
- Define Prefixes and Suffixes: Add standard prefixes or suffixes to group names (e.g., “Dept_” for department-based groups).
- Prohibited Words: Add prohibited words to prevent the creation of groups with inappropriate or non-compliant names.
- Save Policy: Save the policy; it then applies automatically to all new groups created in Microsoft Entra ID.
Example
Scenario: An organization wants to ensure all department groups have consistent names.
- Prefix: The naming policy enforces a prefix, “Dept_”, for all department groups.
- Prohibited Words: Terms like “admin” and “confidential” are prohibited to prevent misuse of group names.
Result: New department groups are named in a consistent format (e.g., “Dept_Finance”), and inappropriate names are blocked.
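To make the two checks concrete, the block below is an added example (not code from the original page or from Microsoft) that models a naming policy as data and applies it the way the scenario describes: [Attribute] tokens in the prefix or suffix are expanded from the creating user's attributes, and blocked words are matched as whole words, case-insensitively, rather than as substrings, so "Administration" is not caught by a block on "admin". The word tokenisation and the decision to drop an empty attribute are this example's assumptions; the policy values and the user record are constructed. One caveat for practitioners: the Entra naming policy governs Microsoft 365 groups, so treat it as naming hygiene rather than as an access control.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

_ATTR_RE = re.compile(r"\[(\w+)\]")      # [Department], [Office], ... inside a prefix/suffix
_WORD_RE = re.compile(r"[A-Za-z0-9]+")   # what counts as a "word" for blocked-word matching (assumption)


@dataclass(frozen=True)
class NamingPolicy:
    prefix: str = ""                      # fixed text, [Attribute] tokens, or both
    suffix: str = ""
    blocked_words: Tuple[str, ...] = ()   # compared case-insensitively, whole words only


def expand_template(template: str, creator: Dict[str, str]) -> str:
    """Replace [Attribute] tokens with the creating user's values; an empty attribute becomes
    an empty string (this example's choice, so a raw token never leaks into the final name)."""
    return _ATTR_RE.sub(lambda m: creator.get(m.group(1)) or "", template)


def blocked_words_in(policy: NamingPolicy, name: str) -> List[str]:
    """Blocked words that appear as whole words in the requested name (no substring search)."""
    words = {w.lower() for w in _WORD_RE.findall(name)}
    blocked = {w.strip().lower() for w in policy.blocked_words if w.strip()}
    return sorted(words & blocked)


def apply_naming_policy(policy: NamingPolicy, requested_name: str, creator: Dict[str, str]) -> str:
    """Final display name with prefix and suffix applied, or ValueError if a blocked word is used."""
    hits = blocked_words_in(policy, requested_name)
    if hits:
        raise ValueError(f"group name contains blocked word(s): {', '.join(hits)}")
    return expand_template(policy.prefix, creator) + requested_name + expand_template(policy.suffix, creator)


# Constructed policy and user: the scenario's "Dept_" prefix plus an office suffix and two blocked words.
POLICY = NamingPolicy(prefix="Dept_", suffix="-[Office]", blocked_words=("admin", "confidential"))
CREATOR = {"Department": "Finance", "Office": "Seattle"}

if __name__ == "__main__":
    print(apply_naming_policy(POLICY, "Finance", CREATOR))       # Dept_Finance-Seattle
    print(blocked_words_in(POLICY, "Finance Admin Team"))         # ['admin']
    print(blocked_words_in(POLICY, "Administration Records"))     # []
```

The policy object is the thing to keep in version control: a reviewer can diff a change to the blocked list or a prefix far more easily than a screenshot of the portal page.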
Group Expiration Policies
Group Expiration Policies automatically delete unused or inactive groups after a specified period, helping organizations manage the lifecycle of groups and reduce clutter in Entra ID.
How to Configure Group Expiration Policies
- Navigate to Expiration Settings: In Microsoft Entra ID, go to Groups > Expiration policy.
- Set Expiration Period: Choose an expiration period (e.g., 180 days). Groups will expire after this period unless renewed.
- Renewal Notification: Entra ID will send notifications to group owners before expiration, allowing them to renew the group if it’s still needed.
- Automatic Deletion: If the group owner does not renew, the group is automatically deleted after the expiration period.
Example
Scenario: A company creates temporary project groups for short-term projects. These groups should expire after the project ends.
- Set Expiration: The admin sets the expiration policy to 90 days for project groups.
- Renewal Reminders: Before expiration, group owners receive notifications, allowing them to renew the group if necessary.
- Automatic Deletion: If the project group isn’t renewed, it’s automatically deleted, keeping the directory clean.
Summary
Microsoft Entra ID Groups are powerful tools for managing access and permissions across Azure and Microsoft 365 environments. They enable secure and efficient access control, and they simplify management by grouping users with similar needs together. Here’s a summary:
- Microsoft 365 Groups are designed for collaboration, with shared resources like mailboxes, calendars, and document libraries.
- Security Groups are used for access control and permissions management, supporting Conditional Access policies and RBAC.
- Assigned Membership groups require manual membership management, while Dynamic Membership groups automatically update based on rules.
- Naming Policies ensure consistent group names, while Expiration Policies manage group lifecycles.
Microsoft Entra ID Groups simplify access control, enhance security, and improve collaboration, making them essential for organizations using Azure and Microsoft 365.
