byteben | a technical blog

Azure AD Groups – in a nutshell

Not the longest post in the world but “Groups” are going to be quite pivotal in how you manage users and devices in Azure AD. In this post we will cover the basic Azure AD group and membership types. We will also look at how we can create Groups in both the Azure AD Portal and by using PowerShell.

We will cover:-

  • What is a Group and why should we use one
  • Group Types
  • Group Membership
  • Create a Group in the Azure AD Portal
  • Create a Group using PowerShell

1. What is a Group and why should we use one

If you are reading this post, the chances are that you are fairly new to Azure AD. Like many of us, when we spin up our first tenant we assign resources to our test user/s. As we get more familiar with the products, assigning users to resources becomes more onerous. Many of us will have some kind of background in Active Directory and understand that we use Active Directory Groups to assign resources to users in our domain.

Azure AD is no different, the concept is identical. We assign users (or members) to groups and assign resources to those groups. Azure AD Groups have features that set them apart from their Active Directory cousins – we will go through these features in the following sections.

2. Group Types

As of writing this post, we can create two types of Groups in Azure AD


Security Groups

A Security Group will be used to collectively assign resources to users. For example, assigning Intune Configuration Policies. If we assign resources to Users, we have to manually update each resource assignment whenever we want to make a change. By using a Security Group, we assign the resource to the Group once and adjust the Group members to reflect who has access to the resource.

Office 365 Groups

An Office 365 Group gives every group member access to a Group email address (specified during creation) and a SharePoint site, and is best suited to situations where collaboration is required between internal and/or external users. Office 365 Groups are one of the underpinning technologies of Microsoft Teams. Think of them as the traditional Active Directory mail-enabled security groups – with a “Nitro” button.

3. Group Membership

This is where, in my opinion, the real difference between Active Directory and Azure AD Groups lies. There are three membership types available to Azure AD Groups, depending on which Group type you choose to create:

  • Assigned
  • Dynamic User
  • Dynamic Device

Before we go into each of these Membership types, let us first establish when they can or cannot be used.

An Assigned Membership Type means that members (users or devices) are added to and removed from the Group manually.

A Dynamic User Membership Type lets you add or remove users to and from the Group automatically based on one or more of their account attributes. Once the Membership rules are defined, Users are added and removed dynamically.

A Dynamic Device Membership Type is not available for Office 365 Group Types. It allows you to dynamically add or remove Devices to the Group based on one or many of the Device attributes. Once the Membership rules are defined, Devices are added/removed dynamically.

You can create a dynamic group for either devices or users, but not for both. You also can’t create a device group based on the device owners’ attributes: device membership rules can only reference device attributes. For more information about creating a dynamic group for users and devices, see Create a dynamic group and check status: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

Membership rules are defined as expressions. Let’s have a look below at an example. You can find a list of supported properties and their values at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership#supported-properties

You build the expression by selecting the properties and values and choosing + Add Expression


In the example above, the Group will include all users who have an enabled account and the “Disable Password Expiration” flag set. You can manually edit the expression by clicking the Edit button


More information can be found on creating Dynamic Groups at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-create-rule

4. Create a Group in the Azure AD Portal

1. Navigate to https://portal.azure.com, sign in as a Global Administrator and select Azure Active Directory


2. Select Groups


3. Select + New Group


4. Enter the following information:-

  • Group Type: Security
  • Group Name: Corporate Twitter Users
  • Membership type: Assigned
  • Members: Add some members to the group who will access the corporate social media Twitter app


5. Click Create

5. Create a Group using PowerShell

To create Groups using PowerShell, you will need the Azure AD PowerShell module. If you have WMF 5 (Windows 10) or the MSI based installer for PowerShell 3 and 4 you can use PowerShellGet to install the module.

1. Install the module from the PowerShell Gallery using the following command. PowerShell will need to be running with local administrator credentials.


Choose A or Y to accept the changes

The module will begin to install


2. Either re-launch PowerShell to import the AzureAD module automatically or run the command Import-Module AzureAD

3. Run Get-Module AzureAD to verify the module has installed and loaded


4. To view all 188 commands available in this module, run Get-Help AzureAD


5. Before we can run those commands, we have to authenticate our session and connect to Azure AD. Let's run the following:-

When prompted enter your Administrator credentials for Azure AD and click OK


Now let's connect to Azure AD with these credentials. Let's run the following:-


6. Let's create a Security Group with an assigned membership type. We will create the same Group we created in section 4 for our Corporate Twitter Users


7. Now we want to add some users to our new Security Group. The cmdlet requires the ObjectId of the Group and the ObjectId of the member(s) you are adding, passed in the RefObjectId parameter. Looking up the ObjectId of each member by hand can be laborious, but you can pass it much more simply by using the following code:-


or we can iterate through an array of users


and we can view the membership of our group by running the following command

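The screenshots for the steps in this section did not survive, so here is the whole section 5 procedure as one re-runnable script. This is an added example, not code from the original post: the group name comes from the post, while the user principal names in $members and the contoso.example domain are constructed placeholders. Cmdlet names and parameters are those of the AzureAD module the post installs.

```powershell
# Added example, not code from the original post. Strings together the steps of
# section 5 using the AzureAD module. The user principal names in $members and
# the contoso.example domain are constructed placeholders.

# 1. Install the module from the PowerShell Gallery (elevated PowerShell is needed
#    for the default AllUsers scope). Answer Y or A when asked to trust the repository.
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD
}

# 2./3. Load the module and confirm it is present.
Import-Module AzureAD
Get-Module AzureAD | Select-Object Name, Version

# 4. Count the cmdlets the module exposes (Get-Command -Module is the cmdlet-level
#    way to list them).
(Get-Command -Module AzureAD).Count

# 5. Authenticate. Connect-AzureAD -Credential only works for accounts without
#    multi-factor authentication; for an MFA-protected admin account run plain
#    Connect-AzureAD and use the interactive sign-in prompt instead.
$creds = Get-Credential -Message 'Azure AD administrator account'
Connect-AzureAD -Credential $creds

# 6. Create the security group, reusing it if it already exists so the script can be re-run.
$groupName = 'Corporate Twitter Users'
$group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    # MailNickName is mandatory for New-AzureADGroup even when the group is not mail-enabled.
    $group = New-AzureADGroup -DisplayName $groupName `
        -Description 'Users who may use the corporate Twitter app' `
        -SecurityEnabled $true -MailEnabled $false -MailNickName 'NotSet'
}

# 7. Add members. Add-AzureADGroupMember wants the group ObjectId and the member
#    ObjectId (RefObjectId). Get-AzureADUser accepts a UPN in -ObjectId, so no GUID
#    has to be looked up by hand. Users already in the group are skipped, because
#    adding an existing member makes the cmdlet throw.
$members = @('alice@contoso.example', 'bob@contoso.example')   # constructed sample input
$existing = (Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true).ObjectId
foreach ($upn in $members) {
    $user = Get-AzureADUser -ObjectId $upn
    if ($existing -contains $user.ObjectId) {
        Write-Host "$upn is already a member"
        continue
    }
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Added $upn"
}

# View the resulting membership.
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Select-Object DisplayName, UserPrincipalName
```

The existence checks are there so the script can be run again after a partial failure without creating a duplicate group or erroring on a member that was already added.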

This post should give you a nice introduction to Groups in Azure Active Directory (Azure AD). We covered the Group and Membership Types available and how to create groups using the Azure Portal and the AzureAD PowerShell module.

Hope to see you next time 🙂

a blog by Sander Berkouwer

Using Azure AD’s Dynamic Memberships for Groups to Assign Mutually Exclusive P1 and P2 licenses


Azure AD’s Dynamic Memberships for Groups and Assigning Licenses to Groups features can be used to circumvent the overlap that might occur when user accounts are assigned both an Azure AD P1 and Azure AD P2 license.

In this blogpost, I’ll walk you through the scenario.

About Azure AD licensing

Today, Azure Active Directory offers three subscription licenses; free, premium and premium P2. The plain ‘Premium’ licenses are commonly referred to as P1 licenses to distinguish them from the more elaborate and costly P2 licenses.

The table on the Azure Active Directory pricing page details the differences between the free, premium P1 and premium P2 subscription licenses.

Azure AD Premium P2 subscription licenses include Azure AD Premium P1 subscription licenses. Therefore, for any organization using a mix of these two licenses in their Azure AD tenant(s), it’s important to make sure any account is not both assigned an Azure AD Premium P1 subscription license and an Azure AD Premium P2 subscription license. Dynamic groups are useful to make this distinction within an Azure AD tenant.

About Dynamic Memberships for Groups

The first Azure AD feature we use in this scenario is the Dynamic Groups feature. In Azure Active Directory, admins can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group memberships reduce the burden of adding and removing users to groups manually. You can set up a rule for dynamic membership on security groups and Office 365 groups.

The dynamic nature is delivered through continuous re-evaluation; when any attribute of a user or device changes, Azure AD evaluates all dynamic group rules to see if the change would trigger any group membership changes. If a user or device satisfies a rule on a group, they are dynamically added as a member of that group. If they no longer satisfy the rule, they are removed.

You can't manually add or remove a member of a dynamic group.

About Assigning Licenses to Groups

The second Azure AD feature we use is the ability to assign licenses to groups. This feature makes it very easy not just to assign licenses to groups, but also to report on licenses, based on the number of members of an aptly-named group. When used with Access Reviews, the possibilities seem endless.

Getting ready

For this scenario, I’ll assume you have an Azure AD tenant with both a registered Azure AD Premium P1 subscription and a registered Azure AD Premium P2 subscription.

To perform the steps where we create a group below, you will need to sign in with an account that has the Global administrator role assigned. To perform the steps where we assign the license to the newly created group, the Global administrator role suffices, but the License administrator role is also good enough.

Getting the required information

To create the dynamic membership rules, we first have to get some information out of the Azure AD tenant.

Use the following lines of PowerShell on a system with the Azure AD PowerShell Module installed to get the Stock Keeping Unit (SKU) information on the available subscription licenses in the Azure AD tenant:

Get-AzureADSubscribedSku | Select-Object SkuId, SkuPartNumber | Format-Table

We need the SKU for the Azure AD Premium P2 subscription license. Copy the GUID for the ServicePlanID for the AAD_PREMIUM_P2 subscription license SKU. The GUID might be different between Azure AD tenants, depending on the way Azure AD Premium P2 subscription licenses are acquired, but it should look something like this:

eec0eb4f-6444-4f95-aba0-50c24d67f998

How to create the group to assign P2 licenses

The need for Azure AD Premium P2 licenses is based on a couple of scenarios:

  • User accounts for people who create, perform and/or finish Azure AD Access Reviews
  • Privileged accounts for admins who need to perform Privileged Identity Management (PIM) to gain access to their administrator roles
  • Admins who want to use the expanded Risk events and Risky users reports as part of Azure AD Identity Protection, admins who want to set risk-based Conditional Access policies in Azure AD Identity Protection and admins who want to require multi-factor authentication registration as part of Azure AD Identity Protection
  • Admins who want to use the Entitlement Management Public Preview features and other future Azure AD Identity Governance features

Create the group

Follow these steps to create the group in the Azure AD portal:

  • Sign in to the Azure portal using an account that has the Global administrator role assigned.
  • In the left navigation pane, click on (the icon of) Azure Active Directory .
  • In Azure AD’s navigation menu, click on Groups .
  • Click + New Group .
  • For Group Type select Security from the drop-down list
  • As the Group name specify a group name that fits the organization’s naming convention
  • Use the Group description to denote that this group assigns Azure AD Premium P2 licenses to its members
  • As the Membership type select Assigned .
  • Click Members , select the user accounts in the Azure AD tenant that you want to assign Azure AD Premium P2 licenses.
  • Click the Select button at the bottom of the pane to return to the New Group pane.
  • Click the Create button at the bottom of the New Group pane.

Assign the P2 license

Perform these steps to assign Azure AD Premium P2 subscription licenses to the group’s members in the Azure Portal:

  • In the left navigation pane, click on (the icon of) Azure Active Directory again.
  • In Azure AD’s navigation menu, click on Licenses .
  • In the Licenses menu, click on All Products .
  • Select Azure AD Premium P2 or a subscription license that includes Azure AD Premium P2 from the list of All products by clicking on the selection square in front of it.
  • Click + Assign .
  • In the Assign license pane, select Users and Groups .
  • Select the previously created security group.
  • Click Assignment options in the Assign license pane.

License assignment options for EMS E5, including the Azure AD Premium P2 subscription license

  • Click OK at the bottom of the blade.
  • Click the Select button at the bottom of the pane to go back to the Assign license pane.
  • Click the Assign button at the bottom of the Assign license pane.

How to create the group that assigns P1 licenses to other users without overlap

Now, let’s create the second group. This will be a group with dynamic user memberships. Perform these steps:

  • As the Membership type select Dynamic User .
  • Click Add dynamic query .
  • In the And/or column select And from the drop-down list.
  • In the Property column type assignedPlans
  • In the Operator column select Any from the drop-down list.
  • In the Value column type (assignedPlan.servicePlanId -neq " <PasteP2SKUHere> ")

The Dynamic membership rules pane

  • Click the Save button at the top of the Dynamic membership rules pane.

Assign the P1 license

Follow these steps to assign Azure AD P1 subscription licenses for users that do not have Azure AD Premium P2 subscription licenses assigned:

  • Select Azure AD Premium P1 from the list of All products.
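The same two pieces of the scenario, finding the P2 service plan id and creating the dynamic group that excludes P2 holders, can be done from PowerShell, with a client-side check that the resulting membership really contains no P2-licensed users. This is an added example, not code from the original post. It assumes the AzureAD module, an open Connect-AzureAD session as Global administrator, and a P2-licensed tenant; the group display name is a constructed placeholder. The membership rule string below uses the -all/-ne form from the Azure AD dynamic membership documentation rather than the post’s -any/-neq expression; that substitution is mine. Assigning the license to the group itself has no cmdlet in the AzureAD module, so that step stays in the portal as described above.

```powershell
# Added example, not code from the original post. Assumes the AzureAD module and an
# open Connect-AzureAD session with a role that can create groups. Group name is a
# constructed placeholder.

# 1. Find the service plan id for AAD_PREMIUM_P2. Get-AzureADSubscribedSku returns
#    SKUs; each SKU carries a ServicePlans collection whose entries hold the
#    ServicePlanId that a membership rule on assignedPlans compares against.
$p2Plan = Get-AzureADSubscribedSku |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq 'AAD_PREMIUM_P2' } |
    Select-Object -First 1
if (-not $p2Plan) { throw 'No AAD_PREMIUM_P2 service plan found in this tenant' }
$p2PlanId = $p2Plan.ServicePlanId   # a GUID like the one quoted in the post

# 2. Rule for "users none of whose assigned plans is P2". This is the -all/-ne form
#    from the Azure AD dynamic membership documentation, chosen here by me; the
#    post's expression is written differently.
$rule = "(user.assignedPlans -all (assignedPlan.servicePlanId -ne `"$p2PlanId`"))"

# 3. Create the dynamic user group. New-AzureADMSGroup (not New-AzureADGroup) takes
#    the rule; processing state On makes Azure AD start evaluating it.
$p1Group = New-AzureADMSGroup -DisplayName 'LIC-AzureAD-P1-NoP2' `
    -Description 'Dynamic: users without an Azure AD Premium P2 service plan' `
    -MailEnabled $false -SecurityEnabled $true -MailNickname 'licaadp1nop2' `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 4. Independent client-side check: which users actually hold an enabled P2 plan?
#    Run this after Azure AD has finished evaluating the rule (this can take minutes).
function Get-UsersWithEnabledPlan {
    param([string]$ServicePlanId)
    Get-AzureADUser -All $true | Where-Object {
        $_.AssignedPlans | Where-Object {
            $_.ServicePlanId -eq $ServicePlanId -and $_.CapabilityStatus -eq 'Enabled'
        }
    }
}
$p2Users   = (Get-UsersWithEnabledPlan -ServicePlanId $p2PlanId).ObjectId
$p1Members = (Get-AzureADGroupMember -ObjectId $p1Group.Id -All $true).ObjectId

# A user in both sets would end up holding P1 and P2 at once, the overlap this post
# sets out to avoid.
$overlap = $p1Members | Where-Object { $p2Users -contains $_ }
if ($overlap) {
    Write-Warning "$(@($overlap).Count) member(s) of the P1 group also hold an enabled P2 plan"
} else {
    Write-Host 'No overlap: the P1 group contains no P2-licensed users'
}
```

Step 4 is the part worth keeping around: a dynamic rule is only as good as its expression, and comparing the group’s actual membership against the users’ AssignedPlans is a cheap way to catch a rule that matches more (or fewer) people than intended before a licence assignment is attached to it.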

Using two features for Azure AD groups, we can create a strong solution to tackle the scenario to mutually exclusively assign Azure AD Premium P1 subscription licenses and Azure AD Premium P2 subscription licenses.

Thanks to Daniel Stefaniak for his help tackling this scenario.

Further reading

  • Dynamic membership rules for groups in Azure Active Directory
  • Create a dynamic group and check status
  • Dynamic Group Membership in Azure Active Directory (Part 1)


Posted on August 29, 2019 by Sander Berkouwer in Entra ID , Systems Administration , Tools I Use

2 Responses to Using Azure AD’s Dynamic Memberships for Groups to Assign Mutually Exclusive P1 and P2 licenses


The above does not work: first, -neq is not valid syntax, and secondly a user will be assigned many other SKUs that are -ne to the SKU you are trying to exclude on, so this rule will ALWAYS be true and include ALL enabled users regardless of whether or not they are assigned the SKU below.

(user.assignedPlans -any (assignedPlan.servicePlanId -ne "SKU#"))


The below worked for me; the SKU is for Power BI Pro. You can find your SKU here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-service-plan-reference

user.assignedPlans -any (assignedPlan.servicePlanId -eq "70d33638-9c74-4d01-bfd3-562de28bd4ba" -and assignedPlan.capabilityStatus -eq "Enabled")


Assigning groups to Azure AD roles and Privileged access groups, a first look!

On August 13th 2020, Alex Simons (Microsoft Identity PM) announced that assigning groups to Azure AD roles is now in public preview. This feature is one of the most requested features in the Azure AD feedback forum.

I have been following this feature request for a while now, and up until recently Microsoft stated that implementing Azure AD role assignment for Azure AD groups wasn’t the issue; the issue was who is able to manage those groups. For example, once enabled, how do we prevent someone with the “User Administrator” role (who can add users to groups) from adding someone to the group used to assign Global Administrator rights? When implemented incorrectly, this new “feature” could introduce a new security risk in your environment.

Assigning groups to Azure AD roles requires an Azure AD Premium P1 license at minimum, for the Privileged Identity Functionality an Azure AD Premium P2 license is needed.

Disclaimer:  This post reflects the status of assigning groups to Azure AD roles as of August 20, 2020. Functionality may change, even right after this post has been published.

So, let’s walk through what was announced and see.

So, up until now when you wanted to assign a user an Azure AD role, you had to include the user account directly in the role. Verifying which account has what privileges is therefore hard, especially if you don’t have Azure AD Privileged Identity Management (PIM) licensed.

For a more in depth overview of what Azure AD Privileged Identity Management (PIM) is, please see another blogpost I wrote on this subject here: Lessons learned while implementing Azure AD Privileged Identity Management (PIM)

Changed behaviour while adding members to Azure AD Roles

On the topic of PIM, I also noticed some changed functionality when adding users with PIM enabled in your environment. Without PIM you assign a user to a role directly; with PIM enabled, assigning an Azure AD role redirects you to the Privileged Identity Management blade, where you create either an Eligible (must be activated) or an Active (always active) assignment.


Adding users to Azure AD roles via Group membership

In order to add users to Azure AD roles via Group membership you first have to create a new group, so it’s not possible to repurpose an existing group for this.

New groups have the option to set the “Azure AD roles can be assigned to the group (Preview)” option which can be set to either “No” or “Yes”. When you switch this setting to ‘Yes’ the group’s eligibility for role assignment is permanent. Besides that you can only have a membership type of Assigned, so using Dynamic Groups is not supported, and within the wizard you can only add users as member and not groups (group nesting). Interestingly, you can assign multiple Azure AD roles to the group.
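The same role-assignable group can be created and wired to a role from PowerShell, which also makes it easy to audit the question raised earlier in this post: who owns and manages the groups that carry Azure AD roles? This is an added example, not code from the original post. It assumes the AzureADPreview module (which exposes the IsAssignableToRole switch and the role assignment cmdlets) and a session opened with Connect-AzureAD as Global Administrator or Privileged Role Administrator; the group name is a constructed placeholder and Helpdesk Administrator is just an illustrative role.

```powershell
# Added example, not code from the original post. Requires the AzureADPreview module
# and a Connect-AzureAD session as Global Administrator or Privileged Role
# Administrator. Group name is a constructed placeholder.

# Create a role-assignable group. As the post notes, this must be a new group
# with Assigned membership; the flag cannot be set on an existing group.
$group = New-AzureADMSGroup -DisplayName 'ROLE-Helpdesk-Admins' `
    -Description 'Members receive the Helpdesk Administrator role' `
    -MailEnabled $false -SecurityEnabled $true -MailNickname 'rolehelpdeskadmins' `
    -IsAssignableToRole $true

# Look up the role definition and assign it to the group at directory scope.
$roleDef = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
New-AzureADMSRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $group.Id -DirectoryScopeId '/'

# Audit: every role-assignable group in the tenant, the roles it carries, its
# owners and its member count. Owners of these groups can change who holds the
# roles, so this list is the one to review regularly.
function Get-RoleAssignableGroupReport {
    Get-AzureADMSGroup -All $true |
        Where-Object { $_.IsAssignableToRole -eq $true } |
        ForEach-Object {
            $g = $_
            $roles = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($g.Id)'" |
                ForEach-Object { (Get-AzureADMSRoleDefinition -Id $_.RoleDefinitionId).DisplayName }
            $owners  = (Get-AzureADGroupOwner  -ObjectId $g.Id -All $true).UserPrincipalName
            $members = @(Get-AzureADGroupMember -ObjectId $g.Id -All $true)
            [pscustomobject]@{
                Group   = $g.DisplayName
                Roles   = ($roles  -join ', ')
                Owners  = ($owners -join ', ')
                Members = $members.Count
            }
        }
}

Get-RoleAssignableGroupReport | Format-Table -AutoSize
```

A group in this report with no roles attached, or with owners outside the administrator population, is worth a second look; the first is a left-over that still carries the elevated creation right, the second is exactly the management gap the post discusses.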


If you want to create the Group with the “Azure AD roles can be assigned to the group (Preview)” option enabled you will get an extra confirmation screen:


The option “Azure AD roles can be assigned to the group (Preview)” is only visible if you are member of either the Global Administrator or Privileged Role Administrator role.


Privileged access groups

Once a group with the option to enable Azure AD role assignments is created and you have PIM enabled, a new option becomes available called “Privileged access (Preview)”.


Enabling this option gives us the following options:

Define Eligible or Active assignments to the group

On the group you can assign members or owners using the capabilities provided by PIM. So for example, while adding our user as a member of the group permanently earlier in this article, I now have the option to make the membership Eligible. Also notice that this assignment type is time bound, with a maximum of 1 year.


It’s also interesting to notice that if you want to update an Active Assignment you will not be allowed to Permanently assign an Active role by default. And that assigning an Active role has a maximum allowed assignment duration of 6 months. Once the group is enabled for Privileged Access and you want to add a member, then you don’t have the option “Permanently assigned” available. Also notice that providing a justification is mandatory.


The default options described above are configurable through the settings, so you can adjust them to your requirements.


Activating your Azure AD role while using Privileged access groups

It’s interesting to see that once a user is set to Eligible for the privileged access group, the Azure AD role doesn’t show up under Eligible Assignments when the user browses to My Roles in PIM. To activate the Azure AD role in this scenario, the user must go to Privileged access groups (Preview) and activate the role from there.


Once the role is activated via the group, it will show up under Active assignments, and what’s interesting to see is that at this time it’s still displayed as being permanent. But I expect that to be fixed while the functionality is still in preview.

Within the PIM settings of the group you can also specify that any Activation request for the group must be approved. This works similar to approval in PIM as we already know it. You define that approval is mandatory and specify who can approve. This can either be a user or a group.


If the user now requests to activate the privileged access group, he will receive the message that the request is pending for approval


The approver doesn’t see the request under Privileged Identity Management | Approve requests, but has to go to Privileged Identity Management | Privileged access groups (Preview) and select the group; from there the Approve Requests functionality allows the request to be approved.


I hope this walkthrough gave you an idea on the new possibilities as announced in the public preview. And there is much more to cover actually when it comes to PIM, like more in depth information about auditing and access reviews.

Microsoft has addressed its own concerns by only allowing Global Administrators and Privileged Role Administrators to create the groups enabled for Azure AD role assignment. And having this functionality combined with Privileged Identity Management (PIM) makes the solution even better. Another reason to buy an Azure AD Premium P2 license for your administrative accounts at least.

A winning feature of using Privileged access with Azure AD Groups is that you can enable multiple Azure AD roles at once; this could save you creating a custom role in some cases when using PIM.

While there are still some little fixes which must be applied, for now this looks like a welcome addition for any Azure AD tenant using Premium functionality.

Further reading:

  • Assigning groups to Azure AD roles is now in public preview!
  • Use cloud groups to manage role assignments in Azure Active Directory (preview)
  • Management capabilities for privileged access Azure AD groups (preview)

2 thoughts on “Assigning groups to Azure AD roles and Privileged access groups, a first look!”

Is it possible to make the Security Admin role a member of Privileged Role Admin in Privileged Identity Management in Azure AD?

GoLinuxCloud

Azure AD Groups Examples [Create & Manage]

Getting started with Azure AD groups

In the simplest terms, an Azure AD group is a container for users. An Azure AD group helps organize users making it easier to manage their corresponding access level and permissions. Azure AD allows us to group a certain set of permissions and assign them further in the form of roles. There are a number of predefined roles available in Azure AD and if we have a Premium P1 or P2 subscription we could create our own custom roles as well. These roles can be mapped to groups.

The users that are members of a particular group will inherit the permissions from the role mapped to that group, rather than having to perform the tedious task of assigning a role to each individual user manually by hand. For example, we know that both Ram and Sham are going to be in the Finance group, we can give them the necessary role so that they have the appropriate permissions at the group level rather than assigning it to both of them individually.

Each group can have an owner of the group and an owner manages the properties of that group object.

Types of Azure AD Groups

Azure AD allows us to define two different types of groups.

1. Security groups

These are the most common and are used to manage member and computer access to shared resources for a group of users. For example, you can create a security group for a specific security policy. By doing it this way, you can give a set of permissions to all the members at once, instead of having to add permissions to each member individually. This option requires you to have Azure AD administrator rights.

2. Office 365 groups

These groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. Since this category of groups does not involve access to critical infrastructure resources, it’s made available to users as well as admins.

Different ways to add members to Azure AD Groups

There are basically three different ways you can assign access rights

1. Assigned

This option lets you add specific users to be members of this group and to have unique permissions.

2. Dynamic User

This option allows you to use dynamic membership rules to automatically add and remove members. If a member's attributes change, the system checks your dynamic group rules for the directory to see whether the member now meets the rule requirements (and is added) or no longer meets them (and is removed).

3. Dynamic Device (Security groups only)

The earlier two options are mainly used to assign group memberships to human users while with this category you could manipulate group memberships or permissions assigned to devices connected/authenticated with your Azure AD tenant. You use dynamic group rules to automatically add and remove devices. If a device's attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added) or no longer meets the rules requirements (is removed).

Create and manage Azure AD groups Examples

Have you given some thought to which groups you need to create? Would you directly assign or dynamically assign membership? In the following section of the article, we will learn how to create groups in Azure Active Directory. So far, we’ve learned what are Azure AD groups and how they could be helpful. In this section we will have a practical demonstration on how we could create a dynamic security group and then assign ourselves as a member to that group.

Creating an “Assigned” membership type group

Let’s log in to the Azure portal and inside the search bar, type in Azure Active Directory . Click on the Azure AD service and this will take us to the Azure AD service management page.


We are now inside our Azure AD tenant and from here we will click on the Users tab.


You might have some users already added here if your organization is already actively using an Azure AD tenant. For the purpose of our demonstration, we will create a new user and we will name this user demo. Under the Users section, click on the New User button.


Under the new user creation page, we will not go through all the different attributes for the user since we’ve already gone through the process in depth in a previous article . But we would like to show you the Job Info section as this could be used for dynamic group assignment at a later stage. Also, please note that we do not assign any group to the user at the moment at creation time.


Once we click on the Create button our user will be created and we may verify the same by going back to the users page.


Now that we have created our user, let’s go back to the Azure AD service page. Now, click on the Groups button under the Manage section of the page.


Once you open the groups page, here click on the New group button.


Here, we need to select the group name, group type and we may also add an optional description . We could specify an owner for the group as well if it’s warranted.

Once we have provided values for the mandatory fields, click on Create. Group creation takes a couple of seconds; once it is complete the group is visible on the Groups page as shown below.

To add members to the group, click the group name. This shows the group properties, with a management pane on the left side of the page. Under the Manage section, click on Members.

We did not add any members during group creation, so the list is empty for now.

Click on the Add members button. This opens a search window where we can type the name of the entity we wish to add as a member of this group. In our case, we search for the user we created earlier.

Click on the demo user and then click the Select button. This adds the user to our demo group.

A couple of things are worth noting about the above demonstration. We used the free tier of Azure AD, and with the free subscription you cannot associate roles with groups, nor can you use dynamic group membership.

Dynamic group assignment requires an Azure AD Premium P1 or P2 subscription.

We will now share a scenario in which we use an Azure AD Premium P2 subscription and demonstrate how to create a group with dynamic member assignment.

Creating a “Dynamic” membership type group

Groups created with the assigned membership type always have a fixed set of members, and administrator intervention is required to add or remove them. In a fluid, fast-paced organization where employees regularly change job functions, modifying group memberships every time this happens can be a cumbersome task.

To mitigate this, Azure AD lets us create groups with dynamic membership. Such a group carries a membership rule: a user attribute paired with a value and a condition to match. Azure AD uses the rule to query the users in the tenant; users who meet the criteria are added to the group automatically and users who no longer meet them are removed. As long as the rule is clearly defined, this makes group administration much easier. A rule can also combine more than one criterion.

To create a group with dynamic membership, click on the new group button in the Azure AD groups page.

Keep the Group type as Security and set the Membership type to Dynamic User. Notice the mandatory field called Dynamic user members and the button titled Add dynamic query. This is where we specify the property to match when assigning group membership dynamically. Add the query and then click on Create to create the group.

In the above example we use the job title property and match the value accountant. Once this group is created, every user whose job title is accountant is added to the group automatically.
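Both groups built above in the portal, the assigned group that receives the demo user and the dynamic group keyed on job title, can also be created from PowerShell. This is an added example using the Microsoft Graph PowerShell SDK, not code from the article; the tenant domain, display names and mail nicknames are assumed values, and the session needs the Group.ReadWrite.All and User.Read.All scopes.

```powershell
# Added example (not from the article): create an assigned security group, add the
# "demo" user to it, then create a dynamic security group keyed on jobTitle.
# Requires the Microsoft.Graph module: Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

# Group.ReadWrite.All creates groups and manages members; User.Read.All looks up the user.
# Dynamic membership additionally needs an Azure AD Premium P1/P2 licence in the tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Assumed tenant domain; the demo user itself was created in the portal earlier.
$demoUpn  = "demo@contoso.onmicrosoft.com"
$demoUser = Get-MgUser -Filter "userPrincipalName eq '$demoUpn'"
if (-not $demoUser) { throw "User $demoUpn not found" }

# 1. Assigned membership: members change only when an administrator adds or removes them.
$assigned = New-MgGroup -DisplayName "Demo Assigned Group" `
    -MailEnabled:$false -MailNickname "demo-assigned" -SecurityEnabled

New-MgGroupMember -GroupId $assigned.Id -DirectoryObjectId $demoUser.Id

# 2. Dynamic membership: the rule is the same condition the article entered in the
#    "Add dynamic query" dialog. Azure AD evaluates it and maintains the member list itself.
$rule = '(user.jobTitle -eq "Accountant")'
$dynamic = New-MgGroup -DisplayName "Accountants (dynamic)" `
    -MailEnabled:$false -MailNickname "accountants-dynamic" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"   # "Paused" stores the rule without evaluating it

# Verify. The assigned group lists its member straight away; dynamic processing runs in the
# background and can take several minutes, so the dynamic group may still look empty.
Get-MgGroupMember -GroupId $assigned.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

Get-MgGroup -GroupId $dynamic.Id -Property DisplayName, MembershipRule, MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```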

Mapping roles to groups in Azure AD

To manage roles, click on the Roles and Administrators tab in the Manage section of the Azure AD service page.

Here you can view the pre-defined roles that can be assigned to users or mapped to groups.

Click on the role that you’d like to map to a group.

You will notice a tab titled Add assignments, but it is greyed out. Mapping roles to groups requires administrator access; in our case our role is that of an ordinary user, so the option is unavailable to us.

In this article we covered what Azure AD groups are, their different types and the different membership types. We went through a demonstration in which we created a user, created a group and then added the user as a member of the newly created group. We also saw that dynamic group membership requires an Azure AD Premium P1 or P2 subscription, and that only users with administrator privileges can map Azure AD roles to groups.

We referred to Microsoft Azure's official documentation on creating and managing groups; the links are provided below.

  • Create Azure users and groups in Azure Active Directory
  • Manage users and groups in Azure Active Directory
  • Assign Azure AD roles to groups

How to Use Dynamic Group Memberships in Entra ID: Part 1

  • July 20, 2022
  • Blog , Identity Management

Many organizations control access to internal systems by simply relying on whether or not an account is enabled. However, users often change roles throughout their careers within a single organization. For example, a user might start as an intern in one department and then be hired full-time in another department. After a few years, they might go back to school for further training and then switch departments again. At this point, the user might still have access to resources in three different areas, even though most are no longer relevant to their role in the organization.

Another example of access control issues is in situations where the line between multiple roles on a single account is blurred (e.g., students, affiliates, and employees). Simply disabling someone’s account when they leave a role would mean a loss of access to resources they may still need as part of another role. For example, a university employee might quit their on-campus job but still be a student at the institution. Completely disabling this person’s account might prevent them from completing their coursework. Entra ID (formerly Azure Active Directory) access reviews can help with this problem by forcing the user, a manager, or an administrator to periodically attest to the user’s need for access. However, it could be several months before the user’s access is cleaned up. In addition, this approach does not scale well for groups that may include thousands of individuals.

Fortunately, Entra ID offers a solution to help automate access control.

Automated Access Control

You probably have a lot of attributes already set in your Entra tenant, such as department, manager, location, etc. You also have 15 built-in “extension” attributes that can contain whatever value you would like, along with the ability to extend the schema through a custom app registration. Ideally, these attributes are automatically maintained from a source of record, such as your HR system. This allows your Entra tenant to update automatically whenever someone in your HR department makes a change for an employee in the HR system. (As a side note, if you do not have automated inbound provisioning set up for either your on-premises AD or Entra ID environment, reach out to our experts for help.)

You can leverage your automated attributes to create an “access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy” (NIST 800-162). In more informal language, you should set up access to be controlled automatically based on the values of those attributes, instead of using manually maintained groups.

Let’s get started!

Natural Language Policy

When automating access control policies, whether you are using dynamic membership rules on a group in Entra ID, a different automated group management tool, or even custom scripts, you should first think about and describe the access you want to grant in “natural language.”

For example, rather than saying “I want the group to be populated by all users that have extensionAttribute12 set to ‘yes’,” consider using clearer or more natural language such as “I want the group to be populated by all users who have completed security training.”

Outlining your access policies in natural language does two things. First, it allows you to talk about the policies at a level that everyone in the organization can understand. For example, how many people outside your identity and access management (IAM) team know what extensionAttribute12 means or what specific values mean? Second, outlining your policies keeps you from jumping to a technical solution before fully understanding and vetting with stakeholders what the policy might entail. For example, suppose there is more to completing compliance training than you originally thought—such as the training is only required for employees working in Wisconsin. Your original description of the policy on a technical level probably would not have met that requirement, but you wouldn’t have realized it if you had not discussed the potential policy in “natural language” first.

Once you have written out your policy in natural language and vetted it with the relevant stakeholders, you can use dynamic membership rules on a group in Entra ID to implement the policy.

Dynamic Membership Rules in Entra ID

Entra’s dynamic membership rules feature allows you to use any attributes from Entra ID’s base set or custom extension properties from an app registration to construct groups that automatically add and remove members based on those attributes’ values. Groups with dynamic memberships can be either Microsoft 365 or Security groups.

To use dynamic membership rules, you need at least enough Entra ID P1 or P2 licenses for the number of members that will be in the group. However, each user does not need a P1 license assigned in order to be added to a group with a dynamic membership as long as there are at least as many P1/P2 licenses as members to be added.

We have a variety of query operators to work with and are not constrained by simple attribute = value. For example, we can set up expressions based on an attribute containing a certain string, starting with a particular value, or being in a list of values. We can even use a match operator and use a regular expression for extra-complicated rules.

Membership rules can contain multiple expressions joined by or, and, and not. However, we discourage the use of not whenever possible and suggest constructing only positive rules in order to avoid accidentally removing someone.

For instance, suppose a user has two locations represented as “Medical Center; Business School” in a single-valued attribute, and we set up a rule to include everyone who is not in the Medical Center. Although our intention is to include this person, since they also have a location in the Business School, the rule excludes them. In this case it is better to use the “-contains” operator on the location attribute to positively list all the buildings we want, joined together by “-or”, instead of trying to subtract only the Medical Center.
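The pitfall described above, worked through against constructed sample users, as an added example that is not part of the original post. It models the substring semantics of the dynamic-rule “-contains” operator locally in PowerShell; the user list, the “Law School” building and the $groupId placeholder are assumptions, and nothing here talks to Entra ID except the commented Update-MgGroup call at the end.

```powershell
# Added example (not from the article): a local model of how the two rule styles treat a user
# whose single-valued location attribute holds two buildings. It mimics the operator semantics
# described in the text; it is not the Entra ID evaluation engine.

# Constructed sample users. physicalDeliveryOfficeName is a single-valued string in Entra ID.
$users = @(
    [pscustomobject]@{ Upn = "alice@contoso.example"; Office = "Medical Center; Business School" },
    [pscustomobject]@{ Upn = "bob@contoso.example";   Office = "Medical Center" },
    [pscustomobject]@{ Upn = "carol@contoso.example"; Office = "Business School" },
    [pscustomobject]@{ Upn = "dan@contoso.example";   Office = "Law School" }
)

# Rule text as it would be entered as the group's membership rule. In dynamic rules
# "-contains" is a substring match, unlike PowerShell's own -contains (collection membership).
$negativeRule = 'not (user.physicalDeliveryOfficeName -contains "Medical Center")'
$positiveRule = '(user.physicalDeliveryOfficeName -contains "Business School") -or ' +
                '(user.physicalDeliveryOfficeName -contains "Law School")'

function Test-OfficeContains ([pscustomobject]$User, [string]$Value) {
    # Case-insensitive substring match: the semantics of the dynamic-rule -contains operator
    return $User.Office.ToLowerInvariant().Contains($Value.ToLowerInvariant())
}

function Test-NegativeRule ([pscustomobject]$User) {
    # "everyone who is not in the Medical Center": drops any user whose Office mentions it,
    # including a user who is also in another building we wanted to keep
    return -not (Test-OfficeContains $User "Medical Center")
}

function Test-PositiveRule ([pscustomobject]$User) {
    # List the buildings we do want, joined with -or; a multi-location user stays in as soon
    # as one of their buildings matches
    return (Test-OfficeContains $User "Business School") -or (Test-OfficeContains $User "Law School")
}

"Negative rule: $negativeRule"
"Positive rule: $positiveRule"
foreach ($u in $users) {
    [pscustomobject]@{
        User         = $u.Upn
        Office       = $u.Office
        NegativeRule = Test-NegativeRule $u
        PositiveRule = Test-PositiveRule $u
    }
}

# To apply the positive rule to an existing dynamic group (needs Connect-MgGraph with
# Group.ReadWrite.All; $groupId is a placeholder for the group's object id):
# Update-MgGroup -GroupId $groupId -MembershipRule $positiveRule
```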

In Part 2 of this blog post, we will dive into a couple of examples for building out access policies using Entra’s dynamic membership rules feature.

Final Thoughts

Now that you know the basics of what to consider and what tools to use to automate access control, are you ready to get started? Whether you want to clean up access in an existing environment or you are starting fresh, the experts at Ravenswood Technology Group have the business and technical expertise you need. We can take you through all the stages of making automated access control a reality in your organization. Contact our experts today!

Part 2 includes a follow-up on implementing your access policy as dynamic membership rules on an Entra group.

James Babb

Simplifying Office 365 License Control with Azure AD Group-Based License Management

Managing the allocation of Office 365 licenses has been a pain point for many customers. For smaller tenants with simple requirements, the allocation of licensing can either be handled manually on an as-needed basis using the Office 365 admin portal, or built in to a provisioning script or system. For larger tenants, automation is essential, as manual methods are far too time-consuming for any environment with a high rate of change (e.g. dealing with new and departed users, or licensing sub-features and extra applications). In fact, quite a few Office 365 customers have remarked to me recently that managing licenses is one of their biggest challenges, and they’ve invested quite a lot of time into scripting solutions based on Active Directory group membership.

Well the good news, or perhaps bad news considering the investment of time they’ve already made, is that Microsoft has now released Azure AD group-based license management for Office 365. The feature is currently in Preview.

Getting Started with Azure AD Group-Based License Management

Microsoft has made group-based license management available through the Azure portal . Choose Azure Active Directory from the list of services in the portal, and then select Licenses .

Simplifying Office 365 License Control with Azure AD Group-Based License Management

The groups that you can assign licenses to can be created in Azure AD, or synchronized from on-premises Active Directory. The license assignments can be static (i.e. to the members of a group) or dynamic (e.g. based on user attributes such as ExtensionAttribute1). For this demonstration I’m using groups synchronized from on-premises Active Directory with static membership.

The groups I have created will allow me to demonstrate basic license assignment, as well as a more granular approach, and how license assignment is cumulative for users who are members of multiple groups. I’ve created groups named:

  • Licensing_Office365_E3_Base
  • Licensing_Office365_E3_Teams
  • Licensing_Office365_EMS_E3

My goals are:

  • To assign Office 365 E3 licenses with what my organization considers “base” functionality, which is all E3 features except for Yammer, Sway, StaffHub, and Teams
  • To assign Teams access only to specific users in the organization, due to Teams currently being in Preview
  • To assign EMS (Enterprise Mobility + Security) E3 licenses to specific users only

My tenant currently has licenses assigned to users, so I will need to transition users from direct license assignment to groups-based licensing without disrupting their existing services (e.g. Exchange Online mailboxes).

Assigning Licenses to Groups

After navigating to the Licenses section of Azure Active Directory in the Azure portal, you can view the list of products that your organization currently has licenses for.

Simplifying Office 365 License Control with Azure AD Group-Based License Management

Select a product license and click on the Assign button. From the Users and Groups selection, choose the group that you want to assign licenses to, and then click on Select. You can select multiple groups at this stage, for example if you were using department-based groups to assign product licenses to users. I am using product-based groups instead. Either approach will work; it really just depends on how your organization views license management.

Simplifying Office 365 License Control with Azure AD Group-Based License Management

In the Assignment options you can select the sub-features for the license that you’ve chosen to assign to the group. I’ve turned off StaffHub, Teams, Sway, and Yammer for this demonstration.

Simplifying Office 365 License Control with Azure AD Group-Based License Management

Click OK when you’re happy with your selections, and then click Assign to create the license assignment. If there are any errors at this stage you’ll receive a notification in your Azure portal. On my first run through this feature I was getting a notification that “Licenses could not be assigned or removed due to an error”, which I was unable to work out a solution for.

Simplifying Office 365 License Control with Azure AD Group-Based License Management

It appears that the problem was that I was using a Microsoft Account associated with my Azure subscription, and even though the account has access to the Office 365 tenant’s Azure AD (and is a Global Admin) it is not able to be used for administering groups-based license management. Logging on to the Azure portal with the Office 365 tenant admin account allowed me to continue without errors. A strange issue that might impact partner or delegated permissions scenarios, but nonetheless I was able to proceed with the correct account.

After completing the steps above I went back through the same steps to create a license assignment for Teams only, and another for EMS E3. For Teams, I created a license assignment that only enables Teams, which will allow me to fully demonstrate the cumulative nature of groups-based license management.

Simplifying Office 365 License Control with Azure AD Group-Based License Management

Transitioning from Direct to Groups-Based License Management

A few minutes after setting up my group license assignments the Azure portal showed my users’ license status as below. Notice how most of the users have both direct and inherited assignment paths. The names of the groups that licenses are being inherited from, such as Licensing_Office365_E3_Base, are also displayed. Notice also that most users have the full 13/13 services included in an E3 license showing as enabled.

Simplifying Office 365 License Control with Azure AD Group-Based License Management

To transition from direct to groups-based licensing, all we need to do is remove the direct license assignment. This is as simple as selecting one or multiple users who are assigned a specific type of license, and then clicking the Remove button. In the example below, the list of E3 license holders is shown, and I’m removing the direct assignment from the users who also have an inherited assignment via a Group.

Simplifying Office 365 License Control with Azure AD Group-Based License Management

After clicking Remove you’ll get one final prompt before the change is made.

Simplifying Office 365 License Control with Azure AD Group-Based License Management

This transition is best performed in stages so that you can be confident that you’re not disrupting your users’ access to services. If you’re transitioning a full E3 direct license to a full E3 group-based assignment, then the risk is fairly small. However, in cases where you’re adjusting the number of services that the user has access to, you should be more cautious.

Cumulative License Assignments

As I mentioned already, I am using multiple groups to assign licenses. Most of the users in my organization will have a subset of the E3 license features, and a select few will also get access to Teams. After removing the direct license assignments, group-based licensing is in full effect. You can see below that:

  • Users who are only members of the Licensing_O365_E3_Base group get 9/13 services, for example Alannah Shaw
  • Users who are members of both Licensing_O365_E3_Base and Licensing_O365_E3_Teams get 10/13 services, for example Dave Bedrat
  • Users who are only members of the Licensing_O365_E3_Teams group get 1/13 services, for example David Abbott

Simplifying Office 365 License Control with Azure AD Group-Based License Management

This is the level of control that customers have been asking for, so it’s great to see Microsoft delivering on it.

The license assignments are also visible in the Office 365 admin portal, and reflect the same sub-feature license assignment that you can see in Azure. For example, Alannah Shaw has access to most E3 features except for Teams, Sway, StaffHub, and Yammer.
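The same two steps, assigning E3 to the base group with the four sub-features disabled and then removing direct E3 only from users who also inherit it, done with the Microsoft Graph PowerShell SDK. This is an added example, not code from the article (the article and its comments use the portal and the older MSOnline cmdlets); it assumes E3 is the ENTERPRISEPACK SKU, that TEAMS1, SWAY, Deskless and YAMMER_ENTERPRISE are the service-plan names for Teams, Sway, StaffHub and Yammer in that SKU, and that the base group carries the display name used in the article.

```powershell
# Added example (not from the article): assign Office 365 E3 to a group with four service
# plans disabled, then remove direct E3 assignments only where the user also inherits E3.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Groups.Actions
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.ReadWrite.All", "Organization.Read.All"

# Office 365 E3 is the ENTERPRISEPACK SKU. Resolve plan ids from the tenant's own SKU
# rather than hard-coding GUIDs; the four plan names are assumed to exist in this SKU.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "ENTERPRISEPACK"
if (-not $sku) { throw "E3 (ENTERPRISEPACK) is not present in this tenant" }

$plansToDisable  = @("TEAMS1", "SWAY", "Deskless", "YAMMER_ENTERPRISE")
$disabledPlanIds = @($sku.ServicePlans |
    Where-Object { $plansToDisable -contains $_.ServicePlanName } |
    Select-Object -ExpandProperty ServicePlanId)

# The "base" licensing group from the article (assumed to exist already).
$baseGroup = Get-MgGroup -Filter "displayName eq 'Licensing_Office365_E3_Base'"
if (-not $baseGroup) { throw "Licensing group not found" }

# Equivalent of Assign -> Assignment options -> untick the four sub-features -> Assign.
Set-MgGroupLicense -GroupId $baseGroup.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabledPlanIds }) `
    -RemoveLicenses @()

# Transition: licenseAssignmentStates holds one entry per assignment path for a user.
# AssignedByGroup is empty for a direct assignment and holds the group id when inherited,
# which is how the portal shows "Direct" versus "Inherited (group name)".
$users = Get-MgUser -All -Property Id, UserPrincipalName, LicenseAssignmentStates

foreach ($u in $users) {
    $e3States  = $u.LicenseAssignmentStates | Where-Object SkuId -eq $sku.SkuId
    $direct    = $e3States | Where-Object { -not $_.AssignedByGroup }
    $inherited = $e3States | Where-Object { $_.AssignedByGroup }

    if ($direct -and $inherited) {
        # Both paths present: the group keeps the mailbox licensed, so the direct one can go.
        Set-MgUserLicense -UserId $u.Id -AddLicenses @() -RemoveLicenses @($sku.SkuId) | Out-Null
        "{0}: removed direct E3, inherited from group(s) {1}" -f `
            $u.UserPrincipalName, (($inherited.AssignedByGroup | Select-Object -Unique) -join ", ")
    }
    elseif ($direct) {
        # Direct only: not yet in a licensing group, so removing the license would de-provision
        # the mailbox. Report it and leave it for the staged transition.
        "{0}: direct E3 only, not yet in a licensing group" -f $u.UserPrincipalName
    }
}
```

The second half doubles as the "export assignment paths" report several commenters ask for: run it with the Set-MgUserLicense line commented out to list who is direct-only before changing anything.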

Simplifying Office 365 License Control with Azure AD Group-Based License Management

FAQs, Limitations and Caveats

Group-based license management is currently in Preview, and as I’m writing this article the following limitations and caveats apply:

  • The features, behaviors, or availability of group-based license management may change between now and when it becomes generally available.
  • If a user is assigned a license directly as well as via group membership, they only consume a single license.
  • An Azure subscription (trial or paid) is currently required to use group-based license management.
  • Although new and modified license assignments take effect within minutes (e.g. enabling Sway in an existing license assignment), there are situations where a license will not assign automatically, for example if you have more members of a group than available licenses, or when license assignments conflict. Notifications in the portal will advise you of how to remediate the issues, and there’s a Reprocess button available as well to reapply assignments after fixing issues.
  • Membership changes to groups synchronized from on-premises Active Directory will not take effect until after the next sync cycle.
  • Users can have a mix of direct and group-based licenses assigned, for example an E3 license that is group-based, and an EMS license that is directly assigned. Group-based license assignments can only be managed via the Azure portal, and will cause an error if you attempt to modify them via the Office 365 admin portal (at least for now).
  • When new sub-features (or sub-SKU features) are released, Microsoft may enable them automatically by default, requiring you to revisit your group-based license assignments to disable new features from time to time. This should encourage you to keep your group-based license assignments as simple as possible.
  • Nested groups are not currently supported.
  • Removing a user from a license group will result in services being set to a “suspended” stage instead of disabled. Microsoft is using this approach to avoid data loss issues due to accidental removal of group members. You can expect in future that suspended services will eventually age out to a disabled state and data will eventually purge as it does today for de-licensed users.

About the Author

Paul Cunningham

quote: Removing a user from a license group will result in services being set to a “suspended” stage instead of disabled. Microsoft is using this approach to avoid data loss issues due to accidental removal of group members. You can expect in future that suspended services will eventually age out to a disabled state and data will eventually purge as it does today for de-licensed users.

This isn’t correct any more. We have AD groups in our tenant and multiple license tiers. This week we found that removing a user from A1 and putting them into A3 can result in an unrecoverable empty mailbox. A support ticket to MS confirms the data is unrecoverable as we “removed the old license, saved and then applied the new” as far as the audit logs show.

Hi, we run a hybrid environment. Do we create the groups in on-prem AD, let them sync up and then assign the license to that group in Azure? Or do we create the group in Azure and assign the license? If so, what do we do for the on-prem AD group, how does the correlation work? Also, we already have 300+ users each assigned a license directly; would we have to remove those licenses or can we leave them as they are?

We have a security group we add users to that syncs for licensing, which is already too large to parse in a normal time frame via powershell. We are going to expand our licensing to 25,000, do you just cram them into one security group? What is the best practice for this?

I’ve read the PowerShell sample page before and it’s only about getting groups with licenses and removing direct licenses assigned to users. Do you know any way to assign licenses to a group with the option to disable some service plans?

For direct license assigning, it can be done with PS like below, but can’t find how to do it when using group based licensing.

Set-MsolUserLicense -UserPrincipalName $uUPN -AddLicenses $SKUID -LicenseOptions $options

Hello, This is good. Thanks. Once it is all configured as you need (I have mine configured for 39k users… my question, is there any way to powershell / export the configuration to CSV or some other fashion? I’d like to capture and monitor any changes that may happen from other admins, good or bad, and at the very least have something to rely on if it all fell apart for some reason.

Are nested groups possible today?

I am currently using group-based licensing (from on-prem sync to the cloud) to “turn-on” specific plans within an E3 license. This part works great! But, when I remove someone from the Group I noticed that the plan is not being disabled/turned-off after the next sync? Is there something additional that I need to do in order to have the plan turn-off after removing the user from the group?

You could login to AzureAD, navigate to the group and hit the reprocess button manually if you needed it done quickly

For those who came across this post, reference the following Microsoft Docs links: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-migrate-users https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-change-licenses (etc.)

This is a great feature… that is tied to an extremely overpriced Office365 Add-on. License management should be included for the crazy amount of money that E3 licenses add up to.

We’re moving to group based licensing. When I think I have all the groups done I want to pull the list of users and see their assignment paths to make sure there are no direct-only users left. I can’t find a way to export the list of users including assignment path. We have 80k accounts so trying to scroll through the GUI is not an option. Do you know a way to do this? I was also hoping that you could select the group and click remove license and it would only remove the direct one like it says it will; however, it appears to remove the group instead.

This is indeed a very good process. However I would like to know what might happen in the below situation:

1. We create a group. The members of this group will get licenses only for SharePoint Online, Azure MFA and Office Pro Plus. We assign licenses to the group accordingly.
2. Once we assign licenses, we no longer need this group.
3. Hence, we delete the group.

Will the members of the group lose all licenses ?

They would lose their licenses. The group is associated with the licenses, and the licenses are applied to the members. If you delete the group, you could run into problems. (I am looking at it from a synced group perspective).

If you have a group that was deleted, and if you have licenses associated with it, it will have trouble deleting in AzureAD. The best way to delete a group associated with licenses is to remove the license association with the group in AzureAD, then let a sync go through, then you can delete the group on prem. The next sync would then delete the group in AzureAD

Q1: What does a license in a “suspended” state entail. Does this take up an actual license in the portal? Will O365 automatically do something with this license?

Q2: If a user has both direct licenses and group assigned licenses.. will there be any issues with mailboxes be de-provisioned… Just need to ask as I need to make sure this will not impact business.

Better yet for Q2: Do I need to remove the direct licenses? And just make it so that all new users added from here on out are provisioned automatically?

I want to ask if the group based license management can also be done in powershell? I’m trying to find some scripts that could for example disable certain services within the inherited licenses, so far I am only able to find management on directly assigned licenses.

Is there a way to get an email alert when there is an issue with assigning licenses using this method? We have this set up for our organization (25k+ users) and there are issues occasionally where helpdesk will upgrade a user but fail to take them out of the original licensing group. This causes an issue that we can only see by logging into the Azure portal and going to the section “groups with licensing assignment errors”. Is there any way to get alerted on this via email?

There’s PowerShell samples here:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-ps-examples

So it would just be a matter of taking that output and creating email messages via PowerShell to alert you to any results that you want to be alerted to.

Hey there Paul, thank you very much for posting this. Following along with your instructions I am trying to locate the Tenant Admin account.

“Logging on to the Azure portal with the Office 365 tenant admin account allowed me to continue without errors. A strange issue that might impact partner or delegated permissions scenarios, but nonetheless I was able to proceed with the correct account.”

I am not able to locate the tenant admin account, I have Global Admin role added to my separate admin account but I am unable to change the options here.

Would we need to use the billing administrator account for this, or do we use the actual account used to configure the tenancy?

By tenant admin I mean a global admin account in the tenant.

Sigh, created a group with my 1500 users; it took almost 30 minutes before the Direct/Inherited started showing up on their objects.

Now, is there a way to remove any direct licensed objects via PowerShell without having to go through all 20 panels of the GUI? I keep clicking a bunch of them, only to click the wrong spot and have all my selections disappear.

OK, I found that when I run

get-msoluser -userprincipalname (person) | select -expand licenses

… GroupsAssigningLicense : {7abf4c7a-8dbd-4d80-b693-50379774fbeb, a1a05b81-a72d-4b49-a277-e8a6f3607417} …

I can find that the ‘GroupsAssigningLicense’ field has 2 groups populated: some random number (i.e. a direct assigned group), plus the ObjectID of the group that I created.

PS PS:\> get-msolgroup -all | ?{$_.displayname -like "AssignO365License*"}

ObjectId                             DisplayName   GroupType Description
--------                             -----------   --------- -----------
a1a05b81-a72d-4b49-a277-e8a6f3607417 AssignO365... Security

By using a script to blanket remove licenses, it only removes the direct group object ID.

Is there a difference between Office Groups created in Azure AD and in the O365 Portal? Office Groups that I created in Azure AD can get a license, but I do not see Office Groups created in the O365 portal under licensing.

Sounds like Groups (big) vs groups (little G) is the issue.

A Group is an Office 365 collaborative feature. It creates a shared mailbox, SharePoint site, OneNote, Teams, Planner, etc. It can’t be used to assign security permissions.

A group is a security group similar to what we have in on-prem AD, and can be used to assign security permissions.

Only groups (little G) can be used for Azure AD group-based licensing, not Groups.

Paul, thank you for your reply. When I’m in Azure AD and I create a group there I have the ability to enable Office features. When I do this, I have a Group. This G(g)roup has the same functionalities as a Group made in the O365 portal. However, I can now also use the G(g)roup, made in Azure AD, for the license piece.

When I compare in PowerShell a group created in Azure AD and in the O365 Portal, I do not see any differences except the alias.

How can I see the difference between a G(g)roup made in Azure AD and a Group made in the O365 Portal.

A group made in Azure will be only a security group. If you look in the O365 Admin portal under Groups, you’ll see a list of everything in the tenant. These will show if they are “Office 365” (Big G) Groups, or “Security” (Little g) groups.

In our environment we assign licenses using groups. I would like to log the changes done to licensing groups. Is there any possibility to do it?

Yes, look into auditing of Active Directory group membership changes.

Would be interested in your thoughts or insights on this issue – I work for a Higher Education institution and we utilize AAD Connect to sync our on-prem AD with Office 365. Our licensing is limited, and we have put together some procedures to utilize dynamic groups in Azure AD to take care of those. We recently obtained the license for Exchange Online for Alumni – this gives former students (inactive for 1 year) lifetime access to their email but not the Office 365 suite. We use an Extension Attribute to denote which license currently registered students receive as well as those that are in between current and alumni status. Those dynamic groups are working great and assigning licenses beautifully.

The process to change students to Alumni is to move them to a non-syncing OU – this puts them into the Recycle Bin in Office 365 on the next sync. We run a PowerShell script to restore those mailboxes to an In-Cloud only state. After that is complete, we change the CustomAttribute for the dynamic grouping via PowerShell for Exchange Online using the Set-Mailbox command. Although it successfully changes the value in the cloud, the dynamic group the students had before being deleted are still attached to their in-cloud only accounts and the dynamic grouping does not work. Therefore, the group licensing is incorrect – I have tried changing it by hand online as well, but no luck.

I have been unable to find any documentation online regarding whether or not this should work, but I have tested it every which way I know how, and it almost seems that only synced users modify appropriately even though the other users exist in Azure AD. Is there some sort of disconnect between Exchange Online and Azure AD? It is odd to me that all of the attributes reside with the mailbox and not with AD – completely backwards mindset than what I am used to on-prem.

My only thought on resolving the issue (if there is truly no way around it) would be to change the Extension Attribute on-prem, allow a sync to happen which would apply the group licensing as expected. After that is done, complete the process as previously mentioned so, when the student is reactivated from the recycle bin, the correct license group is already attached (since when I restored them before they kept the previous group).

You mention both extension attributes and custom attributes, which are two separate things (Get-Mailbox will list both). Which one are you using for the dynamic group?

AzAD and ExoDS are two separate directories but they are supposed to be in sync. But if you’re changing the wrong attribute that might explain the issue.

Another thing to consider is that maintaining the on-prem AD object for alumni might make things easier and more consistent for you to manage. This process you’re using of soft deleting and then recovering accounts seems awkward and risky to me.

Great article!! What happens to users who are on litigation hold? So when the user leaves the org and litigation hold is applied, will it still remove the license based on group membership or that will be a manual task for the administrator?

If you remove the license after applying lit hold the mailbox should still be preserved as an inactive mailbox. You should test that scenario though, if you’re depending on it.

https://technet.microsoft.com/en-us/library/dn144876(v=exchg.150).aspx

I’ve started using this where customers have multiple profile groups of users who have various different licensing requirements, or have thousands of users worldwide.

It’s great, as when you create the on-prem user and remote mbx you no longer need to then log into the portal to assign the license or script it like I had in the past.

1 question though… a customer of mine had a paid Azure AD subscription for 200 users, however this feature was then available to all 13,000 users in Azure AD. I looked through the above link but cannot see what the caveat is here. Is there one? I.e. if I have a paid Azure AD sub for even 1 user, is this feature available for all users in the tenant? Thanks

Yeah for some features a single license is all it takes to light up a feature. But that isn’t the same thing as being license compliant, so your customer still needs to make sure they have the right number of licenses for the users they are using a feature with.

When will this feature become available?

How often does Azure AD process the license assignment? How do you edit or remove the group based assignment? How did you get to where it displays the users and their licenses? I did not see where I could choose an extension attribute, only groups. Is that a licensing feature? Did you use Azure AD Premium? I only have Azure AD Basic; perhaps it is less functional?

Processing is nearly instantaneous.

Editing, removing, and all other navigation for this feature is found in the Licenses section of Azure Active Directory in the Azure portal.

There’s an example of using extension attributes here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-advanced#use-group-based-licensing-with-dynamic-groups

I don’t have Azure AD Premium in the tenant I used for this demo.

I’m not seeing anything close to instantaneous, whether I let AD sync the group membership or attempt to force the situation by triggering the reprocessing manually in Azure.

I’m having this issue also. I need a way to “reprocess” through powershell so it can be automated.

Hi Paul, Great Article. Just one question that you might know the answer to.

Let’s say Exchange on-prem is set up in a hybrid environment with Exchange Online. In this case it is best practice to create all mailboxes on-prem first and then migrate to Exchange Online. Otherwise, if the mailbox is created directly in Exchange Online, the on-prem Exchange doesn’t know anything about the mailbox.

Picture the scenario where Group Based Licensing is setup. In this case members of the group get assigned an Exchange Online license.

The user account gets created on-prem and added to the appropriate security group that assigns a license. Prior to their mailbox being created on-prem, Azure AD Sync runs and syncs the user to Azure AD. A license then gets assigned through the automatic group membership. Since there is no on-prem mailbox for the user (yet anyway), Office 365 automatically provisions an Exchange Online mailbox. The IT team finish the new user setup by creating a mailbox on-prem, and attempt to migrate. But now you end up in the situation whereby there is both a mailbox on-prem and in Exchange Online.

In an ideal world, the setup procedure on-prem would be scripted so that it creates an AD user and mailbox at the same time. But let’s say it’s not. Do you see a way around the above scenario?

Regards, Peter

There’s no real magic here. Either change your provisioning workflow to assign them to a licensing group after the mailbox is created, or change your provisioning workflow to account for the mailbox being created in EXO instead of on-prem.

There’s nothing that says mailboxes should be created on-prem then moved to EXO as a best practice. Create them wherever you want them to live. The only caveat is shared mailboxes, which don’t need a license anyway so that’s not applicable to your situation.

Does Azure AD also provision other attributes (like msExchRecipientType or other Exchange specific attributes)? Because if the mailbox is created directly in Office 365 without setting up msExchRecipientType, these won’t be visible in the on-premises EAC and we’d end up with another script still running (though smaller).

You can assign the group membership by verifying a few attributes that indicate the mailbox was created on-prem. For example, you can look for the homeMDB attribute:

Get-ADUser -Filter {((homeMDB -notlike "$null") -and (enabled -eq "true"))}

Great article. We have a few test environments here that we would like to time box the use of licenses in. For example, allow the user to have access to a license for 180 days and then reclaim it, or reclaim a license that has not been used in 180 days. Have you come across a way to do this with Azure Ad Group Based Licensing?

Groups-based licensing assigns and removes licenses based on group membership. If you can orchestrate the adding/removing of group members based on those 180 day blocks of time, then groups-based licensing will handle the licensing back end stuff for you. But right now it doesn’t have timer-based licensing as a native capability.

Hi Guy, do we need an Azure AD license to assign this policy (Office 365 License Control with Azure AD Group-Based License)? Thanks

See my answer to the comment above yours.

Hi, how is this licensed? Do I need to pay for this functionality? Regards, Peter

Check the end of Microsoft’s post here: https://blogs.technet.microsoft.com/enterprisemobility/2017/02/22/announcing-the-public-preview-of-azure-ad-group-based-license-management-for-office-365-and-more/comment-page-1/

When I’m at the group selection window I can’t find any of my on-premises AD groups. We have a hybrid configuration and only have DirSync. Is it possible that this feature only works with Azure native groups?

It works fine with groups synchronized from on-prem AD, in fact that’s what I demonstrated in my post.

We want to set up an F5 load balancer for the Office 365 SMTP traffic. Please let us know if there is any solution to implement this.

You should ask F5, I’m sure they’ll have documentation to guide customers on that and many other scenarios.

Assign Office 365 licenses with Azure group-based licensing

  • Updated on August 7, 2023
  • Azure , Microsoft 365

What is an excellent way to manage and assign Microsoft 365/Office 365 licenses? If you have a small organization with a few users, you can assign Office 365 licenses directly to the user. If you manage a large environment and want structure, your best way is to assign Office 365 licenses with Azure group-based licensing. In this article, you will learn how to configure Azure group-based licensing.

Table of contents

  • Add Office 365 license directly to user
  • Azure group-based licensing
  • Azure group-based licensing requirements
  • 1. Create Office 365 security groups on-premises
  • 2. Sync security groups to Azure AD
  • 3. Verify security groups in Azure AD
  • 4. Assign licenses to group
  • 5. Add user to security group

If you don’t have many users in the organization, you can select the Microsoft 365/Office 365 license directly for the user:

  • Sign in to Microsoft 365 admin center
  • Click on Active users and select the user
  • Select the tab Licenses and apps
  • Enable the Microsoft 365 license
  • Click Save changes

Add office 365 license to user in Microsoft 365 admin center

A better situation is to create groups and manage the Office 365 licenses from there. How will that work? Let’s see in the next step.

You can assign one or more product licenses to a group. Azure AD ensures that the licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses. When they leave the group, those licenses are removed. This licensing management eliminates the need for automating license management via PowerShell to reflect changes in the organization and departmental structure on a per-user basis.

Read more: What is group-based licensing in Azure Active Directory?

You must have one of the following licenses to use group-based licensing:

  • Paid or trial subscription for Azure AD Premium P1 and above
  • Paid or trial edition of Microsoft 365 Business Premium or Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 for GCCH or Office 365 E3 for DOD and above

How to configure Azure group-based licensing

Go through the below steps to set up Azure group-based licensing in Microsoft 365.

We recommend you create a base group, to which you will assign the must-have Office 365 products. Create other groups for products that not everyone needs to use.

In this example, we will create two groups in Active Directory Users and Computers:

  • O365_Licenses_E3_Base
  • O365_Licenses_E3_Exchange

The security groups will look as below.

Create security groups on-premises

Sign in on the Azure AD Connect server and start the Azure AD Connect application.

Verify in Azure AD Connect that the OU where you placed the security groups is enabled for syncing.

Microsoft Azure Active Directory Connect sync groups

You can wait a maximum of 30 minutes, and it will synchronize the objects. Another option to speed it up is to force sync Azure AD Connect by running the below command.

Sign in to Microsoft Azure with your admin credentials.

Click on Menu > Azure Active Directory .

Azure Active Directory

Click on Groups .

Assign Office 365 licenses with Azure group-based licensing groups

Search for the groups and verify that they appear in Azure AD.

Assign Office 365 licenses with Azure group-based licensing groups synced

The O365 groups are synced successfully in Azure AD.

Click on the group .

In our example, it’s the group O365_Licenses_E3_Base .

Assign Office 365 licenses with Azure group-based licensing base group

Click Licenses > + Assignments .

Assign Office 365 licenses with Azure group-based licensing add license assignments

Select the license and check which license options you want to assign to the group. Click Save .

Assign Office 365 licenses with Azure group-based licensing update license assignments first group

Do the same, but this time add the group O365_Licenses_E3_Exchange.

Select the license option Exchange Online (Plan 2) and click Save .

Assign Office 365 licenses with Azure group-based licensing update license assignments second group

Add a user to the group O365_Licenses_E3_Base.

Assign Office 365 licenses with Azure group-based licensing add member

Force sync with Azure AD.

Click Members and verify you see the synced user .

Assign Office 365 licenses with Azure group-based licensing members

Go to the Microsoft 365 admin center and navigate to the user. Select the Licenses and apps tab and verify that the below text appears under Licenses:

This is inherited by group-based licensing and can’t be changed here. Manage group-based licenses in the Azure portal.

Assign Office 365 licenses with Azure group-based licensing inherited message

Everything looks great!

You can assign Office365/Microsoft 365 licenses in bulk by adding all the users to the security group on-premises.
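Step 4 of this procedure, and the questions raised in the comment thread earlier on this page (listing which users still hold direct licenses, removing only the direct copy when the same SKU is also inherited, and getting alerted on “groups with licensing assignment errors”), can all be done with Microsoft Graph PowerShell. The block below is an added example, not code from the article or its commenters; it assumes the Microsoft.Graph modules are installed and that the caller holds the License Administrator role, uses the article’s group name, and uses ENTERPRISEPACK and EXCHANGE_S_ENTERPRISE as Microsoft’s identifiers for Office 365 E3 and Exchange Online (Plan 2).

```powershell
# Added example (not from the article or its comments). Run as a License Administrator;
# the Microsoft.Graph modules must be installed. Group name is the article's, SKU/plan
# identifiers are Microsoft's, everything else is a placeholder.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.ReadWrite.All', 'Organization.Read.All'

function Set-GroupLicenseWithPlans {
    # Step 4 in PowerShell: assign one SKU to a group with every user-level service plan
    # disabled except those in -KeepPlanNames. Defaults reproduce the article's Exchange
    # group: Office 365 E3 (ENTERPRISEPACK) with only Exchange Online (Plan 2) enabled.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$SkuPartNumber = 'ENTERPRISEPACK',
        [string[]]$KeepPlanNames = @('EXCHANGE_S_ENTERPRISE')
    )
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found in Azure AD" }
    $sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not subscribed in this tenant" }

    # Only plans that apply to users can be disabled. Dependent plans (OneDrive needs
    # SharePoint, for instance) must be kept or disabled together or the assignment errors.
    $disabledPlans = @($sku.ServicePlans |
        Where-Object { $_.AppliesTo -eq 'User' -and $_.ServicePlanName -notin $KeepPlanNames } |
        Select-Object -ExpandProperty ServicePlanId)

    Set-MgGroupLicense -GroupId $group.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabledPlans }) `
        -RemoveLicenses @()
}

function Get-LicenseAssignmentReport {
    # One row per user per SKU: assignment path (Direct or the assigning group) and state.
    # Rows with AssignedBy -eq 'Direct' are the direct assignments the commenters wanted
    # to find before trusting group-based licensing alone.
    $skuNames = @{}
    Get-MgSubscribedSku -All | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }
    $groupNames = @{}

    Get-MgUser -All -Property Id, UserPrincipalName, LicenseAssignmentStates | ForEach-Object {
        $user = $_
        foreach ($state in $user.LicenseAssignmentStates) {
            $assignedBy = 'Direct'
            if ($state.AssignedByGroup) {
                if (-not $groupNames.ContainsKey($state.AssignedByGroup)) {
                    $groupNames[$state.AssignedByGroup] =
                        (Get-MgGroup -GroupId $state.AssignedByGroup -Property DisplayName).DisplayName
                }
                $assignedBy = $groupNames[$state.AssignedByGroup]
            }
            [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                UserId            = $user.Id
                Sku               = $skuNames[$state.SkuId]
                SkuId             = $state.SkuId
                AssignedBy        = $assignedBy
                State             = $state.State   # Active, ActiveWithError, Disabled, Error
                Error             = $state.Error   # null when healthy, else e.g. CountViolation
            }
        }
    }
}

function Remove-RedundantDirectLicense {
    # Where a user holds the same SKU directly AND through a group, remove only the direct
    # assignment; the inherited one stays. Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Report)   # output of Get-LicenseAssignmentReport

    $Report | Group-Object UserId, SkuId | ForEach-Object {
        $direct    = @($_.Group | Where-Object AssignedBy -eq 'Direct')
        $inherited = @($_.Group | Where-Object AssignedBy -ne 'Direct')
        if ($direct.Count -gt 0 -and $inherited.Count -gt 0) {
            $row = $direct[0]
            if ($PSCmdlet.ShouldProcess($row.UserPrincipalName, "remove direct $($row.Sku)")) {
                Set-MgUserLicense -UserId $row.UserId -AddLicenses @() -RemoveLicenses @($row.SkuId) |
                    Out-Null
            }
        }
    }
}

function Get-GroupLicenseError {
    # Groups the portal lists under "groups with licensing assignment errors", with the
    # affected members; pipe to Send-MailMessage or a monitoring tool for the alert asked for.
    Get-MgGroup -Filter 'hasMembersWithLicenseErrors eq true' -All | ForEach-Object {
        $group = $_
        Get-MgGroupMemberWithLicenseError -GroupId $group.Id -All | ForEach-Object {
            [pscustomobject]@{ Group = $group.DisplayName; Member = $_.AdditionalProperties['userPrincipalName'] }
        }
    }
}

# Usage: reproduce step 4 for the Exchange group, then audit and clean up direct assignments.
Set-GroupLicenseWithPlans -GroupName 'O365_Licenses_E3_Exchange'
$report = Get-LicenseAssignmentReport
$report | Where-Object AssignedBy -eq 'Direct' | Format-Table UserPrincipalName, Sku, State
Remove-RedundantDirectLicense -Report $report -WhatIf
Get-GroupLicenseError | Format-Table
```

Export the report with Export-Csv to keep a record of the pre-cleanup state; the removal step only touches users whose SKU is also inherited, so a direct-only user keeps their license until a group covers them.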

In the next article, we will look at the Exchange Hybrid test plan.

You learned how to assign Office 365 licenses with Azure group-based licensing. This setup will help user management and licensing for every organization significantly. There are no more challenges when assigning licenses, and everything is organized in groups.

Did you enjoy this article? You may also like the complete course Exchange Hybrid. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 7 Comments

Hi, I am looking for a similar Group based licensing, but for cloud only accounts. Can you suggest a way in which we can do that through Dynamic Grouping?

You can check the below document, where dynamic grouping is explained. You also need to create a security group with “Membership type” set to “Dynamic user”.

Docs: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

I did not have this configured. Now I do. This will help a lot. Thanks.

Your attention to detail is perfect. Great work as always.

Just what I needed. So much easier to manage. Thanks!

I ask out of curiosity.

1. I created a group “Communication_Basic” with Business Basic licenses with the plans Exchange, MS Teams and SharePoint.
2. I added a user to that group and after a while he got a Business Basic license with Exchange, Teams and SP.

And the question is:

3. If I want to assign another (additional) license to the user, for example Whiteboard, the group-assigned licenses won’t override this and remove that license?

Greetings, Przemek

Hi Przemek,

You can’t assign the “Whiteboard” license directly to the user because the licenses section is greyed out and shows the message:

“This is inherited by group-based licensing and can’t be changed here. Manage group-based licenses in the Azure portal.”

It’s best for you to:

1. Create a new security group. For example, give it the name “Communication_Whiteboard”.
2. Assign the license “Whiteboard” to the group that you created in step 1.
3. Assign the security group to the user.

The user will have “Communication Basic” assigned licenses and “Communication_Whiteboard” assigned license. These are the licenses for Exchange, MS Teams, SharePoint, and Whiteboard.

It’s the same example as I did in the article. Only I used Exchange Online instead of Whiteboard.

Thanks for reply. Great blog by the way

  • An introduction to administrative units
  • Manage administrative units
  • How inheritance works for groups in administrative units
  • Administrative units and Privileged Identity Management
  • My Staff portal
  • Limitations of administrative units

A Complete Guide to Azure AD Administrative Units


Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management (IAM) service, with over 420 million daily active users. IT admins use Azure AD to manage role permissions and control users’ access to apps and resources. This article looks at administrative units, an Azure AD resource used to limit administrative scope within Azure Active Directory.

An introduction to Azure AD administrative units

Microsoft defines an administrative unit as an Azure Active Directory (Azure AD) resource that can be a container for other Azure AD resources. Administrative units allow an organization to grant admin permissions that are restricted to a department, region, or any other segment of the organization that you define. An administrative unit can contain only users and groups.

Note: To use Azure AD administrative units, you need to have an Azure AD Premium license in addition to your Microsoft 365 licenses.

Why do you need administrative units?

Assigning a user to the “User Administrator” role in Azure AD, for example, gives them the rights to manage all the users in the organization, which is not always required. This goes against Microsoft’s principle of least privilege, which states that users and applications should be granted the minimum level of access needed to perform required tasks.

Azure AD without administrative units

The above diagram shows the Azure AD structure without administrative units. Here, both the Password and Authentication admins have global scope, which means they have their respective administrative rights over all the users and groups in the organization, similar to a global admin. In the below diagram, which shows the Azure AD structure with administrative units, only the Global admin has control over the entire organization, while the Password and Authentication admins can only manage users and groups within their respective administrative units. For example, Authentication admin 2 can manage users and groups belonging to AU 2.

Azure AD with administrative units

Note: Only the following Azure AD roles can be assigned to an administrative unit: Authentication administrator, Password administrator, User administrator, Helpdesk administrator, License administrator, and Groups administrator.

Manage administrative units in Azure Active Directory

Note: You need to be a Privileged Role Administrator or Global Administrator to manage (create, remove, populate, and add roles to) administrative units.

Licensing requirements

  • Azure AD Premium P1 or P2 license for each administrative unit administrator
  • Azure AD Free licenses for administrative unit members

Note: Administrative units can also be managed by using PowerShell cmdlets and scripts, or Microsoft Graph. For more information, see Prerequisites to use PowerShell or Graph Explorer.

Create an administrative unit

To create an administrative unit, follow the below steps:

Step 1: Sign in to the Azure AD admin center. (You can also sign into the Azure portal, go to Azure Active Directory, and follow the same steps mentioned below.)

Step 2: Navigate to Azure Active Directory -> Administrative units.

create an administrative unit

Step 3: Select the +Add button at the top of the pane, enter a name and description for the administrative unit, and click on the Review + create button at the bottom. This will take you to the Assign roles section.

add azure administrative unit

Step 4: You can select an administrative role from the given list and assign a user to the role. You can skip this step if you want to only create an administrative unit for now, and assign administrative roles later.

add administrative unit

Step 5: Click either the Review + create or Next: Review + create button to review the properties and assignments, and click on the Create button. This will create a new administrative unit in the Azure Active Directory.

add administrative unit

Note: Administrative units can also be created using PowerShell or Microsoft Graph API.

Add users to an administrative unit

Note : You can only manually add users to an administrative unit. Adding users to an administrative unit dynamically based on an object property is not supported.

You can assign users to an administrative unit following the below steps.

Step 1: Sign in to the Azure portal or Azure AD admin center.

Step 2: Select Azure Active Directory -> Administrative units, and then select the administrative unit to which the user needs to be added.

Step 3: Select Users -> +Add member and on the Add member pane, select one or more users that you want to add to the administrative unit.

add users to azure administrative unit

Alternatively, you can add users from their user profiles in the Azure AD admin center. The following steps are convenient if you need to add a single user to multiple administrative units.

Step 1: Sign in to the Azure portal or Azure AD admin center.

Step 2: Select Azure Active Directory > Users and select the user to be assigned to an administrative unit. This will open the user’s profile.

Step 3: Select Administrative units. To assign the user to one or more administrative units, select +Assign to administrative unit and on the right pane, select the administrative units to which you want to assign the user.

what is assigned membership in azure

To assign users as a bulk operation:

Step 1: Sign in to the Azure portal or Azure AD admin center. Select Azure Active Directory -> Administrative units.

Step 2: Select the administrative unit to which you want to add users.

Step 3: Select Users -> Bulk activities -> Bulk add members. Upload the CSV file containing all the users.

bulk add users to an administrative unit

Note : PowerShell or Microsoft Graph API can also be used to add users to administrative units.

Learn how to view a list of administrative units for a user

Learn how to remove users from an administrative unit. 

Add groups to an administrative unit

Note: Dynamic groups cannot be added to an administrative unit.

You can only assign groups individually to administrative units. There is no option to assign groups as a bulk operation.

To assign groups to an administrative unit, follow the below steps.

Step 1: Sign in to the Azure portal or Azure AD admin center.

Step 2: Select Azure Active Directory -> Administrative units. Click on the administrative unit to which you want to add groups.

Step 3: Navigate to Groups -> +Add. The right pane lists all the available groups in your organization. Select the groups you want to add to the administrative unit.

add groups to an azure administrative unit

Alternatively, you can add a group to an administrative unit from the Groups pane in the Azure AD admin center. The following steps are convenient if you need to add a single group to multiple administrative units.

Step 1: Sign in to the Azure portal or Azure AD admin center.

Step 2: Select Azure Active Directory -> Groups. Open the group that you need to add and navigate to Administrative units -> +Assign to administrative unit. This will display a list of administrative units in your organization.

add a group to administrative units

Step 3: Select the administrative units to which you want to assign the group. This will add the group to the selected administrative units.

You can also assign groups to administrative units using PowerShell or Microsoft Graph API.

Note: When you add a group to an administrative unit (AU), only the group is added and not the members of the group. This means that the AU admin can manage the properties of the group alone, not those of the members of the group. Learn more

Assign admin roles for an administrative unit

View the roles that are available to be assigned with administrative unit scope. Each role is independent from the global roles (roles with global scope) in Azure AD. Therefore, by using scoped roles, you can easily delegate administrative privileges to users who should only administer a specific administrative unit.

Step 2: Navigate to Azure Active Directory -> Administrative units, and then select the administrative unit to which you want to assign a user role scope. On the left pane, select Roles and administrators to view a list of all the available roles. Select the role that you need to assign to a user, for example, the User administrator role.

assign admin role for an administrative unit

Step 3: Click on the  +Add assignments  button. On the  Add assignments  pane, select the user(s) to be assigned to the role. 

assign admin roles for azure administrative units

Note: To assign admin roles at an administrative unit level, your organization needs Azure AD Premium P1 or P2 license. If not, the " +Add assignments " button will be greyed out as shown in the above screenshot.

You can also assign scoped roles to users using  PowerShell  or  Microsoft Graph API . 
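The PowerShell route mentioned in both the group-assignment and the role-assignment steps above, as an added example that is not code from this post: it adds a group to an administrative unit and then assigns a User Administrator role scoped to that unit with the AzureAD module. The AU and group names are the ones used in this post's walkthrough; the admin UPN is a placeholder, and Connect-AzureAD is assumed to have been run as a Privileged Role or Global Administrator.

```powershell
# Added example (not from this post): add a group to an administrative unit and assign an
# AU-scoped User Administrator role with the AzureAD PowerShell module.
# Assumes Connect-AzureAD has already been run with sufficient privileges.
$auName    = 'New Jersey'                               # AU name from the walkthrough
$groupName = 'Test'                                     # group name from the walkthrough
$adminUpn  = 'chris.green@contoso.onmicrosoft.com'      # placeholder UPN for the scoped admin

# 1. Resolve the administrative unit; fail loudly instead of silently creating nothing
$au = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) { throw "Administrative unit '$auName' not found" }

# 2. Add the group as a member of the AU. Groups are added one at a time (there is no bulk
#    operation), and adding the group does NOT bring its members into the AU's scope.
$group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }
Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $group.ObjectId

# 3. Assign the User Administrator role scoped to this AU. A built-in role is only returned
#    by Get-AzureADDirectoryRole once it has been activated in the tenant.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq 'User Administrator'
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'User Administrator'
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
$admin = Get-AzureADUser -ObjectId $adminUpn
$memberInfo = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$memberInfo.Id = $admin.ObjectId
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $memberInfo

# 4. Verify: list who holds which role inside this AU only (scoped, not tenant-wide)
Get-AzureADMSScopedRoleMembership -Id $au.Id |
    Select-Object @{n='Role';   e={ (Get-AzureADDirectoryRole -ObjectId $_.RoleId).DisplayName }},
                  @{n='Member'; e={ $_.RoleMemberInfo.DisplayName }}
```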

Learn  how to view a list of the administrators assigned to an administrative unit. 

Once a group is added to an administrative unit, group properties, members, and licensing settings can be updated by the assigned admins.  However, the users in that group are not included in the scope of management. In other words, when you add a group to an administrative unit, the users belonging to that group will not come under the administrative unit’s control. This means that the admins assigned to the administrative unit will only be able to manage the group object, not the user objects within the group. Only users that are directly added to the administrative unit can be managed by the assigned admins.  

scope of azure administrative unit

For example, consider the administrative unit (AU) New Jersey, which contains two users, David Rose and Sheldon Cooper. 

azure administrative unit with two users

New Jersey AU also contains a group named Test, which has two members, Jack Prichett and Phil. 

group inside administrative unit

A User administrator (Chris Green) has been assigned to the New Jersey AU.

administrative-unit scoped role

Chris, being the User administrator of New Jersey AU, can reset the password for both Sheldon and David. Whereas, when Chris tries to reset the password for either Jack or Phil, an error message is displayed. 

error message

This is because Jack and Phil are not members of the New Jersey AU, rather, they are members of the Test group which is a member of the New Jersey AU. Chris can therefore update the settings of the Test group, not that of the users within the group.  Lack of dynamic membership and group inheritance may appear to be significant limitations at first, but there are good reasons for these restrictions, as mentioned below: 

If dynamic membership were allowed, it would be possible for anyone who can modify the user attribute to change administrative unit membership. For example, if an attribute such as "department" were considered to manage administrative unit membership, a User administrator could modify certain users’ departments, and thereby change the administrative unit membership.  

If group inheritance were allowed, someone who had the ability to change group membership could also modify the administrative unit membership. For example, a Groups administrator or Groups owner could add more users to a group, and thereby change the administrative unit membership. 

Click here  to view the current support provided by Microsoft for various administrative unit scenarios, via the Azure portal, Microsoft 365 admin center, and Graph/PowerShell.

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization, including administrative units. It provides time-based and approval-based role activation.  With PIM, organizations can give users just-in-time privileged access to Azure AD resources and can oversee what those users are doing with their privileged access. 

Key features of Privileged Identity Management:

  • Provide just-in-time privileged access to Azure AD and Azure resources
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multi-factor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit

What is Privileged Identity Management?   

Plan a Privileged Identity Management deployment

Assign Azure AD roles in PIM   

Note:  Using Privileged Identity Management requires an Azure AD Premium P2 license. For details, see   License requirements to use Privileged Identity Management . 

Assign scoped roles in Privileged Identity Management

With the Azure Active Directory Privileged Identity Management (PIM) service, Privileged role admins or Global admins can make permanent or time-bound admin role assignments. They can also assign users as active or eligible administrators. (Refer to the steps below)  Since Azure AD administrative units are integrated with Privileged Identity Management, you can define whether you want the role assignment to be active/eligible and permanent/time-bound when you assign an AU-scoped role to a user.   To assign an administrative unit scoped role using PIM service, follow the below steps: 

Note:  You need to be a Privileged role admin or Global admin for this. 

Step 1:  Open the administrative unit for which you need to assign an admin. Navigate to  Roles and  administrators , and select the role you need to assign. 

Step 2: Click on  +Add assignments.  This will take you to the  Add assignments  page. Select the member to be assigned to the role, and click  Next .

assign AU scoped roles in PIM

Step 3:   In the Assignment type list on the  Setting  pane, select the required assignment type. 

Eligible assignments  require the member of the role to perform an action (after the role has been assigned to them) to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. 

Active assignments  don't require the member to perform any action to use the role. Members assigned as active will have the privileges associated with the role immediately after the assignment has been made. 

select assignment type

Step 4:  Specify the assignment duration and click  Assign  to create the new role assignment. 

Permanent assignments: Have no expiration date. Use this option for permanent workers who frequently need the role permissions.

Time-bound assignments: Expire at the end of a specified period. Use this option with temporary or contract workers who require the role only for a specified duration.

Administrative units and My Staff portal

My Staff portal ( mystaff.microsoft.com ) is based on administrative units, and it allows delegated administrators to perform a limited set of account maintenance actions, including password reset, without signing into the Azure AD portal. Using this portal, an AU administrator can manage the members of the specific administrative unit (AU):

  • Add and update phone numbers
  • Reset passwords
  • Enable phone sign-in

For example, a local team manager can reset passwords or edit phone numbers of their team members, so that the users who can't access their accounts can regain access in just a couple of clicks, with no helpdesk or IT staff involvement.

How to enable My Staff in Azure Active Directory

The My Staff feature has to be enabled in the Azure Active Directory so that team managers can access the portal to manage common tasks for their team members. To enable My Staff, follow the below steps: 

Step 1: Sign in to the  Azure portal  or  Azure AD admin center  as a User administrator or Global administrator. 

Step 2: Select  Azure Active Directory  ->  User settings  ->  Manage user feature settings . 

manage user feature settings in azure active directory

Step 3: Enable the feature for all users or a group of users, and click  Save .

enable my staff portal

Note: Only users who've been assigned an admin role can access the My Staff portal. If you enable My Staff for a user who is not assigned an admin role, they won't be able to access the portal.

How My Staff works

When a delegated administrator goes to the My Staff portal, they are shown the names of the administrative units over which they have administrative permissions. If an administrator's permissions do not have an administrative unit scope, the permissions apply across the organization. After My Staff has been enabled for your organization, the users who are enabled and have been assigned an administrative role can access it at  https://mystaff.microsoft.com . They can select an administrative unit to view the users in that unit, and select a user to open their profile. 

user administrator for administrative unit

Chris can now use the  My Staff portal  to manage all the members in the New Jersey administrative unit.  

my staff portal

How to reset a user password 

A delegated admin can reset the password of a user in their administrative unit by following the below steps:

Step 1: Sign in to the  My Staff portal . All the administrative units in the respective admin’s scope will be displayed. 

Step 2: Select the administrative unit that contains the team member whose password has to be reset. This will display all the members in the selected administrative unit. (Refer to the screenshots in the above section) 

Step 3: Open the member’s profile. Click on  Reset password -> Continue  to reset the password. 

reset user password in my staff portal

Note: The “Add phone number” option is greyed out in the above screenshot since the selected admin (Chris Green, in this case) has only User admin permissions assigned. A user admin can only reset the password, not add or edit phone numbers. To manage the phone numbers of users in an administrative unit, one needs to be assigned as an Authentication admin for that administrative unit. Learn  how to manage users’ phone numbers from the My Staff portal. 

You can search for administrative units and users in your organization using the search bar in My Staff. You can search across all administrative units and users in your organization, but you can only make changes to the users who are in the administrative unit over which you have been given admin permissions.  You can view audit logs for actions taken in My Staff in the Azure Active Directory portal. If an audit log was generated by an action taken in My Staff, you will see this indicated under "Additional Details” in the audit event. 

audit logs

Read the  My Staff user documentation  provided by Microsoft to learn more on how a team manager can use the My Staff portal. In the documentation, the term “locations” is used to refer to administrative units.  

  • An administrative unit can contain only users and groups. Devices cannot be added to administrative units, so scoping management of devices is not possible.
  • Not all Azure AD administrative roles are available for administrative units. You can only assign one of the following six roles to an administrative unit: Authentication administrator, Password administrator, User administrator, Helpdesk administrator, License administrator, Groups administrator.
  • Administrative units require Azure AD Premium licenses.
  • AU-scoped administrators cannot manage their users’ MFA settings in the Microsoft 365 admin center. (See currently supported scenarios)
  • Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. Admins can browse other users in the Azure AD portal, PowerShell, and other Microsoft services. However, in the Microsoft 365 admin center, users outside a scoped admin's administrative units are filtered out.
  • You can only assign groups individually to an administrative unit. There is no option to assign groups as a bulk operation.

Frequently asked questions on Azure AD administrative units

1. I am a delegated Password/User administrator for an administrative unit. Why am I unable to reset a specific user's password?

(a) An AU-scoped admin can only manage users who belong to that administrative unit. Make sure that the user belongs to the administrative unit to which you've been assigned. 

2. Can a user or a group belong to more than one administrative unit? 

Yes, a user or a group can belong to multiple administrative units. This is one of the major differences between Azure AD administrative units and  Google organizational units . 

3. I added a group to an administrative unit. Why are the group members not showing up in the administrative unit?

When you add a group to an administrative unit, that does not result in all the group members being added to it. Users must be directly assigned to the administrative unit.  Learn more

4. Can administrative units be nested? 

5. How are administrative units different from groups in Azure Active Directory?   

Azure AD administrative units are used to restrict the scope of administrative role assignments whereas Azure AD groups are used to manage users’ access to apps and resources. Using groups lets the resource owner (or Azure AD directory owner) assign a set of access permissions to all the members of the group, instead of having to provide the rights one-by-one. Read  Manage app and resource access  using Azure Active Directory groups to learn more. 

Groups:

  • Used to manage users’ access to apps and resources
  • Members of the group inherit the permissions assigned to the group
  • Assigning an admin role to a group will result in all the group members having that admin role. Learn more

Administrative units:

  • Used to restrict the scope of administrative role assignments in the Azure Active Directory
  • Adding members to an administrative unit (AU) does not change their permissions by default. Rather, it gives permission to the AU-scoped admin to manage the members of the AU.
  • A user who is assigned as the administrator for an administrative unit will be able to manage all the members of the administrative unit.

Azure Active Directory Groups

Azure Active Directory is a cloud hosted directory available for authentication and authorization of many services including Microsoft 365. Azure Active Directory (AAD) groups are useful for authorization of various services configured to access Azure for authentication. Many Azure AD groups are created by Microsoft 365 services like Teams and Distribution Lists as well as some campus systems like Grouper. Many Exchange related groups are synchronized from on-premises Active Directory and these groups can only be updated locally with changes replicated up to Azure. Azure AD groups can be manually created by Departmental Resource Coordinators using the Resource Coordinator Tools. When an Azure AD group is created, the requester is set as an owner. Group owners have the ability to manage group membership and the owners list using the Azure Portal. Azure AD group membership types include assigned membership, dynamic users and dynamic devices. Assigned membership is the default membership type and Resource Coordinators can request the membership type be changed using the Resource Coordinator Tools website. Note: Azure AD groups created via the Resource Coordinator Tools should be renamed or deleted via the campus website, not the Azure management portal. Azure AD groups renamed using other methods are periodically reset to their original name by script.

Azure Active Directory Group FAQs

Who can create Azure AD groups?

Azure AD Groups can be created by departmental Resource Coordinators . The resource coordinator is set as the owner and can use the Azure management portal to add owners and members.

Note for Azure AD Group Owners: Do NOT use the Azure management portal to change group names (automated processes will set it back to the original name) or to delete the group. If a group needs to be removed, it should be deleted using the "Delete Azure AD Group" tool in the Resource Coordinator Tools .

How can owners manage Azure AD groups?

Azure AD groups manually created via the Resource Coordinator Tools are managed by group owners using the Azure Management Portal or with PowerShell modules provided by Microsoft. Note that name changes and deletes should only be done using the Resource Coordinator Tools .

What is the difference between Azure Group type "Security" and "M365"?

All Azure AD groups managed via the Resource Coordinator Tools are security groups. M365 groups have special mail related function and are used by services like Teams. Azure AD group type cannot be changed after creation.

What is the difference between "Assigned" vs "Dynamic user" vs "Dynamic device" group membership?

Azure AD Group membership is controlled in one of several different ways. The default method is "Assigned", where an owner specifies which objects are group members. "Dynamic user" and "Dynamic device" membership types allow the owner to define a rule to automatically populate group members based on directory attributes like display name. Groups with dynamic membership rules are updated automatically as new objects matching the rules are added to the directory. Group membership type is changed via the Modify Azure AD Group link in the Resource Coordinator Tools. That generates a ticket for ACNS staff to review and implement the change. Check this Microsoft article on building dynamic membership rules.

Can the Azure AD group membership type be changed (e.g. Assigned, Dynamic user, Dynamic device)?

Resource Coordinators can change manually created Azure AD groups using the Azure Management Portal or using PowerShell modules provided by Microsoft. Group membership type is set to 'Assigned' by default and can be changed using the 'Modify Azure AD Group' link in the Resource Coordinator Tools.
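What a dynamic membership rule looks like, and what converting an Assigned group to Dynamic does, as an added example that is not part of this FAQ (the campus process above still applies; this shows the underlying Microsoft cmdlets). It uses the AzureAD module and assumes Connect-AzureAD has been run; the group names, the rule and the department value are constructed sample data, and the helper function name is hypothetical.

```powershell
# Added example (not from this FAQ): create a security group driven by a dynamic user rule,
# plus a helper that converts an existing Assigned group to rule-based membership.
# Assumes Connect-AzureAD has been run. Names, rule and department value are constructed.

# Rule language: user.<attribute> <operator> <value>, combined with and/or. Anyone who can
# write the attribute used in the rule (here "department") effectively controls membership,
# so pick attributes that are only set by trusted provisioning, not by self-service or helpdesk.
$hrRule = '(user.department -eq "Human Resources") and (user.accountEnabled -eq true)'

$hrGroup = New-AzureADMSGroup -DisplayName 'HR-Dynamic' -MailNickname 'hr-dynamic' `
    -MailEnabled $false -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' -MembershipRule $hrRule -MembershipRuleProcessingState 'On'

function Convert-ToDynamicGroup {
    # Hypothetical helper: switch an existing Assigned group to dynamic membership.
    # When the switch happens, the directly assigned members are removed and replaced by the
    # rule's result, so stage the rule with 'Paused' first, review it, then set it to 'On'.
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $Rule,
        [ValidateSet('On', 'Paused')] [string] $ProcessingState = 'Paused'
    )
    Set-AzureADMSGroup -Id $GroupId -GroupTypes 'DynamicMembership' `
        -MembershipRule $Rule -MembershipRuleProcessingState $ProcessingState
    # Return the stored rule and state so the change can be reviewed before enabling it
    Get-AzureADMSGroup -Id $GroupId |
        Select-Object DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
}

# Usage: Convert-ToDynamicGroup -GroupId $hrGroup.Id -Rule $hrRule -ProcessingState 'Paused'
```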

Can e-mail be sent to an Azure AD group?

Azure AD security groups are not mail enabled. If you need a group that can serve as a mail list, use the Resource Coordinator Tools to create a Distribution List.

All about Microsoft 365

Quickly list all groups a user is member of or owner of in Office 365

Continuing the “how to do this with the new Azure AD PowerShell module” series, in this article we will explore some useful cmdlets that quickly list all Groups a user is member of, or is configured as Owner/Manager.

To get the latest version of the AzureAD PowerShell module, click here . To get the documentation on installing and using the module, click here .

Getting group membership

As a reminder, here’s how to quickly get a list of all groups a user is member of via the EO Remote PowerShell cmdlets:

where ‘CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations, DC=EURPR03A001, DC=prod, DC=outlook, DC=com’ is the DistinguishedName of the user, obtainable for example via:

Now, there’s also one caveat you might want to consider when using the above cmdlet. Namely, the Get-Recipient cmdlet in EO doesn’t return Office 365 Groups objects (the new, “modern” groups) unless you specifically include them. An updated version of the above cmdlet that accounts for Groups will look like this:

and will return all Distribution groups, Mail-enabled security groups and Office 365 groups the user is member of. Dynamic distribution groups are something else you might want to consider, but those aren’t a subject for the current article. You can add other recipient types to the above example as needed.

If you want to return membership of Exchange Role Groups as well, use the Get-Group cmdlet:

So, after covering the Exchange side, can we also do the same with the Azure AD cmdlets? The answer is yes, thanks to the Get-AzureADUserMembership cmdlet. Here’s an example:

As usual, one probably wants to avoid using ObjectIds, so here’s an example that takes care of that:

The next problem you will run into is handling the output, which is also full of ObjectIds. We can use calculated properties to work around this:

where we have also excluded the Role groups from the output. If you want to keep them, change the above cmdlet to:

Overall, the number of objects returned by the Get-AzureADUserMembership cmdlet should be greater compared to the Exchange cmdlets, because of the inclusion of objects such as Security groups and User Roles.

Get list of objects the user is Owner for

Similarly to group membership, we can also use PowerShell cmdlets to quickly get a list of all objects a user is configured as Owner for (or Manager in the Exchange world). Here’s how to do this with EO remote PowerShell:

To get the Owner information with the Azure AD PowerShell, one can use the Get-AzureADUserOwnedObject cmdlet. Example use of the cmdlet:

or the more useful version sans the ObjectId obscurity:

A note is due here – the Azure AD cmdlet doesn’t look at the “ManagedBy” property. If you want to include Exchange related recipients in the output, such as (dynamic) distribution groups, use the Exchange cmdlet above.
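The membership and ownership reports described in the two sections above, combined into one function as an added example (this is not the article's own code): it uses Get-AzureADUserMembership and Get-AzureADUserOwnedObject, replaces ObjectIds with readable columns, drops directory roles unless asked to keep them, and classifies each group from MailEnabled, SecurityEnabled and GroupTypes. It assumes the AzureAD module with Connect-AzureAD already run; the function names are hypothetical, and Exchange-only data (ManagedBy, dynamic distribution groups) is deliberately out of scope, as the note above explains.

```powershell
# Added example (not from the article): one report of the groups a user belongs to and the
# objects the user owns, using the AzureAD module cmdlets discussed above.
# Assumes Connect-AzureAD has been run. Function names are hypothetical.

function Resolve-GroupKind {
    # Classify a group from MailEnabled / SecurityEnabled plus GroupTypes. GroupTypes is only
    # exposed by the *MS* cmdlet, and is what tells a Microsoft 365 group from a distribution group.
    param([Parameter(Mandatory)] $Group)
    if ($Group.ObjectType -ne 'Group') { return $Group.ObjectType }   # Role, Application, Device...
    $types = (Get-AzureADMSGroup -Id $Group.ObjectId).GroupTypes
    $kind = if ($types -contains 'Unified')                         { 'Microsoft 365 group' }
            elseif ($Group.MailEnabled -and $Group.SecurityEnabled) { 'Mail-enabled security group' }
            elseif ($Group.MailEnabled)                             { 'Distribution group' }
            elseif ($Group.SecurityEnabled)                         { 'Security group' }
            else                                                    { 'Unknown' }
    if ($types -contains 'DynamicMembership') { $kind += ' (dynamic)' }
    return $kind
}

function Get-UserGroupReport {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $IncludeRoles    # keep directory roles (ObjectType 'Role') in the output
    )

    # Resolve the user once so every row carries a readable identity instead of an ObjectId
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Membership: unlike the Exchange cmdlets this also returns security groups and directory
    # roles, which is why the count is usually higher. -All $true avoids the default page size.
    $memberships = Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true
    if (-not $IncludeRoles) {
        $memberships = $memberships | Where-Object { $_.ObjectType -ne 'Role' }
    }
    $memberOf = foreach ($m in $memberships) {
        [pscustomobject]@{
            User        = $user.UserPrincipalName
            Relation    = 'Member'
            DisplayName = $m.DisplayName
            ObjectType  = $m.ObjectType
            Kind        = Resolve-GroupKind $m
            ObjectId    = $m.ObjectId
        }
    }

    # Ownership: groups, applications, service principals and devices the user owns.
    # This does not consult Exchange's ManagedBy property (see the note in the article).
    $owned = foreach ($o in Get-AzureADUserOwnedObject -ObjectId $user.ObjectId -All $true) {
        [pscustomobject]@{
            User        = $user.UserPrincipalName
            Relation    = 'Owner'
            DisplayName = $o.DisplayName
            ObjectType  = $o.ObjectType
            Kind        = Resolve-GroupKind $o
            ObjectId    = $o.ObjectId
        }
    }

    @($memberOf) + @($owned)
}

# Usage: Get-UserGroupReport -UserPrincipalName 'user@tenant.onmicrosoft.com' | Format-Table
```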

An updated version of the article can be found here , with examples utilizing the Microsoft Graph SDK for PowerShell.

34 thoughts on “ Quickly list all groups a user is member of or owner of in Office 365 ”

I need some help with the Filter. The “Members -eq ‘DN'” works fine when the DN does not contain single quote. When it does, the Get throws an exception. Can someone please show me, if possible, how to escape the single quote in the filter?

P.S. Let's not discuss the merit of NOT having special characters in a name. 🙂

Escape any special chars as detailed here: https://www.michev.info/blog/post/737/using-filters-against-objects-containing-special-characters

As of January of 2022 the sad reality is that you still need to perform two calls — one to Graph and one to EO to get all group members/owners:

1) Graph won’t show you distro groups 2) EO won’t show you security groups (not mail-enabled)

Luckily, now with REST-compatible interface for EO we can talk directly to https://outlook.office365.com/adminapi/beta/$tenantId/InvokeCommand without the extra luggage of PSremoting (that is — we finally can use a platform/language of our choice), but we still need two queries.

^^^^ Correction, the comment above applies only to group OWNERS, not members. All MEMBERSHIPS of a given account can be obtained with one request — https://graph.microsoft.com/beta/users/ {userID}/memberOf/ (determining the group type in this case would require some heuristics with mailEnabled, securityEnabled and groupTypes attributes). Apologize for multiple messages.

You still don’t get the full picture unfortunately, for example the ManagedBy property for DGs will not be returned by Graph. And the list of owners is separate from the ManagedBy list :/

Your article helped me a lot but, how to get the Distribution group as type because the AAD one is only giving Microsoft 365 groups in output. Could you please help for the other Distribution group type with AAD command it will be very helpful.

Use the Exchange cmdlets (Get-Recipient), not the AAD ones.

I have 100+ DL list and need to check particular person ownership/approver details of them. is this possible? we have set a particular person as approver for multiple DL list. need report all of them DL’s.

Still helpful five years later, thank you for this!

Very good information, helped me when I needed it. Thanks Vasil.

I just want to be able to export the User groups to CSV>> oh, but, is that a DG, or a Group created from Teams or what?= type of 365 Group are they a member of? Many tenants getting 365, but still need someone that can Powershell to reach all the buttons!

There’s a more robust solution here: https://practical365.com/how-to-inventory-membership-of-exchange-groups-recursively/

hello! i need your help i have 270 groups in my organisation suddenly the manager asked me to add him as owner in all groups. is there an easy way to do it?? using powershell or so? please help

yes, there is..

use Add-teamuser command, and write it on excel

Paste it to PS and run it.

Thats really awesome

Any idea how I can do the same with Azure CLI? That limitation to .NET (_not_ “Core”) is a serious impediment on Linux / OS X.

I use a win10 jumphost (a virtual machine), install powershell 7.2 on it, set up ssh access to it (protect access by some AD group and firewall if needed), and then allow PS-remoting to it using Enter-PSSession -hostname

Any commands that follow will be able to use the full Windows PowerShell capabilities.

In short, steps to do are:

Install OpenSSH Server and Client: OpenSSH for Windows is available directly in Windows 10 (1809 or higher) and Windows Server 2019 as an optional feature.

Install PowerShell 7 on all systems

Configure the SSH subsystem to host a PowerShell process on the remote machine

Configure password or key-based authentication

More info here: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core?view=powershell-7.2

This is simple and quick – good stuff!

This worked brilliantly for 3 of our O365 admins, but when I checked for a normal user, no results. I tried multiple users with no luck.

We sync on premise AD to O365 (AzureAD) and I was hoping to find which a simple command to see which groups (cloud or synched) a user was a member of. For the admins it looked great. I also noticed that my queries for the admins only work with our very basic LANID. None of my attempts to use the full UPN ([email protected]), e-mail address, hierarchical naming, etc. did a thing.

Any thoughts on how I can make this work consistently?

The Exchange method (Get-Recipient) will only work if you use the full DN of the user. The AAD one can be used with a variety of identifiers, but in general you should be using the objectID.

Thank you, it is helpful for me. Is it possibles to export the same like all users and DL they are members of. Ex. Name DL Kumaresan IT – Tech,IT – dept Jacop All – Techies

Sure, simply put a foreach loop and go over every user.

Really good, impressed

How can we do the same to get SharePoint groups cross sites/subsites ?

Same question! and Teams. Basically, where does a single user have access to?

Teams uses Office 365 Groups as membership, the above examples work just fine.

How would you perform the same task including Dynamic groups?

As dynamic DGs don’t have a preset membership, there is no shortcut to include them in the list of groups a given user is a member of. Instead you have to cycle over each DDG and expand the membership based on the recipient filter, then compare it against the user at hand.

Thank you, this article does help me in much simpler way than others. Love it!!

Assign licenses to users by group membership in Microsoft Entra ID

This article walks you through assigning product licenses to a group of users and verifying that they're licensed correctly in Microsoft Entra ID, part of Microsoft Entra.

In this example, the Microsoft Entra organization contains a security group called HR Department . This group includes all members of the human resources department (around 1,000 users). You want to assign Office 365 Enterprise E3 licenses to the entire department. The Yammer Enterprise service that's included in the product must be temporarily disabled until the department is ready to start using it. You also want to deploy Enterprise Mobility + Security licenses to the same group of users.

Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator has to specify the Usage location property on the user.

For group license assignment, any users without a usage location specified inherit the location of the directory. If you have users in multiple locations, we recommend that you always set usage location as part of your user creation flow in Microsoft Entra ID. For example, configure Microsoft Entra Connect configuration to set usage location. This recommendation makes sure the result of license assignment is always correct and users do not receive services in locations that are not allowed.

Step 1: Assign the required licenses

Steps in this article might vary slightly based on the portal you start from.

Sign in to the Microsoft Entra admin center as at least a License Administrator .

Select Microsoft Entra ID.

Browse to Identity > Billing > Licenses to open a page where you can see and manage all licensable products in the organization.

Under All products , select both Office 365 Enterprise E5 and Enterprise Mobility + Security E3 by selecting the product names. To start the assignment, select Assign at the top of the page.

Screenshot of selecting products to assign licenses.

On the Assign license page, select Users and groups to open a list of users and groups.

Select a user or group, and then use the Select button at the bottom of the page to confirm your selection.

When assigning licenses to a group with service plans that have dependencies on other service plans, they must both be assigned together in the same group, otherwise the service plan with the dependency will be disabled.

On the Assign license page, click Assignment options , which displays all service plans included in the two products that we selected previously. Find Yammer Enterprise and turn it Off to disable that service from the product license. Confirm by clicking OK at the bottom of License options .

Screenshot of select service plans for licenses.

To complete the assignment, on the Assign license page, click Assign at the bottom of the page.

A notification is displayed in the upper-right corner that shows the status and outcome of the process. If the assignment to the group couldn't be completed (for example, because of pre-existing licenses in the group), click the notification to view details of the failure.

When assigning licenses to a group, Microsoft Entra ID processes all existing members of that group. This process might take some time, depending on the size of the group. The next step describes how to verify that the process has finished and determine if further attention is required to resolve problems.

Step 2: Verify that the initial assignment has finished

Go to Microsoft Entra ID > Groups > All groups . Select the group that licenses were assigned to.

On the group page, select Licenses . This lets you quickly confirm if licenses have been fully assigned to users and if there are any errors that you need to look into. The following information is available:

  • Service licenses that are currently assigned to the group. Select an entry to show the specific services that have been enabled and to make changes.
  • Status updates of the latest license changes, which are available if the changes are being processed or if processing has finished for all user members.
  • Information about user license assignments that are in an error state.

Screenshot of licensing errors and license status.

See more detailed information about license processing under Microsoft Entra ID > Groups > All groups > group name > Audit logs. Check the following activities:

Activity: Start applying group based license to users. This is logged when the system picks up the license assignment change on the group and starts applying it to all user members. It contains information about the change that was made.

Activity: Finish applying group based license to users. This is logged when the system finishes processing all users in the group. It contains a summary of how many users were successfully processed and how many users couldn't be assigned group licenses.

Read this section to learn more about how audit logs can be used to analyze changes made by group-based licensing.

Step 3: Check for license problems and resolve them

Go to Microsoft Entra ID > All groups > Groups, and find the group that licenses were assigned to.

On the group page, select Licenses. The notification on top of the page shows that there are 10 users that licenses couldn't be assigned to. Open it to see a list of all users in a licensing error state for this group.

The Failed assignments column tells us that both product licenses couldn't be assigned to the users. The Top reason for failure column contains the cause of the failure. In this case, it's Conflicting service plans.

Screenshot of licenses that couldn't be assigned.

Select a user to open the user's Licenses page. This page shows all licenses that are currently assigned to the user. In this example, the user has the Office 365 Enterprise E1 license that was inherited from the Kiosk users group. This conflicts with the E3 license that the system tried to apply from the HR Department group. As a result, none of the licenses from that group has been assigned to the user.

Screenshot of the view of all license conflicts for a user.

To solve this conflict, remove the user from the Kiosk users group. After Microsoft Entra ID processes the change, the HR Department licenses are correctly assigned.
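The three steps above, driven from the Microsoft Graph PowerShell SDK instead of the portal so the outcome can be checked and reported rather than read off a screen. This is an added example, not code from the Microsoft Learn article; the group name, the SkuPartNumber values for Office 365 E5 and EMS E3, and the ServicePlanName for Yammer Enterprise are assumptions that should be confirmed against your own tenant with Get-MgSubscribedSku.

```powershell
# Added example, not part of the original article. Assumed values are marked below.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','Directory.ReadWrite.All','User.Read.All','AuditLog.Read.All'

$groupName   = 'HR Department'                 # group used in the walkthrough
$skuParts    = @('ENTERPRISEPREMIUM', 'EMS')   # assumed SkuPartNumbers: Office 365 E5, EMS E3
$disablePlan = 'YAMMER_ENTERPRISE'             # assumed ServicePlanName for Yammer Enterprise

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }
$skus = Get-MgSubscribedSku

# Step 1: one assignment per product, with the Yammer plan disabled where the SKU carries it.
# Both products go into the same call so dependent service plans land together (see above).
$addLicenses = foreach ($part in $skuParts) {
    $sku = $skus | Where-Object SkuPartNumber -eq $part
    if (-not $sku) { throw "SKU '$part' is not subscribed in this tenant" }
    $disabled = @($sku.ServicePlans | Where-Object ServicePlanName -eq $disablePlan |
                  ForEach-Object ServicePlanId)
    @{ SkuId = $sku.SkuId; DisabledPlans = $disabled }
}
$start = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Set-MgGroupLicense -GroupId $group.Id -AddLicenses $addLicenses -RemoveLicenses @() | Out-Null

# Step 2: poll the audit log for the 'Finish applying group based license to users' event
# raised for this group after our change, instead of guessing when processing is done.
$filter = "activityDisplayName eq 'Finish applying group based license to users' " +
          "and activityDateTime ge $start and targetResources/any(t:t/id eq '$($group.Id)')"
do {
    Start-Sleep -Seconds 30
    $finished = Get-MgAuditLogDirectoryAudit -Filter $filter -Top 1
} until ($finished)
"Processing finished at $($finished.ActivityDateTime) with result '$($finished.Result)'"

# Step 3: report members whose assignment *from this group* is not Active. The portal's
# 'Conflicting service plans' reason appears here as the error MutuallyExclusiveViolation.
$problems = foreach ($m in Get-MgGroupMember -GroupId $group.Id -All) {
    $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,LicenseAssignmentStates `
                    -ErrorAction SilentlyContinue
    if (-not $u) { continue }   # nested groups or devices are not users; skip them
    foreach ($s in $u.LicenseAssignmentStates) {
        if ($s.AssignedByGroup -eq $group.Id -and $s.State -ne 'Active') {
            [pscustomobject]@{
                User  = $u.UserPrincipalName
                Sku   = ($skus | Where-Object SkuId -eq $s.SkuId).SkuPartNumber
                State = $s.State
                Error = $s.Error
            }
        }
    }
}
$problems | Format-Table -AutoSize
```

Any row in the final table is a user to look at on their own Licenses page, as in the Kiosk users example above; an empty table means every member received both products.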

To learn more about the feature set for license assignment using groups, see the following articles:

  • What is group-based licensing in Microsoft Entra ID?
  • Identifying and resolving license problems for a group in Microsoft Entra ID
  • How to migrate individual licensed users to group-based licensing in Microsoft Entra ID
  • How to migrate users between product licenses using group-based licensing in Microsoft Entra ID
  • Microsoft Entra group-based licensing additional scenarios
  • PowerShell examples for group-based licensing in Microsoft Entra ID


Manage your Microsoft 365 subscription or Office product

For most Microsoft 365 subscriptions and versions of Office (2013 and later), you need to associate an account with your product. This is the account you use to sign in to Microsoft365.com and what you use to install or reinstall the apps, or to manage your subscription. Depending on your product, this account can be a personal Microsoft account (such as Hotmail.com, Outlook.com, Live.com), or a work or school account assigned by someone in your organization.

Note: Some products purchased through an employee Microsoft Workplace Discount Program (formerly known as Home Use Program) benefit or volume license versions (managed by an organization's IT department) might not require an account. The information below doesn't apply to these Office versions or Microsoft 365 subscriptions.

Sign in to the dashboard for your account

Open a desktop app like Word or Excel, or go to Microsoft365.com.

Tip: You might be prompted to sign in. Make sure to sign in with the account associated with Microsoft 365 or Office. If you can't remember which email address you associated with your subscription or Office product, see I can't remember the Microsoft account I use with Microsoft 365.

From the header, select your Account manager.

Depending on your account type, select My Microsoft account or View account.

Your account dashboard is displayed, and what you can do next depends on whether you're signed in with a Microsoft account or a work or school account.

Select the tab below for the type of account you're signed in with.

If you selected My Microsoft account, the Microsoft account dashboard will open. This is where you manage your Microsoft account and any Microsoft products associated with this account.

On the Microsoft account dashboard, select Services & subscriptions to view all Microsoft products associated with this account.

For non-subscription versions of Office (such as Office 2013 and later): Find your Office product and select Install. Follow the prompts to install or reinstall the desktop apps.

For Microsoft 365 Family or Personal subscriptions: Select Install premium Microsoft 365 apps and follow the prompts to install or reinstall the desktop apps.

On the Microsoft 365 subscription tab, select Manage. From here you can:

Renew your subscription with a prepaid code or card

Cancel a subscription

For Microsoft 365 Family subscriptions, you can start sharing your subscription, and add or remove people you're already sharing with. If you're not the subscription owner, you can see who's sharing Microsoft 365 with you, or choose to leave the subscription.

If you selected View account, the My Account dashboard for your work or school account will open. Here you can:

Install and manage your apps. On the Office apps card, select Manage, and select Install to install or reinstall the latest desktop apps, or other apps such as Project or Visio. (An install option is available as long as your admin assigned you a license and gave you permission to self-install.)

Manage your devices.

View your subscriptions, and any other licenses assigned to you.

Note: For Microsoft 365 admins only. If you're the Microsoft 365 admin in your organization, you control what you want your users to have access to. Go to the Microsoft 365 Admin help center for more information about setting up users.
