Using Active Directory Dynamic Groups to manage Owners and Members of Microsoft Teams

With the announcement of Microsoft Dataflex for Teams last week, and the ability to create Power App solutions with a relational database back-end within Microsoft Teams, it got me thinking about how organisation-wide access to these solutions from within a Microsoft Team would work.

“If you add an Active Directory Security Group to a Microsoft Team, it’ll only add the users that are members of that group at that point in time.”

Typically, Microsoft Teams is used by small/medium groups of colleagues to collaborate with one another. e.g. Project sites or Department sites. Adding members or owners to the Team is a relatively easy job and doesn’t require IT involvement or complex provisioning processes.

However…

What if the HR department creates an employee holiday request Power App solution and everyone in the organisation needs access to it?

With a traditional Power App solution created in the native Power Apps ‘maker’ studio, with a Common Data Service (or Dataflex Pro) back-end, the App Maker could publish the app to anyone. But with a Power App solution created from inside Microsoft Teams, everyone will need to be a member of the Team to access it.

Unlike granting permission to a traditional Power App, adding users to a Microsoft Team works slightly differently.

Firstly, we need to understand how Microsoft Team membership is managed. Obviously, adding every employee individually to a Team isn’t realistic, so Active Directory Group membership seems like a good idea. However, adding a Microsoft Active Directory Security Group only adds the members of that group at that point in time; it doesn’t keep the membership up to date.

“You can use Microsoft Dynamic Group membership to handle new members being added to, or members being removed from, the Active Directory group.”

So how will this work in reality?

Microsoft Teams supports teams associated with Microsoft 365 groups that use dynamic membership. Dynamic membership enables the membership of a team to be defined by one or more rules that check for certain user attributes in Azure Active Directory (Azure AD). Users are automatically added to or removed from the correct teams as user attributes change or as users join and leave the Microsoft 365 tenant.

How to configure a Dynamic Group

1. Sign in to the Azure AD admin center with an account that is in either the Global administrator, Intune administrator, or User administrator role in the Azure AD organization.

2. Search for and select Groups.

3. Select All groups, and select the Group associated to your Microsoft Team.

4. From the left hand menu, click Properties.

5. Change the Membership type from ‘Assigned’ to ‘Dynamic User’.

6. When the membership type has been selected, a new option will appear at the bottom of the page that will allow you to specify a dynamic membership rule.

7. Define your dynamic rule; in my example I’ve added all accounts that begin with ‘Aaron’.

8. After creating the rule, select Save.

9. Wait for your dynamic membership rule to process. Depending upon the complexity of the rule and the size of the Azure Active Directory, this may take a few minutes.

10. Membership of this group will now be reflected in your Team in Microsoft Teams!
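As an added example (not from the original post), the same change made with the Microsoft Graph PowerShell SDK instead of the portal, with a check afterwards of who the rule actually pulled in. The group name is a placeholder; the membership rule is the post’s ‘Aaron’ example, and the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example, not from the original post. Converts the Microsoft 365 group
# behind a Team from Assigned to Dynamic User membership via Microsoft Graph.
param(
    [string]$TeamGroupName  = "HR Holiday Requests",                     # constructed placeholder
    [string]$MembershipRule = '(user.displayName -startsWith "Aaron")'   # rule from the post
)

# Group.ReadWrite.All is the narrowest delegated scope that can change
# group types and membership rules.
Connect-MgGraph -Scopes "Group.ReadWrite.All" | Out-Null

$groups = @(Get-MgGroup -Filter "displayName eq '$TeamGroupName'" `
    -Property Id,DisplayName,GroupTypes,MembershipRule,MembershipRuleProcessingState)
if ($groups.Count -eq 0) { throw "Group '$TeamGroupName' not found." }
if ($groups.Count -gt 1) { throw "More than one group named '$TeamGroupName'; refine the filter." }
$group = $groups[0]

# 'Unified' must stay in GroupTypes or the group stops being a Microsoft 365
# group and no longer backs the Team. Adding 'DynamicMembership' is the
# portal's 'Assigned' -> 'Dynamic User' switch. Note that once the rule is
# processed, any members that were assigned by hand are dropped and replaced
# by whoever matches the rule, so review the rule before applying it.
$groupTypes = @($group.GroupTypes | Where-Object { $_ -ne 'DynamicMembership' }) + 'DynamicMembership'

Update-MgGroup -GroupId $group.Id `
    -GroupTypes $groupTypes `
    -MembershipRule $MembershipRule `
    -MembershipRuleProcessingState 'On'

# Step 9 of the post: wait for Azure AD to evaluate the rule. Poll the
# membership rather than the processing state, which only reports On/Paused.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
} while ($members.Count -eq 0 -and (Get-Date) -lt $deadline)

if ($members.Count -eq 0) {
    Write-Warning "Rule has not produced any members yet; check the rule syntax and try again later."
} else {
    # Review the result before relying on it for an organisation-wide app.
    Write-Host "Rule '$MembershipRule' currently matches $($members.Count) account(s):"
    $members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
}
```

Teams itself can lag behind the group (see the considerations below), so an empty Members list in the Teams client shortly after this runs is not by itself a sign that the rule failed.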

Considerations:

  • Until a user logs into Teams, they won’t appear in the ‘Members’ or ‘Owners’ group.
  • Microsoft Teams may take anywhere from a few minutes to up to 24 hours to reflect dynamic membership changes once they take effect in the Microsoft 365 group for a team.
  • Owners will not be able to add or remove users as members of the team, since members are defined by dynamic group rules.
  • Members will not be able to leave teams backed by dynamic groups.
  • A user can only be a member of up to 1000 Teams.
  • There can only be 10,000 members in a Team (5,000 for Org Wide Teams).
