Azure AD Dynamic Group Membership on Custom attributes

In Azure Active Directory you have the option to create dynamic groups. These are groups whose members are added based on a rule that uses the attributes known on a user object in Azure AD. For example, you can create a dynamic group of all users that have a specific job title.

But what if you want to create a group based on, for example, employeeType? By default this attribute is not synchronized to Azure AD (see the list of synchronized attributes: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized).

You could dive into the inner workings of the sync engine and write your own sync rules, but luckily the latest AAD Connect lets you create your own extensions to the Azure AD schema and configures the entire synchronization of these custom attributes for you.

How to configure

Open AAD Connect and select Customize Synchronization Options. Log in with your tenant admin account and walk through the wizard until you reach Optional Features. Select Directory extension attribute sync and click Next.

The next window lists all the attributes available in your local Active Directory. Find the attribute you need and add it to the Selected Attributes box.

Click Next and the sync engine will automatically configure itself to synchronize your attributes. Note, however, that to ensure uniqueness the attribute created in Azure AD also carries an application ID in its name (in the form extension_<appId>_<attributeName>), and that full name is what you must use in the membership rule of the dynamic group.

And that’s it. That is how you create dynamic groups in Azure AD (and thus Office 365) using custom attributes from your on-premises Active Directory.

On a side note: Azure AD also has an attribute called UserType, which can be used to distinguish guests. Guests are external users who have been invited into your Azure AD. So it is simple to create a group just for your guests and use that group to assign permissions, for example in SharePoint.
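The procedure above, and the guest group from the side note, carried through as an added example (not code from the original post) in Microsoft Graph PowerShell: it reads the extension_<appId>_<attribute> name back from the tenant instead of typing it, builds the membership rule from it, and creates both dynamic groups. It assumes the Microsoft.Graph module is installed, that the extension app AAD Connect registered is named "Tenant Schema Extension App", and that employeeType is the attribute you selected in the wizard.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph module
# installed; AAD Connect registered the directory-extension app as
# "Tenant Schema Extension App"; employeeType was selected in the wizard.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.Read.All"

# 1. Discover the synced attribute. AAD Connect names it extension_<appId>_<attribute>,
#    so read the exact name from the tenant rather than guessing the app ID.
$app = Get-MgApplication -Filter "displayName eq 'Tenant Schema Extension App'"
$ext = Get-MgApplicationExtensionProperty -ApplicationId $app.Id |
       Where-Object { $_.Name -like "extension_*_employeeType" }
if (-not $ext) { throw "employeeType extension attribute not found; re-check the AAD Connect wizard." }

# 2. Build the membership rule from the discovered name (user.<attribute> syntax).
#    "Contractor" is a constructed sample value for employeeType.
$rule = "(user.$($ext.Name) -eq ""Contractor"")"

# 3. Create the dynamic group. Dynamic membership is declared via GroupTypes, and the
#    rule is only evaluated while MembershipRuleProcessingState is "On".
$contractors = New-MgGroup -DisplayName "Contractors (dynamic)" `
    -MailEnabled:$false -MailNickname "contractors-dyn" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 4. Same pattern for the built-in UserType attribute: one group holding every guest,
#    which can then be used to scope (or deny) permissions in SharePoint and elsewhere.
$guests = New-MgGroup -DisplayName "All guests (dynamic)" `
    -MailEnabled:$false -MailNickname "guests-dyn" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -eq "Guest")' -MembershipRuleProcessingState "On"

# 5. Review before granting anything: read the rules back, then, once the first
#    evaluation has run, list who actually landed in each group.
foreach ($g in @($contractors, $guests)) {
    Get-MgGroup -GroupId $g.Id -Property "displayName,membershipRule,membershipRuleProcessingState" |
        Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
    Get-MgGroupMember -GroupId $g.Id -All |
        ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
}
```

Membership evaluation is asynchronous, so the member listing is empty until the rule has been processed; treat the read-back rule as the thing to review when the group is later used to grant access.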
