To create a group in Azure Active Directory (now Microsoft Entra ID), sign in to the Azure portal and open the Azure Active Directory section.
From there, select the "Groups" tab and click the "New group" button.
Choose the group type that fits the purpose: Security or Microsoft 365. These are the only two types the dialog offers; Microsoft 365 groups are called "unified" groups in the Microsoft Graph API, which is where the third name comes from.
Security groups are used for authorization and access control, while Microsoft 365 groups are used for collaboration and communication.
A Microsoft 365 group also gets a shared mailbox, a calendar and a SharePoint site for the group's files.
Prerequisites
Before creating a group in Azure AD, make sure the foundation is in place.
You need an Azure subscription; creating a free account is enough if you do not already have one.
You also need a Microsoft Entra tenant. For the steps, see the article on accessing the portal and creating a new tenant.
Finally, the subscription must be associated with the tenant you intend to administer.
Creating a Group
To create a group in Azure AD, sign in to the Azure portal with an account that is allowed to create groups (a Groups Administrator, or a lesser role if your tenant's group settings permit it) and search for Azure Active Directory.
Click [Groups] in the left menu to open the "All groups" blade, then click [New group] to open the "New Group" dialog.
In the "New Group" dialog, select the Group type: "Security" or "Microsoft 365". Enter a unique name in the "Group name" field. For a Microsoft 365 group, also enter a "Group email address"; messages sent to that address are delivered to every member.
Add a short description in the "Group description" field. Other administrators rely on it to tell what the group is for and who belongs in it, which matters during access reviews and incident triage.
If the group will receive Azure AD (Microsoft Entra) role assignments, select "Yes" at the "Azure AD roles can be assigned to this Group" prompt. This makes the group role-assignable, so you can assign directory roles to the group rather than to individual users. Three caveats: only a Privileged Role Administrator or Global Administrator can create such a group, the setting cannot be changed after creation, and the membership type must be "Assigned". Treat the group's owners as privileged, because anyone who can add a member is effectively granting that member the group's roles.
To add owners, click the "Owners" link and select them in the dialog that appears. Owners can add and remove members, so for a group that gates access they hold that access indirectly; keep the owner list short.
If you selected the "Assigned" membership type, click the "Members" link and select the users and groups that will be members.
If you selected the "Dynamic User" or "Dynamic Device" membership type, click "Add dynamic query" and build a rule. Users or devices whose attributes match the rule are added, and later removed, automatically; members cannot be added by hand to a dynamic group.
Group Management
To manage existing AAD groups, sign in to the Azure portal and search for Azure Active Directory.
Click [Groups] to open the "All groups" blade and select the group you want to manage. The group's own blade exposes its Overview, Members, Owners and settings.
The Group type ("Security" or "Microsoft 365") and the Group name are fixed when the group is created. For a Microsoft 365 group, the "Group email address" receives messages addressed to the group.
Owners can manage the group, including adding and removing users. Every owner can therefore change who holds whatever access the group grants, so review owners as carefully as members.
For an "Assigned" group you add users and groups directly. For a "Dynamic User" or "Dynamic Device" group you edit the membership rule instead; the directory recomputes the membership, and manual member changes are not possible.
Types of Groups
AAD provides two kinds of groups: Security groups and Microsoft 365 groups. A Security group is used to grant access: it is the principal you assign directory roles, Azure RBAC roles and application permissions to, so a single membership change alters what every member can do.
A Microsoft 365 group is used for collaboration and communication: it lets you email the whole group at once and gives it a shared mailbox, calendar and SharePoint site. It is the modern replacement for the classic Exchange distribution group, which still exists and can be upgraded to a Microsoft 365 group.
When you create a group you pick one of these two types, and the type determines which prompts appear in the "New Group" dialog.
Key differences between Security and Microsoft 365 groups:
- Purpose: a Security group grants permissions to its members; a Microsoft 365 group exists for communication and shared resources.
- Mail: a Microsoft 365 group is always mail-enabled and needs a group email address; a Security group created in this dialog is not (mail-enabled security groups are created in Exchange).
- Membership: both types support "Assigned" and "Dynamic" membership.
Api Permissions
The Microsoft Graph permissions needed for group management depend on how the caller authenticates. The snake_case property names below (assignable_to_role, external_senders_allowed and so on) are those of the Terraform AzureAD provider's azuread_group resource; the Graph permissions themselves apply to any client that calls the API.
A service principal needs one of the application permissions Group.ReadWrite.All or Directory.ReadWrite.All.
Alternatively, if the service principal is also an owner of the group being managed, the application permission Group.Create is enough. Prefer that least-privilege option where you can: Group.ReadWrite.All lets the principal alter every group in the tenant, including groups that gate access elsewhere.
If you set assignable_to_role, the service principal also needs the application permission RoleManagement.ReadWrite.Directory.
Specifying owners for a group, which are user principals, requires one of User.Read.All, User.ReadWrite.All, Directory.Read.All or Directory.ReadWrite.All so the caller can resolve them.
When authenticating as a user, the user needs one of the directory roles Groups Administrator, User Administrator or Global Administrator (Privileged Role Administrator or Global Administrator for a role-assignable group).
To create the group only inside administrative units, the Groups Administrator role must be scoped to each administrative unit used.
Some properties (external_senders_allowed, auto_subscribe_new_members, hide_from_address_lists, hide_from_outlook_clients) can only be configured when authenticating as a user, not as a service principal.
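As an added example, not the page's code and not Microsoft's, here are the choices from the "New Group" dialog above expressed as the Microsoft Graph POST /groups request body that the permissions just listed authorize. It covers the Security versus Microsoft 365 choice, Assigned versus dynamic membership, the role-assignable switch, and binding owners and the first members in the same request instead of separate calls. The group names and object IDs are made up; the bearer token is assumed to come from elsewhere (for instance az account get-access-token --resource https://graph.microsoft.com), and nothing is sent unless you call create_group.

```python
"""Added example: build the Microsoft Graph POST /groups body that mirrors the
New Group dialog, then (optionally) send it.  Names and IDs below are made up."""
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
NICKNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def build_group_request(display_name, mail_nickname, *, group_type="security",
                        description=None, membership_rule=None,
                        role_assignable=False, owner_ids=(), member_ids=()):
    """Return the JSON body for POST /groups.

    group_type: "security" or "m365" (Graph calls the latter a "Unified" group).
    membership_rule: None for Assigned membership, otherwise a dynamic rule string.
    role_assignable: the "Azure AD roles can be assigned to this Group" switch.
    """
    if group_type not in ("security", "m365"):
        raise ValueError("group_type must be 'security' or 'm365'")
    # Graph requires mailNickname for every group, even a security group that
    # will never receive mail, and rejects spaces and most punctuation.
    if not NICKNAME_RE.fullmatch(mail_nickname):
        raise ValueError("mail_nickname: 1-64 chars from A-Z a-z 0-9 _ . -")
    if role_assignable and membership_rule:
        # Same constraint the portal enforces: role-assignable groups are Assigned only.
        raise ValueError("role-assignable groups cannot use dynamic membership")

    body = {
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "mailEnabled": group_type == "m365",
        "securityEnabled": group_type == "security",
        "groupTypes": ["Unified"] if group_type == "m365" else [],
    }
    if description:
        body["description"] = description
    if role_assignable:
        # isAssignableToRole is immutable after creation and needs the caller to
        # hold RoleManagement.ReadWrite.Directory (app) or Privileged Role
        # Administrator / Global Administrator (user).
        body["isAssignableToRole"] = True
        body["securityEnabled"] = True
        if group_type == "m365":
            body["visibility"] = "Private"
    if membership_rule:
        body["groupTypes"].append("DynamicMembership")
        body["membershipRule"] = membership_rule
        body["membershipRuleProcessingState"] = "On"  # "Paused" stores the rule without evaluating it
    # Owners and first members can be bound in the same request instead of
    # separate POST .../$ref calls. Owners are user objects; members may be
    # users, groups or service principals, hence the directoryObjects form.
    if owner_ids:
        body["owners@odata.bind"] = [f"{GRAPH}/users/{oid}" for oid in owner_ids]
    if member_ids:
        body["members@odata.bind"] = [f"{GRAPH}/directoryObjects/{mid}" for mid in member_ids]
    return body


def create_group(body, access_token):
    """POST the body to Graph and return the created group. The token must carry
    Group.ReadWrite.All (or Group.Create for an owner) as described above; how it
    is obtained is out of scope here."""
    req = urllib.request.Request(
        f"{GRAPH}/groups",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a role-assignable security group with one owner and two members.
    sample = build_group_request(
        "SG-PrivilegedAccess-Admins", "sg-privilegedaccess-admins",
        description="Holds Entra role assignments for the identity team",
        role_assignable=True,
        owner_ids=["00000000-0000-0000-0000-000000000001"],
        member_ids=["00000000-0000-0000-0000-000000000002",
                    "00000000-0000-0000-0000-000000000003"],
    )
    print(json.dumps(sample, indent=2))
    # create_group(sample, access_token)  # uncomment with a real bearer token
```

Run it as a script to print the body for a role-assignable security group; pass group_type="m365" and a membership_rule to see the "Unified" and "DynamicMembership" group types combined. The validation mirrors what the portal refuses silently or with a generic error: a bad mailNickname, and a dynamic rule on a role-assignable group.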
Dynamic Groups
Dynamic groups are an Azure AD feature that derives membership from a rule over user or device attributes, for example the device model.
To create one, select "Security" as the group type, enter a group name and description, and choose "Dynamic Device" (or "Dynamic User") as the membership type.
Click "Add dynamic query" and enter a rule that states the membership criteria, for example device.deviceModel -eq "Virtual Machine".
If you copy a rule from a web page or a document, paste it into Notepad first: word processors and browsers replace the plain ASCII quotes and hyphens the rule syntax needs with typographic ones, and a rule containing them fails validation.
An advanced rule can combine several conditions, for example (device.deviceModel -eq "Virtual Machine") -or (device.deviceModel -eq "VMware Virtual Platform") -or (device.deviceModel -eq "VMware7,1").
Membership is recalculated in the background and takes time to settle. Open the group and check the membership processing status on its Overview page before relying on the group, for example before attaching a Conditional Access policy to it.
AAD groups are either Assigned or Dynamic. For a Dynamic group you enter a rule over attributes such as device model, and the users or devices that match are added automatically.
Key differences between Assigned and Dynamic groups:
- Assigned: members are added and removed by owners or administrators, and membership changes only when someone changes it.
- Dynamic: membership is computed from the rule. Members cannot be added by hand, membership changes whenever the underlying attributes change, and the feature requires a Microsoft Entra ID P1 license. Because attribute changes flow into membership, anyone who can edit the attributes a rule depends on (a device's model, a user's department) can influence who ends up in the group and what it grants.
You can change the rule later by opening the dynamic group and clicking "Dynamic membership rules".
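To check a rule before pasting it into the portal, here is an added example (my own code, not the page's and not Microsoft's evaluator) that tokenizes and evaluates the rule syntax shown above against a constructed device list. It rejects the typographic quotes the Notepad step is meant to remove, and it treats an attribute that was never populated as null; that null handling is this example's assumption, not a verified description of how the directory service evaluates missing values.

```python
"""Added example (not the page's or Microsoft's code): an offline evaluator for the
rule syntax used above (-eq, -ne, -startsWith, -contains and their -not forms,
-and, -or, -not, parentheses) plus the quote check the Notepad advice works around."""
import re

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # what Word and web pages paste instead of "
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(-[A-Za-z]+)|((?:user|device)(?:\.\w+)+)|([()]))',
                      re.IGNORECASE)
KINDS = ("string", "op", "prop", "punct")


def _s(v):  # Entra's string operators are case-insensitive; a missing attribute is None (assumption)
    return v.lower() if isinstance(v, str) else None

OPERATORS = {
    "-eq": lambda a, b: _s(a) == b.lower(),
    "-startswith": lambda a, b: _s(a) is not None and _s(a).startswith(b.lower()),
    "-contains": lambda a, b: _s(a) is not None and b.lower() in _s(a),
}
for _p, _n in (("-eq", "-ne"), ("-startswith", "-notstartswith"), ("-contains", "-notcontains")):
    OPERATORS[_n] = (lambda f: lambda a, b: not f(a, b))(OPERATORS[_p])


def tokenize(rule):
    """(kind, text) tokens; operators are lowercased, curly quotes are rejected outright."""
    if any(c in SMART_QUOTES for c in rule):
        raise ValueError("typographic quote in rule; retype it with plain ASCII quotes")
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected character {rule[pos]!r} at offset {pos}")
        pos, kind = m.end(), KINDS[m.lastindex - 1]
        tokens.append((kind, m.group(m.lastindex).lower() if kind == "op" else m.group(m.lastindex)))
    return tokens


def _lookup(obj, path):  # walk user.x / device.x.y into a dict of attributes
    for part in path:
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj


def compile_rule(rule):
    """Recursive descent (or > and > unary > comparison) compiling a rule to a predicate."""
    toks, i = tokenize(rule), 0

    def peek():
        return toks[i] if i < len(toks) else (None, None)

    def chain(op, sub, combine):  # sub (op sub)* folded with any()/all()
        nonlocal i
        parts = [sub()]
        while peek() == ("op", op):
            i += 1
            parts.append(sub())
        return lambda obj: combine(p(obj) for p in parts)

    or_expr = lambda: chain("-or", lambda: chain("-and", unary, all), any)

    def unary():
        nonlocal i
        if peek() == ("op", "-not"):
            i += 1
            inner = unary()
            return lambda obj: not inner(obj)
        if peek() == ("punct", "("):
            i += 1
            inner = or_expr()
            if peek() != ("punct", ")"):
                raise ValueError(f"missing ')' at token {i}")
            i += 1
            return inner
        return comparison()

    def comparison():
        nonlocal i
        (k1, prop), (k2, op), (k3, val) = (toks + [(None, None)] * 3)[i:i + 3]
        if (k1, k2, k3) != ("prop", "op", "string") or op not in OPERATORS:
            raise ValueError(f'expected <user|device>.<attr> <operator> "value" at token {i}')
        i += 3
        path, test, value = prop.split(".")[1:], OPERATORS[op], val[1:-1]
        return lambda obj: test(_lookup(obj, path), value)

    pred = or_expr()
    if i != len(toks):
        raise ValueError(f"unexpected trailing token {toks[i][1]!r}")
    return pred


def rule_problem(rule):  # the syntax problem as text, or None if the rule is well formed
    try:
        compile_rule(rule)
    except ValueError as exc:
        return str(exc)


def evaluate_rule(rule, objects):  # displayNames the rule would place in the group
    pred = compile_rule(rule)
    return [o.get("displayName") for o in objects if pred(o)]


# Constructed sample inventory, not real directory data.
SAMPLE_DEVICES = [
    {"displayName": "vm-build-01", "deviceModel": "Virtual Machine", "deviceOSType": "Windows"},
    {"displayName": "esx-web-07", "deviceModel": "VMware7,1", "deviceOSType": "Linux"},
    {"displayName": "orphan-01", "deviceOSType": "Windows"},  # deviceModel never populated
]
VM_RULE = ('(device.deviceModel -eq "Virtual Machine") -or (device.deviceModel -eq '
           '"VMware Virtual Platform") -or (device.deviceModel -eq "VMware7,1")')
```

Call evaluate_rule(VM_RULE, SAMPLE_DEVICES) to see which constructed devices the page's rule selects, and rule_problem(...) on a rule pasted from a document to catch curly quotes before the portal does. Try the rule device.deviceOSType -eq "Windows" -and -not (device.deviceModel -startsWith "Virtual") as well: under this example's null handling it selects the device whose deviceModel was never populated, which is the kind of surprise to look for when an "exclude" rule feeds a Conditional Access policy.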
Frequently Asked Questions
How do I create a group in Active Directory?
This question is about on-premises Active Directory Domain Services, not Azure AD. Open the Start menu, search for "Active Directory Users and Computers", select the organizational unit that should hold the group and choose "Action" > "New" > "Group" (or right-click the OU and pick New > Group), then enter the group name, scope and type in the dialog that follows.