Users and Groups in Azure AD

In this post, we will talk about how to manage users and groups in Azure Active Directory.

Create users in Azure AD

In Azure AD you can create a user either from the Microsoft Entra admin center or from Azure Active Directory in the Azure portal; the process is the same in both.

If you want to create a new user account from the Microsoft Entra admin center, click Azure Active Directory, click Users, click All users and then click New user.

[Screenshot: Add user from the Microsoft Entra admin center]

Here you can either create a new user directly or create an external user by sending that person an invitation.

If you want to create a new user from Azure Active Directory instead, log in to portal.azure.com and go to Azure Active Directory. Go to Users and click New user.

[Screenshot: Create user from Azure AD]

Now let’s look at groups in Azure AD.

Types of groups in Azure AD

In Azure Active Directory, we can create two types of groups: security groups and Microsoft 365 groups.

A security group is used to assign permissions to many users or devices at once. You can also target policies, such as Conditional Access or Microsoft Intune policies, at the users or devices in the group.

A Microsoft 365 group is used for collaboration: members share documents and emails. A Microsoft 365 group has a mailbox to store emails and documents, whereas a security group does not. The other difference is that a security group does not need an email address, while a Microsoft 365 group requires one when it is created.

Create groups in Azure AD

To create a group in Azure AD, go to Groups, click New group and, under Group type, select whether you want a security group or a Microsoft 365 group.

[Screenshot: Create group in Azure AD]

Next, you can add a description for the group in the Description field.

If you want to be able to assign Azure AD roles to this group, select Yes under the “Azure AD roles can be assigned to the group” field. As soon as you select Yes here, the “Membership type” field is greyed out.

So if you are planning to add users or groups to this group, select No for the “Azure AD roles” field and then select a “Membership type”.

Under the Membership type field, you will see three options:

Assigned: With the Assigned membership type you add members to the group manually: search for the users and add them.

Dynamic User: With the Dynamic User membership type you create a dynamic query to add users. A dynamic query lets you add members based on conditions.

Dynamic Device: Similar to Dynamic User, with the Dynamic Device membership type you create a dynamic query to add devices to the group. A dynamic query lets you add members based on conditions.
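As an added example (not code from the original post), here is the same New group form expressed as the request body a script would send to Microsoft Graph, so the choices above can be made repeatably and reviewed. It assumes the Graph v1.0 group resource and its properties displayName, description, mailNickname, mailEnabled, securityEnabled, groupTypes, isAssignableToRole, membershipRule and membershipRuleProcessingState, and an access token obtained separately with Group.ReadWrite.All. It also encodes the portal's own constraint that a role-assignable group cannot use dynamic membership.

```python
"""Build the Microsoft Graph request body for the New group form.

Added example, not code from the original post. Assumes the Graph v1.0
'group' resource and the properties used below, and that the caller
already holds a bearer token with Group.ReadWrite.All (not shown here).
"""
import json
import re
import urllib.request

GRAPH_GROUPS_URL = "https://graph.microsoft.com/v1.0/groups"
MEMBERSHIP_TYPES = ("assigned", "dynamic_user", "dynamic_device")


def build_group_payload(display_name, group_type="security", description="",
                        membership_type="assigned", membership_rule=None,
                        role_assignable=False, mail_nickname=None):
    """Translate the portal's form fields into a Graph 'group' body.

    group_type:      "security" (no mailbox) or "m365" (mail-enabled, Unified)
    membership_type: "assigned", "dynamic_user" or "dynamic_device"
    membership_rule: rule text such as '(user.displayName -eq "John Smith")'
    role_assignable: the "Azure AD roles can be assigned to the group" switch
    """
    if group_type not in ("security", "m365"):
        raise ValueError("group_type must be 'security' or 'm365'")
    if membership_type not in MEMBERSHIP_TYPES:
        raise ValueError(f"membership_type must be one of {MEMBERSHIP_TYPES}")
    is_dynamic = membership_type != "assigned"

    # Same rule the portal enforces by greying out Membership type:
    # a role-assignable group can only have assigned members.
    if role_assignable and is_dynamic:
        raise ValueError("role-assignable groups must use Assigned membership")
    if is_dynamic:
        if not membership_rule:
            raise ValueError("dynamic membership requires a membership rule")
        # A user rule reasons about user.* properties, a device rule about device.*
        prefix = "user." if membership_type == "dynamic_user" else "device."
        if prefix not in membership_rule:
            raise ValueError(f"{membership_type} rules must use {prefix} properties")

    # Graph requires mailNickname for every group, even one with no mailbox,
    # so derive a safe one from the display name when none is given.
    if mail_nickname is None:
        mail_nickname = re.sub(r"[^A-Za-z0-9]", "", display_name)[:64] or "group"

    body = {
        "displayName": display_name,
        "description": description,
        "mailNickname": mail_nickname,
        # Security group: not mail-enabled. Microsoft 365 group: mail-enabled "Unified" group.
        "mailEnabled": group_type == "m365",
        "securityEnabled": group_type == "security",
        "groupTypes": ["Unified"] if group_type == "m365" else [],
    }
    if role_assignable:
        body["isAssignableToRole"] = True
    if is_dynamic:
        body["groupTypes"].append("DynamicMembership")
        body["membershipRule"] = membership_rule
        # "Paused" would store the rule without evaluating it
        body["membershipRuleProcessingState"] = "On"
    return body


def create_group(access_token, payload):
    """POST the body to Graph and return the created group. Not called by the example itself."""
    req = urllib.request.Request(
        GRAPH_GROUPS_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dynamic device group matching the HPWin10 example from the post.
    print(json.dumps(build_group_payload(
        "HP Windows 10 devices", membership_type="dynamic_device",
        membership_rule='(device.displayName -eq "HPWin10")'), indent=2))
```

Keeping the validation in code means the greyed-out field in the portal becomes an error a pipeline can catch before the request is sent; the body returned by build_group_payload is what create_group posts.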

What is dynamic query

With dynamic queries, you create attribute-based rules that enable dynamic membership for a group in Azure Active Directory.

Every dynamic query has a rule made of three parts: Property, Operator and Value.

If you want to add users based on certain conditions, under “Membership type” select “Dynamic User” and click “Add dynamic query” under “Dynamic user members”. Under “Configure Rules”, choose a property such as displayName, an operator such as Equals, and type a value such as “John Smith”.

Any user whose display name is “John Smith” will then be added to the security group.

If you want to add devices to a security group, under “Membership type” select “Dynamic Device” and click “Add dynamic query”. On “Dynamic membership rules”, create a new query that adds devices to the security group. For example, to add a device with the display name HPWin10 to a group, you would create a query like this:

Property = displayName, Operator = Equals, Value = HPWin10.
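To see what a Property/Operator/Value rule selects before you save it, here is an added, stand-alone preview (not the post's code and not Azure AD's own evaluation engine). It applies the rule text the Configure Rules form produces, for example (user.displayName -eq "John Smith") or (device.displayName -eq "HPWin10"), to a constructed set of users and devices, and goes a little beyond the two examples above by also handling -ne, -startsWith, -endsWith, -contains and -match and clauses joined with and/or. Case-insensitive string comparison and the restriction to clauses joined by either all "and" or all "or" are simplifications of this preview, not statements about the service; the sample objects are constructed for the example.

```python
"""Preview which directory objects a dynamic membership rule would select.

Added example, not from the original post and not Azure AD's evaluator.
Assumptions: case-insensitive string comparison, a flat list of clauses
joined by either 'and' or 'or' (not mixed), and the sample data below,
which is constructed for the example.
"""
import re

# Constructed sample directory objects (not real tenant data).
USERS = [
    {"displayName": "John Smith", "department": "Sales", "accountEnabled": True},
    {"displayName": "Jane Doe", "department": "Sales", "accountEnabled": False},
    {"displayName": "Sam Lee", "department": "Engineering", "accountEnabled": True},
]
DEVICES = [
    {"displayName": "HPWin10", "deviceOSType": "Windows", "deviceOSVersion": "10.0.19045"},
    {"displayName": "HPWin11", "deviceOSType": "Windows", "deviceOSVersion": "10.0.22631"},
    {"displayName": "MacBook-01", "deviceOSType": "MacMDM", "deviceOSVersion": "14.1"},
]

# One clause: (object.property -operator value); value is a quoted string, true, false or null.
CLAUSE = re.compile(
    r'\(\s*(?P<obj>user|device)\.(?P<prop>\w+)\s+(?P<op>-\w+)\s+'
    r'(?P<val>"[^"]*"|true|false|null)\s*\)', re.IGNORECASE)
LITERALS = {"true": True, "false": False, "null": None}


def parse_rule(rule):
    """Split rule text into (object, property, operator, value) clauses plus the join word."""
    clauses, joins, pos = [], [], 0
    for m in CLAUSE.finditer(rule):
        between = rule[pos:m.start()].strip().lower()
        if clauses:
            if between not in ("and", "or"):
                raise ValueError(f"expected 'and' or 'or', found {between!r}")
            joins.append(between)
        elif between:
            raise ValueError(f"unexpected text before first clause: {between!r}")
        raw = m["val"]
        val = raw[1:-1] if raw.startswith('"') else LITERALS[raw.lower()]
        clauses.append((m["obj"].lower(), m["prop"], m["op"].lower(), val))
        pos = m.end()
    if not clauses or rule[pos:].strip():
        raise ValueError("rule could not be parsed")
    if len(set(joins)) > 1:
        raise ValueError("this preview does not mix 'and' with 'or'")
    return clauses, (joins[0] if joins else "and")


def eval_clause(obj, prop, op, val):
    """Evaluate one clause against one directory object (a dict of attributes)."""
    actual = obj.get(prop)
    if not isinstance(val, str):            # true / false / null compare exactly
        if op == "-eq":
            return actual == val
        if op == "-ne":
            return actual != val
        raise ValueError(f"{op} needs a string value")
    a = "" if actual is None else str(actual).lower()
    v = val.lower()
    if op == "-eq":
        return a == v
    if op == "-ne":
        return a != v
    if op == "-startswith":
        return a.startswith(v)
    if op == "-endswith":
        return a.endswith(v)
    if op == "-contains":
        return v in a
    if op == "-match":                      # regular expression, as in Azure AD rules
        return re.search(val, str(actual or ""), re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator {op}")


def preview_members(rule, users=USERS, devices=DEVICES):
    """Return display names of the objects the rule would pull into the group."""
    clauses, join = parse_rule(rule)
    targets = {c[0] for c in clauses}
    if len(targets) != 1:
        raise ValueError("a rule targets either users or devices, not both")
    pool = users if targets.pop() == "user" else devices
    combine = all if join == "and" else any
    return [o["displayName"] for o in pool
            if combine(eval_clause(o, p, op, v) for _, p, op, v in clauses)]


if __name__ == "__main__":
    for rule in ('(user.displayName -eq "John Smith")',
                 '(device.displayName -eq "HPWin10")',
                 '(user.department -eq "Sales") and (user.accountEnabled -eq true)'):
        print(f"{rule}\n  -> {preview_members(rule)}")
```

Running a rule against an export of your own users or devices this way shows the blast radius of a group before Conditional Access or Intune policies are attached to it; a display-name rule like the one above matches exactly one object only as long as nobody else is given that display name.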

So this is how you create security groups in Azure Active Directory.

Happy Learning!!