How to configure group accounts and assignment types in Microsoft Entra ID?


Configuring group accounts and assignment types in Microsoft Entra ID (formerly Azure Active Directory, or Azure AD) is an essential part of managing access to resources, applications, and services in a cloud-based environment.

Groups in Microsoft Entra ID are used to manage collections of users, devices, and service principals, and these groups can be assigned to roles, applications, and policies.

There are different assignment types to control how access is granted to group members.

Types of Groups in Microsoft Entra ID

Before diving into the configuration and assignment, it's important to understand the types of groups available in Entra ID:

1. Security Groups

Primarily used to manage access to resources and services in Microsoft Entra ID or other Azure services (like Azure Virtual Machines, Azure Storage, etc.).

Can be used for role-based access control (RBAC) or to assign resources, such as licenses and applications, to a group.

2. Microsoft 365 Groups

Used primarily for collaboration scenarios, such as providing access to shared mailboxes, calendars, SharePoint sites, and other Microsoft 365 services.

Can also be used for resource access but primarily designed for communication and collaboration purposes.

3. Mail-Enabled Security Groups

Similar to security groups but can also be used as distribution lists in email scenarios.

4. Dynamic Groups

Groups that automatically include users, devices, or service principals based on rules (e.g., if a user’s department is "Marketing," they automatically join the "Marketing" group).

Steps to Configure Group Accounts in Microsoft Entra ID

1. Create a New Group

You can create groups using the Azure portal or PowerShell.

Here are the steps to create groups in the Azure portal.

1.1. Sign in to the Azure Portal

Go to the Azure portal and sign in with your admin credentials.

1.2. Navigate to Microsoft Entra ID (Azure AD)

In the left-hand navigation pane, select Microsoft Entra ID (or Azure Active Directory).

1.3. Go to Groups

Under the Manage section in the left menu, select Groups.

1.4. Create a Group

Click the + New group button at the top of the Groups page.

1.5. Configure Group Settings

  • Group type: Choose the group type. Options include:

    • Security: For managing access to resources.

    • Microsoft 365: For collaboration features like email, calendars, and SharePoint.

  • Group name: Enter a unique name for the group (e.g., SalesTeam or ITAdmins).

  • Group description: Optionally, add a description of the group.

  • Membership type: Choose between:

    • Assigned: Members must be manually added to the group.

    • Dynamic User: Members are added based on rules you define (e.g., users from the Sales department).

    • Dynamic Device: For devices that meet certain criteria (e.g., devices with specific configurations).

1.6. Assign Members (for assigned groups)

After selecting the membership type, you can add users or other groups as members.

For dynamic groups, you’ll need to configure membership rules.

1.7. Set Group Owner (Optional)

You can assign group owners who can manage the group's membership.

Group owners have the ability to add or remove members.

1.8. Create the Group

Once you've filled in the necessary details, click Create to create the group.

2. Assigning Group Memberships

Once a group is created, you need to assign users or devices to it.

This is done differently based on the membership type.

2.1. Assigned Groups

You can manually add users or devices to the group, or remove them from it, by selecting the group from the Groups list and then clicking Members > + Add members.

2.2. Dynamic Groups

Dynamic groups automatically add members based on rules.

For example, you could create a dynamic rule that adds all users in the "Sales" department to a group.

To create dynamic membership rules:

  1. Go to the group’s Membership type.

  2. Select Dynamic User or Dynamic Device.

  3. Define the membership rule using the dynamic membership rule syntax (e.g., user.department -eq "Sales").
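The same dynamic group built from PowerShell, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module); the group name "Sales-Dynamic", the mail nickname and the existence of users with department "Sales" are assumptions. Beyond the single-condition rule in the text, it combines two conditions and verifies that rule processing is actually switched on.

```powershell
# Added example (not from the original article): create a dynamic security group
# with the Microsoft Graph PowerShell SDK and check its membership rule.
# Assumptions: the Microsoft.Graph module is installed, the signed-in account holds
# Group.ReadWrite.All and User.Read.All, and some users have department "Sales".

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Membership rule in Entra ID rule syntax. Adding the accountEnabled condition
# drops disabled accounts from the group automatically.
$rule = '(user.department -eq "Sales") -and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "Sales-Dynamic" `
    -Description "All enabled users in the Sales department (dynamic membership)" `
    -MailEnabled:$false `
    -MailNickname "sales-dynamic" `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Check: the rule is stored and processing is "On". A group whose processing
# state is "Paused" never evaluates its rule and simply stays empty.
Get-MgGroup -GroupId $group.Id -Property "id,displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState

# Evaluation is asynchronous; wait a few minutes before listing members.
# Any user whose department attribute becomes "Sales" joins automatically, so the
# attribute feeding the rule should be written by your HR sync, not by the users.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property "displayName,department" } |
    Select-Object DisplayName, Department
```

The rule is stored as a single string, so it can be reviewed and version-controlled like any other access policy; when a rule is edited the whole membership is recalculated, which is why a quick look at the resulting member list after each change is worthwhile.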

Group Assignment Types in Microsoft Entra ID

Group assignments refer to the ability to assign users or devices in a group to different resources like applications, roles, and licenses.

There are different ways in which groups can be assigned:

1. Assigning Groups to Applications

You can assign a group to an application, giving all members of the group access to the application.

To assign a group to an application:

  1. Go to Enterprise Applications in the Azure portal.

  2. Select the application you want to assign to a group.

  3. In the application pane, select Users and groups.

  4. Click + Add user.

  5. Choose the group (you can select multiple groups) to assign to the application.

2. Assigning Groups to Roles

Microsoft Entra ID supports role-based access control (RBAC), which allows you to assign groups to Azure roles for resource access management.

To assign a group to a role:

  1. Go to Azure AD > Roles and administrators.

  2. Select a role (e.g., Global Administrator, User Administrator).

  3. Click + Add assignment.

  4. Select the group you want to assign to the role.
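The same role assignment from PowerShell, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK; the group name "Helpdesk-UserAdmins" and the choice of the User Administrator role are assumptions. It also covers a requirement the portal enforces silently: only a group created as role-assignable can be given an Entra ID role, the flag cannot be added to an existing group, and such groups cannot use dynamic membership.

```powershell
# Added example (not from the original article): create a role-assignable group,
# give it a built-in Entra ID role, and list every group that holds that role.
# Assumptions: Microsoft.Graph module installed; the signed-in account holds
# Group.ReadWrite.All and RoleManagement.ReadWrite.Directory.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# isAssignableToRole must be set at creation time. Role-assignable groups can
# only be managed by Global Administrators and Privileged Role Administrators,
# which keeps ordinary group owners from adding members to an admin group.
$group = New-MgGroup -DisplayName "Helpdesk-UserAdmins" `
    -Description "Helpdesk staff holding the User Administrator role" `
    -MailEnabled:$false -MailNickname "helpdesk-useradmins" `
    -SecurityEnabled -IsAssignableToRole

# Resolve the built-in role by display name rather than hard-coding its id.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# "/" is a tenant-wide assignment; an administrative unit id scopes it down.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $group.Id -DirectoryScopeId "/"

# Audit check: which groups currently carry this role. Adding a member to any of
# them is a role grant and should be reviewed as one.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    ForEach-Object {
        $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        if ($principal.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
            [pscustomobject]@{
                Group = $principal.AdditionalProperties['displayName']
                Scope = $_.DirectoryScopeId
            }
        }
    }
```

Because the role travels with group membership, the final listing is the one to run periodically: it shows the groups whose membership changes are, in effect, privileged role changes.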

3. Assigning Groups to Licenses

You can assign a license to a group, which automatically applies the license to all members of the group.

To assign a license to a group:

  1. Go to Azure AD > Licenses.

  2. Select All products or a specific license.

  3. Click + Assign.

  4. Choose Groups and select the group to assign the license.

4. Assigning Groups to Conditional Access Policies

You can also assign groups to Conditional Access policies, which define how users and devices must authenticate and access resources under different conditions.

To assign groups to Conditional Access:

  1. Go to Security > Conditional Access in the Azure portal.

  2. Create or select an existing Conditional Access policy.

  3. Under Assignments, choose Users and groups.

  4. Select the group to include in the policy.

Managing Group Properties

Once you’ve created and assigned groups, you can manage their properties and settings.

Some of the common group properties that can be managed include:

  1. Group Name: The name of the group.

  2. Description: A textual description of the group.

  3. Membership Type: Whether the group is static (assigned) or dynamic.

  4. Ownership: You can set owners who can manage the group’s membership.

  5. Membership Rules (for Dynamic Groups): You can update dynamic membership rules.

  6. Group Visibility: You can control who can view the group (e.g., Private, Public, Hidden from address lists).

Managing Group Settings via PowerShell

You can also manage groups and group memberships using PowerShell.

Here’s how you can create and assign groups via PowerShell:

1. Install AzureAD Module

2. Create a Group

3. Add Members to the Group

4. Assign Group to an Application

5. Assign Group to a License
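The five steps above carried through in one script, as an added example that is not the article's own code. Step 1 names the AzureAD module; Microsoft has deprecated that module in favour of the Microsoft Graph PowerShell SDK, so the example uses the Microsoft.Graph cmdlets for all five steps. The group name "SalesTeam", the user alice@contoso.com, an enterprise application named "Salesforce" and the ENTERPRISEPACK license SKU are assumed values to replace with your own.

```powershell
# Added example (not from the original article): the article's five PowerShell
# steps using the Microsoft Graph PowerShell SDK instead of the deprecated AzureAD module.
# Assumed values: group "SalesTeam", user alice@contoso.com, enterprise app
# "Salesforce", license SKU part number "ENTERPRISEPACK".

# 1. Install the module and sign in with only the permissions these steps need.
Install-Module Microsoft.Graph -Scope CurrentUser
$scopes = @(
    "Group.ReadWrite.All",
    "User.Read.All",
    "Application.Read.All",
    "AppRoleAssignment.ReadWrite.All",
    "Organization.Read.All"
)
Connect-MgGraph -Scopes $scopes

# 2. Create an assigned (static) security group.
$group = New-MgGroup -DisplayName "SalesTeam" -Description "Sales department staff" `
    -MailEnabled:$false -MailNickname "salesteam" -SecurityEnabled

# 3. Add a member to the group.
$user = Get-MgUser -UserId "alice@contoso.com"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# 4. Assign the group to an enterprise application. Apps that define app roles
#    need a specific role id; apps without roles expose a single "Default Access"
#    role whose id is the empty GUID.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Salesforce'"
$appRole = $sp.AppRoles |
    Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains "User" } |
    Select-Object -First 1
$appRoleId = if ($appRole) { $appRole.Id } else { [Guid]::Empty }
New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId $appRoleId

# 5. Group-based licensing: current and future members receive the SKU.
#    -RemoveLicenses must be passed, even when empty.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "ENTERPRISEPACK"
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Verify each step: members, application assignment and license on the group.
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
Get-MgGroupAppRoleAssignment -GroupId $group.Id |
    Select-Object ResourceDisplayName, AppRoleId
(Get-MgGroup -GroupId $group.Id -Property "assignedLicenses").AssignedLicenses |
    Select-Object SkuId
```

Requesting only the scopes the script needs (rather than a broad directory-wide scope) keeps the consent footprint of the admin session small, and the verification commands at the end are what you would run again later to confirm nothing has drifted from the intended assignments.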

Conclusion

Managing group accounts and their assignment types in Microsoft Entra ID (Azure AD) is crucial for access management and resource allocation in your environment.

By creating security or Microsoft 365 groups and assigning them to applications, roles, licenses, and policies, you can ensure that users and devices have appropriate access to resources.

The ability to create dynamic groups and configure group-based assignments helps automate access management, streamlining the process for administrators.

Rajnish, MCT
