Dynamic group membership in Microsoft Teams

Microsoft Teams is gaining more and more popularity. Right now, for most regular users it is not only a Skype successor for basic communication like chat and calls, but a whole collaboration platform where you can share files or even configure assistant bots. I guess in a lot of companies Microsoft Teams just lives its own life: users can create new Teams, be an owner, and manage access to a specific Team. But what if someone wants a Team with dynamic membership, so that nobody has to remember to add or remove people by hand? In that case, you can create a Team based on a dynamic group in Azure AD!

Create a Team and change the group membership type using GUI

At first, you have to create a Team as you do usually. For example, you can use the Microsoft 365 admin center (office.com).

1. After successful login, go to Teams & Groups -> Active teams & groups.

2. Click Add a group while Microsoft 365 tab is active.

3. Select Microsoft 365 as a group type.

4. Set Name and Description.

5. Choose a group owner.

6. As we want to create a dynamic group, you don’t have to add any members for now.

7. Provide a group email address and check “Create a team for this group”.

8. Confirm group creation in the last step.

Right now, you created a Team as usual, with a standard manually assigned group. It’s time to change that!

9. Switch portal to Microsoft Azure, go to Azure Active Directory -> Groups, and search the group we already created.

10. Open that Microsoft 365 group and go to the Properties.

11. The group membership type is set to Assigned, so let’s change it to “Dynamic User” and click “Add dynamic query”.

You can define your dynamic query using a drop-down list, but be aware there might be more options available when you create a rule syntax manually, using Microsoft documentation. For example, you can create a dynamic query based on another Azure AD group by providing this query:

 user.memberof -any (group.objectId -in ['XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'])

where X is an Azure AD group ID.

12. In the Validate rules tab, you can check whether the created query works as expected. You have to add users and click Validate. This option is in preview, and while writing this article it’s not working with the “user.memberof” example that I mentioned.

13. If everything looks fine, click Save. Remember to click Save also in the edited group.

Right after saving settings, you can open the Overview tab of the group, where you see empty fields for “Dynamic rule processing status” and “Last membership change”.

Depending on the size of your Azure AD organization, the group may take up to 24 hours to populate for the first time or after a rule change. Typically, directories with a small number of users will see the membership changes in less than a few minutes. Directories with a large number of users can take over 30 minutes to populate.

In my case, it took less than 1 minute, as I have a small test environment.

14. Right now we can check who is a member of that group.

When one of the members of that group logs in to the Teams application, they will see a new Team available.

The main difference from a regular Team is that the user can’t leave it: membership is decided by the rule, not by the user or the owner.

Create a dynamic group and a Team for the existing group using MS Graph

There is another way to get the same final result. Of course, you can use the Microsoft Azure portal as I showed above, but let’s check whether it’s faster with PowerShell and MS Graph.

0. If you don’t have the Microsoft Graph module installed (or you have an old version), you can install/update using the below command:

Install-Module Microsoft.Graph -Scope AllUsers -AllowClobber -Force

1. Right now it’s time to connect to the MS Graph:

# -Scopes takes an array of scope names; passing them as one comma-separated string sends the commas as part of the scope names
Connect-MgGraph -Scopes "Team.Create", "Group.ReadWrite.All", "Directory.ReadWrite.All"

The scopes listed above are needed for group and Team creation. If you are using those scopes for the very first time, you will be asked for admin consent. Admin consent needs Global Administrator permissions, so if you are not a global admin you can just send a request for admin consent, which has to be approved before you can continue.

2. OK. We need to define a few things. Please be aware that our group needs an owner.

# Variables for Dynamic Azure Active Directory Group
$GroupName = "DynamicTest2"
$GroupMailName = "DynamicTest2"
$GroupQuery = "(user.department -eq ""Sales"")"
$OwnerID = (Get-MgUser -ConsistencyLevel eventual -Search '"DisplayName:Artur Kukula"').ID

3. Then we can define the whole parameter set for the new group. Because we need a Microsoft 365 group that is ready for Team creation, it has to be mail enabled, not security enabled, and unified. In our case, the group types will be “Unified” and “DynamicMembership”.

$params = @{
    Description                   = $GroupName
    DisplayName                   = $GroupName
    MailEnabled                   = $true          # required for a Microsoft 365 group
    SecurityEnabled               = $false         # a Microsoft 365 group is not a security group
    MailNickname                  = $GroupMailName
    GroupTypes                    = @(
        "Unified",                                 # Microsoft 365 group
        "DynamicMembership"                        # membership is calculated from the rule
    )
    MembershipRule                = $GroupQuery
    MembershipRuleProcessingState = "On"           # start evaluating the rule immediately
    "Owners@odata.bind"           = @(
        "https://graph.microsoft.com/v1.0/users/$OwnerID"
    )
}

4. It’s time for group creation.

New-MgGroup -BodyParameter $params

5. The group is ready, so right now we need the ID of the newly created group.

# -Search is a "contains" match, so narrow the result to the exact display name before taking the ID
$Search  = "DisplayName:$GroupName"
$GroupID = (Get-MgGroup -ConsistencyLevel eventual -Search $Search | Where-Object DisplayName -eq $GroupName).Id

6. We have a group ID, so we only need a Team. Let’s put the ID as a parameter, together with Teams template – we will use the standard one.

$params2 = @{
    "Template@odata.bind" = "https://graph.microsoft.com/v1.0/teamsTemplates('standard')"
    "Group@odata.bind" = "https://graph.microsoft.com/v1.0/groups('$GroupID')"
}

7. The last step is just Team creation based on a specific group (defined in the params2).

New-MgTeam -BodyParameter $params2

8. In the end, don’t forget to close your MS Graph session.

Disconnect-MgGraph
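Once a few Teams are driven by dynamic rules, the question for an admin becomes "which Teams admit members automatically, under which rule, and would this particular user match?". The script below is an added example, not part of the original post: it lists every Team-backed Microsoft 365 group with dynamic membership, reports its rule, processing state and member/owner counts, flags the classic "all users" rule, and then evaluates one user against each rule as a scripted alternative to the Validate rules tab from step 12. It assumes the Microsoft.Graph module is installed, that $TestUpn is replaced with a real UPN, and that the evaluateDynamicMembership action is only exposed on the beta endpoint (hence the raw Invoke-MgGraphRequest call instead of a v1.0 cmdlet).

```powershell
# Added example (not from the original post): audit Team-backed dynamic groups and
# test one user against their membership rules.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

# 1. Fetch all groups with the properties needed for the review and filter client-side.
#    Client-side filtering is slower than a $filter but works regardless of which
#    OData filters the tenant's Graph endpoint accepts.
$teamGroups = Get-MgGroup -All -Property Id, DisplayName, GroupTypes, MembershipRule,
        MembershipRuleProcessingState, ResourceProvisioningOptions |
    Where-Object {
        $_.GroupTypes -contains 'DynamicMembership' -and
        $_.ResourceProvisioningOptions -contains 'Team'
    }

# 2. Build the report. A rule such as (user.objectId -ne null) admits every user in
#    the tenant, which a Team owner rarely expects, so it is flagged for review.
$report = foreach ($g in $teamGroups) {
    $members = @(Get-MgGroupMember -GroupId $g.Id -All)
    $owners  = @(Get-MgGroupOwner  -GroupId $g.Id -All)
    [pscustomobject]@{
        Team           = $g.DisplayName
        GroupId        = $g.Id
        Rule           = $g.MembershipRule
        Processing     = $g.MembershipRuleProcessingState   # On / Paused
        Members        = $members.Count
        Owners         = $owners.Count
        AdmitsAllUsers = [bool]($g.MembershipRule -match 'user\.objectId\s+-ne\s+null')
    }
}
$report | Format-Table -AutoSize

# 3. Evaluate one user against every rule. $TestUpn is a placeholder; replace it.
#    Assumption: POST /beta/groups/evaluateDynamicMembership with memberId and
#    membershipRule returns an object whose membershipRuleEvaluationResult is $true
#    when the user matches.
$TestUpn = "someone@contoso.example"
$user = Get-MgUser -UserId $TestUpn -Property Id
foreach ($g in $teamGroups) {
    $body   = @{ memberId = $user.Id; membershipRule = $g.MembershipRule }
    $result = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/groups/evaluateDynamicMembership" `
        -Body $body
    $verdict = if ($result.membershipRuleEvaluationResult) { "matches" } else { "does not match" }
    "{0}: {1} {2} the rule '{3}'" -f $g.DisplayName, $TestUpn, $verdict, $g.MembershipRule
}

Disconnect-MgGraph
```

Run it with the same account you used for Connect-MgGraph in step 1; read-only scopes are enough, so there is no need to grant ReadWrite permissions just to review the rules. Keeping the report (for example exported with Export-Csv) gives you a baseline to diff after someone edits a rule, which is the moment a dynamic Team silently changes who can read its files and chat.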

That’s it. Which way was quicker? Do you see a need for Teams based on dynamic groups? Please leave a comment below 🙂
