10 ready-to-implement PowerShell scripts to make AD management easy!

Azure AD Fundamentals

How groups work in Azure AD

The straightforward way to provide users with resources is directly assigning the relevant resources to a user, but doing this for hundreds and thousands of users can be quite taxing. This is where the concept of Groups enters the fray in Azure Active Directory (Azure AD).

Groups are a way of assigning resources to users, only this time, users are added to a group and the group is allotted with resources that can be accessed by all the users in that domain. Standard AD groups and Azure AD groups work in a similar manner, with differences in the distinct features offered specifically by Azure AD when compared to other ADs in the market. Azure AD groups are just another way of managing access and permissions for a group of users in contract to every single user. The important point here being that Zero Trust principles are being incorporated by users and bolstered by Microsoft, in specific, the core principle- granting and limiting user-access to resources and to only the users who require that access to carry out their job.

Following the mentioned principle, you can use Azure AD to use groups as a means to access management of data, applications and resources. Resources in Azure AD can be any of the following:

  • Azure AD organizational part, like object management permissions via Azure AD roles
  • External organizational components like software-as-a-service (SaaS) applications
  • Services on Azure
  • Sites of SharePoint
  • Resources that are on-premises

On the other hand, there are a few groups that cannot be managed in the Azure AD portal:

  • Management of groups that are synced from on-premises AD is only possible in on-premises AD
  • Management of distribution lists and mail-enabled security groups is only possible in Microsoft 365 (M365) admin center and Exchange Online

Note: You are required to sign-in M365 admin center or Exchange Online for managing groups.

Prior to the creation of groups

There are two points of information you need to know before you can start creating groups, namely, the different types of groups and the different types of memberships.

Types of groups

There are two types of groups you can have in Azure AD:

  1. Security Group: This group type is used for the management of user and computer access to shared resources.
  • Exemplary usage: Security groups can be created in such a way that the same set of security permissions are applicable to all the members of the group.
  • Types of members: Devices, users, other groups, service principals (defines policy and permission for access).
  • Types of owners: Users and service principals.
  1. Microsoft 365 Groups: This group type is used for greater level of collaboration as it allows the provision of access to group members to shared mailboxes, files, SharePoint sites, etc.
  • Exemplary usage: M365 Groups enables the action of providing access to people external to the organization.
  • Types of members: Only users.
  • Types of owners: Users and service principals.

Types of memberships

There are three types of memberships you can select in Azure AD groups, each with its own use:

  1. Assigned membership: Allows the addition of specific users as group members with special permissions.
  2. Dynamic user membership: Allows for automatic addition and removal of users using the dynamic membership rules. A change in the attributes of a member will lead to either of the outcomes: addition or removal of that member; and the outcome depends on whether that member meets the requirements of the rule (if they meet, then they will be added, and if they don’t, they will be removed). This check is determined by the system which checks the dynamic group rules for the directory.
  3. Dynamic device membership: Allows for the automatic addition and removal of devices using the dynamic membership rules. A change in the attributes of a device will lead to either of the outcomes: addition or removal of that device; and the outcome depends on whether that device meets the requirements of the rule. If the device meets the requirements, it will be added, and if the device doesn’t, it will be removed). This check is carried out by the system which checks the dynamic group rules for the directory.

Prior to granting access rights to a group

After the creation of an Azure AD group, the next step is to provide necessary and pertinent access. As the permissions for an application, resource and service may not be the same for the other, the management of an application, resource and service that requires access permissions needs to be separate.

Note: It is recommended that access should be granted based on the principle of least-privilege in conjunction with Zero Trust for the reduction of security risks.

How access management works in Azure AD

In Azure AD, the act of providing access to organizational resources is done by granting access rights to an individual user or to a whole Azure AD group. Via groups, a set of access permissions can be assigned to every member of the group by the resource owner or the owner of the Azure AD directory. Granting management rights to someone like a help desk administrator is also possible by the resource or directory owner, which means that the person who received the management rights has the power to add and remove members of the group.  

Ways to assign access

Once it has been determined what access needs to be provided, the next step is determining how you are going to provide that access. Discover the four ways to grant access rights and decide on the one that is the best fit in accordance to circumstance or task:

  1. Direct assignment: The user is directly assigned to the resource by the resource owner
  2. Group assignment: An Azure AD group is assigned to the resource by the resource owner. By this way of assignment, all the group members are provided with access to the resource.

Note: Both the resource and group owner can manage group memberships, which means that both owners have the power to add and remove group members.

  1. Rule-based assignment: In this type of assignment, a group is created by the resource owner and they defined which users are assigned to a particular resource using a rule. Attributes that are assigned to each is managed by the resource owner and they ascertain which of the attributes and values are necessary for the allowance of access to a resource.
  2. External authority assignment: An external source like an on-premises directory or a software-as-a-service application assigns the access. In this case, access to a resource is provided by a group assigned by the resource owner, and the group members are managed by the external source.

Creating and managing a group

As we’ve learnt, Azure AD Groups are utilized for the management of all users who are in need of identical access and permissions for a resource. Azure AD allows the creation of a group with special permissions which are then applied to all the group members instead of assigning special permissions to every single user. With that out of the way, let’s take a look at the steps involved in creating a group.

Group creationPre-requisite:

Prior to creating an Azure AD Group, you will need to create an Azure AD tenant. After the creation of an Azure AD tenant, follow the following steps to create an Azure AD Group:

  • Step 1: Using a global administrator account for the directory sign-in to the Azure portal.
  • Step 2: Navigate to Azure ADGroupsNew Group.
  • Step 3: Decide and select what type of group you want to create (Note: The group email address option will be enabled if and after the creation of a M365 group type).
  • Step 4: Decide on a group name (Note: It is recommended to choose a group name that can be recalled easily by all members. The system will then perform a check to determine whether a group with a similar name exists. If it does, then you will be prompted to change the group name).
  • Step 5: Choose a group email address. You can either manually enter an email address of your choice, or choose to use an email address formed by the system based on the provided Group name (Note: This option is exclusive to M365 Group type).
  • Step 6: Add a description for your group. This is optional.
  • Step 7: If you want to assign Azure AD roles to members, assign Switch AD roles to the Group setting to yes (Note: Only Premium P1 or P2 licenses have this option. Having a Privileged Role Administrator or Global Administrator role is required. If you choose to enable this option, the Assigned Membership type is automatically selected. Adding roles while creating the group is made available in the process).
  • Step 8: Choosing the type of Membership.
  • Step 9: Add Members or Owners. This is optional. (Note: To populate a list of every user is your directory, select the link displayed under Members or Owners. Subsequently, from the list displayed, choose the users to be added and then click on the Select button located at the bottom of the tab.
  • Step 10: Click on Create. Once clicked, the creation of your group is complete and you are free to configure other management settings.

Related posts
Active Directory FundamentalsAzure AD FundamentalsRecent Posts

Before migrating to Active Directory Domain Services (AD DS) 2022

Azure AD Fundamentals

Azure AD Pass-through - On-premises authentication in the cloud

Azure AD Fundamentals

How to unlock Azure AD account

Azure AD Fundamentals

What is Azure Kubernetes Service (AKS) - An overview


There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.