Mastering Identity and Access Management with Microsoft Azure - Second Edition

By : Jochen Nickel

Creating and managing users and groups


In the next steps, we connect to our Azure AD and generate the test users and groups.

Start the Azure AD PowerShell console and connect to Azure AD by executing the following cmdlets and scripts:

$msolcred = Get-Credential
# Enter your global administrator credentials
Connect-MsolService -Credential $msolcred
C:\Configuration\HRExports\HRImportToAAD.ps1

Note

Alternatively, you can call Connect-MsolService without arguments; it then prompts for the credentials itself, so no variable is needed.

After the script has finished, go to https://portal.azure.com and sign in with your [email protected] credentials. Open the Users section of your Azure AD. You should find the users from the HireUsers.csv file under the All users tab:

Azure AD portal user management

Open https://portal.office.com | Admin | Active Users, and you can see your users with active licenses in Office 365:

Office 365 user management

Let's create three example groups to represent the company organization with the following script:

C:\Configuration\HRExports\AddOrgGroups.ps1

Now, you will see the created groups:

Azure AD group management
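The chapter runs HRImportToAAD.ps1 and AddOrgGroups.ps1 without reproducing them. The following is an added example, not the book's own scripts, of how such an import can be written with the same MSOnline module used above. It assumes an existing Connect-MsolService session, a CSV with the columns UserPrincipalName, DisplayName, FirstName, LastName, Department and UsageLocation (assumed; the real HireUsers.csv layout is not shown on this page), and the group names HR, Sales and Accounting as the three organizational groups (assumed from the groups the chapter later refers to). The license SKU is a placeholder you must replace with a value from Get-MsolAccountSku.

```powershell
# Added example (not the book's HRImportToAAD.ps1 / AddOrgGroups.ps1). Requires the MSOnline module
# and a Connect-MsolService session. Re-runnable: existing users and groups are skipped.
param(
    [string]   $CsvPath    = 'C:\Configuration\HRExports\HireUsers.csv',
    [string]   $LicenseSku = '',                           # placeholder, e.g. '<tenant>:ENTERPRISEPREMIUM'
    [string[]] $OrgGroups  = @('HR', 'Sales', 'Accounting')  # assumed organizational groups
)

# --- 1. Users from the HR export ---------------------------------------------------------
$users = Import-Csv -Path $CsvPath
foreach ($u in $users) {
    $existing = Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "Exists:  $($u.UserPrincipalName)"; continue }

    $params = @{
        UserPrincipalName   = $u.UserPrincipalName
        DisplayName         = $u.DisplayName
        FirstName           = $u.FirstName
        LastName            = $u.LastName
        Department          = $u.Department      # later used by the dynamic-group rule
        UsageLocation       = $u.UsageLocation   # must be set before a license can be assigned
        ForceChangePassword = $true              # the generated initial password is single-use
    }
    if ($LicenseSku) { $params['LicenseAssignment'] = $LicenseSku }

    # New-MsolUser returns the object including the generated temporary password; hand it to the
    # user over a controlled channel and do not write it to a shared log.
    $created = New-MsolUser @params
    Write-Host "Created: $($created.UserPrincipalName)"
}

# --- 2. Organizational security groups -----------------------------------------------------
foreach ($name in $OrgGroups) {
    $grp = Get-MsolGroup -SearchString $name | Where-Object DisplayName -eq $name
    if (-not $grp) {
        $grp = New-MsolGroup -DisplayName $name -Description "Organizational group: $name"
        Write-Host "Group created: $name"
    }
}

# --- 3. Static membership by department (replaced by a dynamic rule later in the chapter) -----
foreach ($u in $users) {
    $grp = Get-MsolGroup -SearchString $u.Department | Where-Object DisplayName -eq $u.Department
    $usr = Get-MsolUser  -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue
    if ($grp -and $usr) {
        Add-MsolGroupMember -GroupObjectId $grp.ObjectId -GroupMemberType User `
                            -GroupMemberObjectId $usr.ObjectId -ErrorAction SilentlyContinue
    }
}
```

Usage: save as a .ps1 next to the HR export and run it from the same console in which you ran Connect-MsolService. Step 3 only populates the groups statically; when the Accounting group is switched to dynamic membership later in the chapter, these memberships are dropped and recalculated from the department attribute.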

Test your configuration: open https://myapps.microsoft.com and log in as [email protected]. You should see Office 365 SharePoint, Outlook, and other applications in the access panel UI. Click Outlook; the app should open your mailbox without asking for credentials again:

User Inbox dialog

In the next steps, we provide an owner to our organizational groups.

Set group owners for organizational groups

To provide group management by the manager of a department, we will assign the following users as owners of their department groups:

Group - user assignment

Do the same for:

Now that we have configured the owners, we will start to delegate management.
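Owner assignment can also be scripted. The following is an added example, not from the book. It uses the AzureAD module (Connect-AzureAD, Add-AzureADGroupOwner) because the MSOnline cmdlets used elsewhere in the chapter have no group-owner cmdlet. The manager user principal names are placeholders; the chapter's actual group-to-manager table is not reproduced on this page.

```powershell
# Added example (not from the book): make each department manager the owner of their group.
# Requires the AzureAD module and a Connect-AzureAD session.
$ownerAssignments = @{
    'HR'         = 'hr.manager@<tenant>.onmicrosoft.com'          # placeholder UPN
    'Sales'      = 'sales.manager@<tenant>.onmicrosoft.com'       # placeholder UPN
    'Accounting' = 'accounting.manager@<tenant>.onmicrosoft.com'  # placeholder UPN
}

foreach ($groupName in $ownerAssignments.Keys) {
    $group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
    $owner = Get-AzureADUser  -ObjectId $ownerAssignments[$groupName]
    if (-not $group -or -not $owner) {
        Write-Warning "Skipping '$groupName': group or owner not found"
        continue
    }

    # Idempotent: only add the owner if they are not already listed
    $currentOwners = Get-AzureADGroupOwner -ObjectId $group.ObjectId
    if ($currentOwners.ObjectId -contains $owner.ObjectId) {
        Write-Host "$($owner.UserPrincipalName) already owns '$groupName'"
        continue
    }
    Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $owner.ObjectId
    Write-Host "Added $($owner.UserPrincipalName) as owner of '$groupName'"
}

# Verification: list the owners of every organizational group
foreach ($groupName in $ownerAssignments.Keys) {
    $group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
    Get-AzureADGroupOwner -ObjectId $group.ObjectId |
        Select-Object @{n='Group';e={$groupName}}, DisplayName, UserPrincipalName
}
```

The verification loop is worth keeping in your own runbook: an owner can add members to the group from the Access Panel, so the owner list is effectively the access-control list for that delegation and should be reviewed like one.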

Delegated group management for organizational groups

The default configuration of Azure AD allows an owner of a security or Office 365 group to manage the group members based on the data owner concept in the Azure AD Access Panel and the Azure portal.

Furthermore, you can limit this functionality, based on your needs:

Group options in Azure AD

Log in as [email protected] to https://myapps.microsoft.com. Click on the HR group and add [email protected] to the HR group:

Group view in Azure AD access panel UI

Review the Join policy under Edit details.

In the next section, we will configure the group self-service options.

Configure self-service group management

Users may also need to create security or Office 365 groups themselves, for instance for projects or distribution lists, with membership granted through an approval process. You enable this by activating the self-service options under the general section of group management. The feature set requires Azure Active Directory Premium:

Self-Service Group Management options

An Office 365 group includes a distribution list but also consists of these shared tools:

  • Inbox for group email communication
  • Calendar for scheduling group meetings and events
  • Library for storing and working on group files and folders
  • OneNote notebook for taking project and meeting notes
  • Planning tool for organizing and assigning tasks and getting updates on project progress
  • Guest access (set up by the administrator)

Note

Practical note: Use a different browser or the Private Browsing option for handling the different user sessions: one session on https://portal.azure.com as [email protected] (Admin) and another session as the explicit user (User) under https://myapps.microsoft.com.

Create the Sales Internal News group as an Office 365 group (distribution group)

Log in as [email protected] to https://myapps.microsoft.com and create the Sales Internal News group as an Office 365 group. Check that the Group policy shows This group is open to join for all users:

Azure AD access panel UI - group creation

Review the Join policy of your newly created group:

Group dialog - Azure AD access panel UI

In your Azure AD, under Groups, you will also find the newly created group:

Group overview - Azure AD access panel UI

Now, as the group owner, we change the group policy setting so that joining requires a manager's approval:

Group editing dialog

Test the new configuration and log in as [email protected] to https://myapps.microsoft.com. Navigate to groups. Choose Sales Internal News:

Join group dialog

Join the Sales Internal News group and type a Business justification, click Request, and the process should be started.

Log in as [email protected] to https://myapps.microsoft.com.

Check your inbox. You should have received the join request mail and a notification, shown in the Access Panel UI.

Click on this request and approve it:

Group join - Notifications

Note

Note: Next, you will see the group members of the Sales Internal News group.

Log in as [email protected] on https://myapps.microsoft.com.

Check your inbox, and you should have received a successful approval message:

Approval message - group membership

Check your group membership, and you should be a member of the Sales Internal News group:

Group management in Azure AD access panel UI

Next, we will configure dynamic group memberships.

Configure dynamic group memberships

In the next section, we will configure straightforward dynamic group memberships to use the department attribute to add users to their department group and build up a dynamic licensing assignment. Group-based licensing currently does not support groups that contain other groups (nested groups).

Note

An Azure AD Premium P1 license is needed for every user in a dynamic group. When enabling dynamic groups, current memberships will be lost. The usage location of a user needs to be set to assign a license. 

As the [email protected], choose the Accounting group, navigate to properties, and change the membership type to Dynamic User.

Create a simple rule on the department attribute, department Equals (-eq) Accounting, which the rule editor renders as user.department -eq "Accounting":

Dynamic group membership rule configuration

Set the department attribute (profile section) on the accounting users Brian Cox and Jeff Simpson to Accounting:

Filling user attributes for dynamic group usage

The member should be added automatically. Check the group membership and verify the two new members:

Freshly calculated dynamic group membership

Next, we will provide an automatic licensing solution.

Create the following security group:

  • Group name: Office 365 full feature licensing
  • Group description: Automatic Office 365 Full Feature Licensing
  • Membership type: Dynamic User
  • Dynamic query: userType Equals (-eq) Member, rendered as user.userType -eq "Member":

Group properties dialog

Under Licenses | Products, assign the Office 365 E5 plan. Don't choose any assignment options at the moment:

Group assignment options

Note

Note: With the assignment options, you can enable/disable features as needed.

Wait until the membership has updated and check the license assignment for [email protected].

You will see that the user gets the license through a direct and group-based assignment:

License assignment overview

Note

This licensing setup is a starting point only. Once users receive their licenses through group membership, remove the directly assigned licenses from those users so that the group becomes the single source of the assignment.
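The two dynamic groups from this section and the clean-up the note asks for can be done from PowerShell as well. The following is an added example, not the book's code. Dynamic membership rules are not exposed by the MSOnline cmdlets the chapter uses, so group creation and conversion use the AzureAD module (Get/Set/New-AzureADMSGroup); the department attribute and the license inspection use MSOnline. Attaching the E5 plan to the licensing group is still done in the portal under Licenses | Products, as described above. Assumptions: both a Connect-MsolService and a Connect-AzureAD session, Azure AD Premium P1 for the dynamic-group members, placeholder UPNs for Brian Cox and Jeff Simpson, a usage location of US, and that the Office 365 E5 SKU carries the part number ENTERPRISEPREMIUM in your tenant (check with Get-MsolAccountSku).

```powershell
# Added example (not from the book). Requires MSOnline + AzureAD modules with active sessions.

# --- 1. Accounting: convert the existing group to dynamic membership (or create it) ----------
$rule = '(user.department -eq "Accounting")'
$accounting = Get-AzureADMSGroup -Filter "DisplayName eq 'Accounting'"
if ($accounting) {
    # Converting drops the current static members; they are recalculated from the rule.
    Set-AzureADMSGroup -Id $accounting.Id -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
} else {
    $accounting = New-AzureADMSGroup -DisplayName 'Accounting' -Description 'Accounting department' `
        -MailEnabled $false -MailNickname 'accounting' -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' -MembershipRule $rule -MembershipRuleProcessingState 'On'
}

# --- 2. Set the attribute the rule evaluates (plus the usage location licensing needs) --------
$accountingUsers = @(
    'brian.cox@<tenant>.onmicrosoft.com',     # placeholder UPN
    'jeff.simpson@<tenant>.onmicrosoft.com'   # placeholder UPN
)
foreach ($upn in $accountingUsers) {
    Set-MsolUser -UserPrincipalName $upn -Department 'Accounting' -UsageLocation 'US'  # assumed location
}

# --- 3. Licensing group: all member-type users (guests excluded) -----------------------------
$licGroup = Get-AzureADMSGroup -Filter "DisplayName eq 'Office 365 full feature licensing'"
if (-not $licGroup) {
    $licGroup = New-AzureADMSGroup -DisplayName 'Office 365 full feature licensing' `
        -Description 'Automatic Office 365 Full Feature Licensing' `
        -MailEnabled $false -MailNickname 'o365-full-feature-licensing' -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' -MembershipRule '(user.userType -eq "Member")' `
        -MembershipRuleProcessingState 'On'
}
# The E5 plan is attached to $licGroup in the portal (Licenses | Products).

# --- 4. Audit: users who hold the SKU directly although the group already grants it ----------
function Get-DuplicateDirectLicense {
    param([string]$SkuId, [string]$GroupId)
    foreach ($user in Get-MsolUser -All) {
        foreach ($lic in @($user.Licenses | Where-Object AccountSkuId -eq $SkuId)) {
            # GroupsAssigningLicense lists the groups granting this SKU; a direct assignment shows up
            # as the user's own ObjectId (or as an empty list).
            $sources  = @($lic.GroupsAssigningLicense)
            $direct   = ($sources.Count -eq 0) -or ($sources -contains $user.ObjectId)
            $viaGroup = $sources -contains $GroupId
            if ($direct -and $viaGroup) {
                [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; AccountSkuId = $SkuId }
            }
        }
    }
}

$sku   = (Get-MsolAccountSku | Where-Object AccountSkuId -like '*:ENTERPRISEPREMIUM').AccountSkuId  # assumed E5 SKU
$dupes = Get-DuplicateDirectLicense -SkuId $sku -GroupId $licGroup.Id
$dupes | Format-Table -AutoSize

# --- 5. Clean-up, as the note advises: report first, then flip $Apply to remove -------------
$Apply = $false
if ($Apply) {
    $dupes | ForEach-Object {
        Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses $sku
    }
}
```

Run step 4 only after the dynamic membership and the group-based assignment have finished processing; until then the report understates the group-granted licenses. Keeping the removal behind $Apply lets you review the list before any user loses a direct assignment.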

In the next section, we will configure role assignments to administrative units.