Companies and organizations that rely on Microsoft Teams frequently map their groups from Active Directory to Teams. This lets an existing on-premises organizational structure be carried over to Teams quickly and easily. Because the structure is already established through Active Directory memberships, managing permissions in Azure AD and maintaining Teams becomes much simpler. In this article, you will learn how to use AD groups most effectively in Microsoft Teams.
Initial situation: Synchronized AD groups in Azure AD
Administrators currently face the following situation:
The synchronized groups from Active Directory (AD) cannot be edited in Azure Active Directory (AAD). These groups are static and can only be used as they were imported from AD.
Azure P1 and P2 licenses promise greater flexibility, but they are costly and often not flexible enough. Additionally, when companies subscribe to P1 licenses, they receive features they may not need but still have to pay for. These extra costs reduce budgets in other areas where funds are urgently needed. However, there are alternative options, which we will explore in more detail in this article.
Why use AD groups in Microsoft Teams?
Well-maintained groups in Active Directory are excellent for:
- Structuring Teams within an organization
- Managing permissions for accessing files in different locations
For years, AD groups have been a proven method for managing permissions through memberships. They can be used in various areas, such as:
- Permissions in Active Directory
- Distribution groups in Exchange
- Shared resources like printers and file shares
By synchronizing AD groups with Azure AD, these groups are also available in the cloud and can be used for permission management. When users are added to the group, they immediately receive the necessary permissions (or lose them when removed), without administrators needing to make additional changes. This method is convenient, efficient, easy to maintain, well-documented, and secure. However, synchronized groups in AAD cannot be easily edited or changed, making their use inflexible and impractical.
AD groups can also be used in Microsoft Teams, for example, to create a Team for an AD group. Companies can work directly with the synchronized AD groups imported into Azure AD from their local AD. Microsoft offers several ways to do this, which we have covered in previous articles, such as “Azure AD Connect and Azure AD Connect Cloud Sync.”

What are the options for using AD groups in Microsoft Teams?
There are different ways to bring local Active Directory groups into Azure AD and then use them in Teams. Each option has its own advantages and disadvantages, which must be carefully considered. Synchronization should function properly while remaining flexible and easy for administrators to manage.
Option 1: Using static AD groups in Teams
Through the synchronization of groups between AD and Azure AD, AD groups are available 1:1 in Azure AD. It may seem tempting to use them in Teams as well, and initially, this works without issues. When creating a new Team based on a synchronized AD group, all members of that group automatically receive access.
However, Teams does not update when changes occur in AD or Azure AD. The members assigned when the Team was created or permissions were set remain static in the group. No further synchronization occurs, and the entire setup remains unchanged. Additionally, AD-synchronized groups in AAD cannot be modified later. This limitation also applies to synchronization between Azure AD groups and Microsoft 365 groups. Therefore, this approach is unsuitable for most organizations as it does not allow any adjustments.
Option 2: Using dynamic groups from Azure AD P1/P2 subscription in Teams
The second option is the use of dynamic groups in Azure AD. This approach appears ideal for dynamic Teams, and while it does work as described, it comes with some challenges.
First, dynamic groups require an Azure AD Premium P1/P2 subscription. This subscription is not cheap and is only worthwhile if a company uses other Azure AD Premium P1 features. The cost for an Azure AD Premium P1 license is approximately €5.40 per user per month, while a P2 license costs about €8 per user per month.

One of the features of Azure AD Premium P1 is dynamic groups. Azure AD does not synchronize complete groups from AD but rather reads attributes and fields. Based on these fields, Azure AD creates appropriate groups that can be dynamically maintained at any time. Microsoft Teams can also utilize these dynamic groups.
However, managing these groups is quite complex, and everything only works correctly if the rules are set up properly. Additionally, when using dynamic groups, manually adding users to a team is no longer possible. This means that a team owner must request IT support to add a new colleague. Static groups in AD are not supported in this case. Administrators must create new groups, maintain fields and attributes, and ensure that the data is correctly synchronized to the cloud.
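Before choosing between Option 1 and Option 2, it helps to know which groups in the tenant are read-only copies from on-premises AD, which are dynamic (P1/P2) groups, and which back a Team. The following inventory script is an added example, not code from the article or from FirstAttribute; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account has the Group.Read.All permission.

```powershell
# Added example (not from the article or from FirstAttribute): inventory the
# groups in Azure AD and flag, per group, the properties the article turns on:
# synced from on-premises AD (read-only in Azure AD), dynamic membership
# (requires Azure AD Premium P1/P2), and whether the group backs a Team.
# Assumes the Microsoft.Graph PowerShell SDK and an account with Group.Read.All.
Connect-MgGraph -Scopes "Group.Read.All"

# Request the classification properties explicitly; Get-MgGroup omits some by default.
$props = 'Id', 'DisplayName', 'GroupTypes', 'OnPremisesSyncEnabled',
         'MembershipRule', 'MembershipRuleProcessingState', 'ResourceProvisioningOptions'
$groups = Get-MgGroup -All -Property $props

$report = foreach ($g in $groups) {
    [pscustomobject]@{
        Group        = $g.DisplayName
        # True when Azure AD Connect / Cloud Sync owns the object; edits must be made in on-prem AD.
        OnPremSynced = [bool]$g.OnPremisesSyncEnabled
        # 'DynamicMembership' in GroupTypes marks a rule-based (P1/P2) group.
        Dynamic      = $g.GroupTypes -contains 'DynamicMembership'
        Rule         = $g.MembershipRule
        RuleState    = $g.MembershipRuleProcessingState
        # 'Team' appears here once a Microsoft 365 group has been Teams-enabled.
        BacksTeam    = $g.ResourceProvisioningOptions -contains 'Team'
    }
}

# Teams whose membership will not follow on-premises AD changes: every Team that is
# neither dynamic nor synced carries an assigned (static) member list in the cloud.
$staticTeams = $report | Where-Object { $_.BacksTeam -and -not $_.Dynamic -and -not $_.OnPremSynced }

$report | Sort-Object BacksTeam, Dynamic -Descending | Format-Table -AutoSize
"Teams with static (assigned) membership: $(@($staticTeams).Count)"
```

Reviewing the static Teams list periodically is a cheap way to spot Teams whose member lists have silently drifted from the AD groups they were created from.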
Option 3: Group-based synchronization with DynamicSync
With the cloud service DynamicSync by FirstAttribute, dynamic groups in Azure can also be maintained, but with some key advantages over the built-in approach.
First, no Azure AD P1 subscription is required to use the service. The cloud service itself is significantly more affordable and offers more features and flexibility than dynamic groups in Azure AD Premium P1/P2. DynamicSync does not require local installation; it operates entirely in the cloud. The basis can also be static groups in Active Directory, which can be effectively utilized in the cloud with DynamicSync.

By dynamically managing groups between AD and Azure AD, all Microsoft 365 services can rely on dynamic groups. These groups are maintained in the local AD and made available in Azure AD via Azure AD Connect. DynamicSync then ensures meaningful synchronization of cloud groups and their members.
Membership synchronization with DynamicSync is automated and can be scheduled as needed. Admins can continue to manage their groups in the local AD. With DynamicSync, synchronized AD groups can be further utilized in various areas. For example, employees can be regularly and automatically synchronized in Teams with DynamicSync, ensuring that memberships remain up to date.
Simply put, companies can use their existing static AD groups dynamically for Teams membership with DynamicSync. Changes in static AD groups automatically result in changes in Teams membership. This is not possible with Azure AD Premium P1/P2!
DynamicSync goes even further in group-based synchronization: It allows different types of cloud groups to be synchronized into other cloud groups. DynamicSync can use already synchronized groups, Microsoft 365 groups, and security groups as sources.
Option 4: Attribute-based dynamic groups with DynamicSync in Teams
As another useful feature, DynamicSync offers the synchronization of attribute-based AAD groups using dynamic filters. These groups build memberships based on user fields and attributes. Based on predefined selection criteria, DynamicSync can regularly and automatically synchronize dynamic groups in Azure AD, particularly in Microsoft 365 Teams.
In general, DynamicSync can access AD attributes and fields in the same way as Azure AD Premium P1 dynamic groups. However, this access is easier to maintain, more affordable, and offers significantly more configuration options. When admins create new Teams based on dynamic groups, team owners can still manually add members when using DynamicSync. This is not possible with Azure AD Premium P1 dynamic groups.
Conclusion
DynamicSync provides group-based synchronization for various source and target groups in the cloud. At the same time, the cloud service can filter members based on attributes and use them for dynamic groups. Both functions can be combined within DynamicSync. These options are not available with Azure AD P1/P2. Here, admins are limited to dynamic groups, which are also less flexible than what DynamicSync offers.
Table: Comparison of Azure AD P1/P2 and DynamicSync
The table below summarizes the key differences between Azure P1/P2 and DynamicSync.
Option | Description | Advantages | Disadvantages
---|---|---|---
1 | Using Static Groups from AD Directly in Teams | Group is available 1:1; can be used immediately as an M365 group for Teams | Static team; no updates possible; no further synchronization |
2 | Dynamic Groups from AAD P1/P2 Subscription in Teams | Azure AD reads attributes/fields from AD groups and creates groups (Teams); dynamic updates possible | Requires AAD P1/P2 subscription (high cost); no direct group synchronization; time-consuming group management; Team owners cannot add members (only IT can) |
3 | Group-Based Synchronization with DynamicSync | Synchronization of cloud groups into other cloud groups possible; custom scheduling; always up-to-date group memberships; AD group changes automatically sync to Teams memberships; no AAD P1/P2 subscription needed (much cheaper) | Not achievable with Microsoft built-in tools |
4 | Attribute-Based Dynamic Groups with DynamicSync in Teams | DynamicSync filters members sharing a specific attribute and synchronizes them into an AAD group (e.g., M365 group/Team); Team owners can still add members; custom scheduling; include and exclude lists; no AAD P1/P2 subscription needed (much cheaper) | Not achievable with Microsoft built-in tools |