Creating a Dynamic Office 365 Group for Global Administrators

Dynamic Group Membership Rules are Limited

A reader asks if it is possible to create a dynamic Office 365 Group for all the global administrators in a tenant. Sounds like an interesting request, so let’s dive in and do some research.

A dynamic Office 365 Group is like any other dynamic Azure Active Directory group. It depends on a membership rule to define the membership. Azure Active Directory runs background processes to use the rule to query the directory and return a list of members. The key to the answer therefore lies in if it is possible to construct a membership rule to query Azure Active Directory to find the accounts who are global administrators.

Membership Rules for Dynamic Groups

The Microsoft documentation for how to build membership rules for dynamic groups tell us the set of supported properties for rules. Reading through the list, we quickly discover that there’s no way to query the roles held by accounts. Azure Active Directory supports a set of roles that can be assigned to users; the one we’re interested in is the Company Administrator role, which is also known as a global or tenant administrator. To find the accounts that hold the role in a tenant, we can execute the PowerShell command:

# Discover the set of global administrators
Get-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole |?
{$_.DisplayName -eq "Company Administrator"}).ObjectId |Format-Table ObjectId, DisplayName

These cmdlets are in the Azure AD Module (V2).

Finding a Property to Use

Good as it is to be able to find the set of global administrators, it doesn’t help us build a membership rule for a dynamic Office 365 group. But what we can do is find a property in the set supported by membership rules and use it to mark our tenant administrators.

For example, we could use the JobTitle property and say that anyone with a job title of “Office 365 Global Administrator” should be included in the dynamic group. With this decision made, we can update the accounts of the current global administrators to have the correct value:

# Make sure that tenant administrators have the correct job title
$Admins = Get-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole |? {$_.DisplayName -eq "Company Administrator"}).ObjectId | Select ObjectId, DisplayName
ForEach ($Admin in $Admins) {
    If ($Admin.DisplayName -ne "Microsoft Rights Management Services") {
    Set-AzureADUser -Object $Admin.ObjectId -JobTitle "Office 365 Global Administrator" }}

The Microsoft Rights Management Services account is excluded because it’s not used by humans.

Hybrid is Different

Note: If you are in a hybrid organization, you can use the fifteen extended properties synchronized from Active Directory and populate these values by running the Set-Mailbox cmdlet. These properties are not available in a cloud-only tenant because the schema isn’t extended to allow synchronization of the properties from the on-premises directory.

Creating a Dynamic Office 365 Group with PowerShell

Now we can create our dynamic Office 365 group. It’s easiest to do this through the GUI of the Azure AD portal, but here’s how to create the dynamic group with PowerShell:

# Create Dynamic Office 365 Group
New-AzureADMSGroup -DisplayName "Global Tenant Administrators" -Description "Dynamic Office 365 Group for all the global tenant administrators" -MailEnabled $True -SecurityEnabled $True -MailNickname Office365GlobalAdmins -GroupTypes "DynamicMembership", "Unified" -MembershipRule "(User.JobTitle -eq ""Office 365 Global Administrator"")" -MembershipRuleProcessingState "On 

After a short while, the background job to calculate the group membership will complete and you can check if the correct members are present. Again, the GUI is the easiest way to check the membership (Figure 1)

Checking the membership of a dynamic Office 365 group
Figure 1: Checking the membership of a dynamic Office 365 group

Checking the overview for the group will tell us when Azure Active Directory last calculated the membership (Figure 2).

Checking when the membership of a dynamic Office 365 group was last calculated
Figure 2: Checking when the membership of a dynamic Office 365 group was last calculated

Imperfect Solution

This is an imperfect solution albeit one that works: if the job title for a global administrator is set correctly, they will be part of the dynamic Office 365 group. It would be better if Azure Active Directory supported the ability to include a more extensive set of queries in dynamic groups. That might happen in the future, but for the moment we can only work with what we have.

And if a dynamic distribution group will work for you, the solution described by Vasil Michev works because Exchange Online is more flexible than Azure Active Directory in terms of the recipient filters it supports.

This is the kind of practical challenge we discuss in many places in the Office 365 for IT Pros eBook. If you run an Office 365 tenant, can you afford to be without a copy of Office 365 for IT Pros?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.