At a customer I needed to generate quite a few Azure AD dynamic groups, in order to create groups for each department, with users having a set of job titles. This is a good method to automatically assign application roles to a set of users based on their attributes, given that the attributes are managed by a sync from HR or similar. Here is how I did it.
Essentially, loop through an array of departments, generate a filter and create the group as follows.
PS: The script is actually perfectly safe to run in any tenant for test. It will create groups called “Dyn – Department 1” and “Dyn – Department 2”.
$departments = @(
"Department 1"
"Department 2"
)
$jobTitles = @(
"Marketing title 1"
"Marketing title 2"
"Photographer"
)
$WhatIfPreference = $true
$VerbosePreference = "Continue"
$departments | ForEach-Object {
# Generate DisplayName and Filter
$DisplayName = "Dyn - {0}" -f $_
$Filter = '(user.department -eq "{0}") -and (user.jobTitle -in ["{1}"])' -f $_, ($jobTitles -join '","')
# Find existing any group
$existingGroup = Get-AzureADMSGroup -Filter "displayName eq '$($DisplayName)'"
if(!$existingGroup) {
if(!$WhatIfPreference) {
Write-Verbose "Creating $($DisplayName)"
New-AzureADMSGroup -MembershipRule $Filter -DisplayName $DisplayName -SecurityEnabled:$true -MailEnabled:$false -MailNickname ([guid]::NewGuid().ToString()) -MembershipRuleProcessingState "On" -GroupTypes @("DynamicMembership") | Out-Null
} else {
Write-Verbose "WHATIF: Creating $($DisplayName)"
}
} else {
if($existingGroup.MembershipRule -cne $Filter) {
if(!$WhatIfPreference) {
Write-Verbose "Updating membershiprule for $($DisplayName)"
Set-AzureADMSGroup -Id $existingGroup.Id -MembershipRule $Filter
} else {
Write-Verbose "WHATIF: Creating $($DisplayName)"
}
}
}
}
