Microsoft Azure Security Technologies (AZ-500): Azure AD Group Accounts
Types of Group Accounts
Azure AD allows us to define two different types of groups:
- Security Groups.
You can use this group to manage member and computer access to shared resources for a group of users.
For example, you can create a security group called “Service Desk” and later assign the Virtual Machine Contributor role to “Service Desk”.
This way, you give a set of permissions to all the members at once. This option requires an Azure AD administrator.
- Microsoft O365 Groups.
You can use this group to provide collaboration opportunities by giving members access to a shared mailbox, calendar, SharePoint site, and more.
This option can also give people outside of your organization access to the group.
Ways to Assign Group Access Rights
There are different ways you can assign group access rights:
- Assigned
Lets you add specific users to the group.
- Dynamic User
Lets you use dynamic membership rules to automatically add and remove members.
If a member’s attributes change, the system re-evaluates your dynamic group rules for the directory to determine whether the member still meets the rule requirements (and is added) or no longer meets them (and is removed).
For example, you can create a group called “Sales” for employees in the “Sales” department. If the department attribute of an employee changes, the user is automatically removed from the group.
- Dynamic Device (Security groups only)
Lets you use dynamic group rules to automatically add and remove devices.
If a device’s attributes change, the system re-evaluates your dynamic group rules for the directory to determine whether the device still meets the rule requirements (and is added) or no longer meets them (and is removed).
IMPORTANT!!!
You can create a dynamic group for either devices or users, but not for both.
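The following PowerShell is an added example, not part of the original notes, showing the three patterns above end to end: an assigned security group that receives an RBAC role, a dynamic user group keyed on the department attribute, and a separate dynamic device group (one rule per group, since a single group cannot be dynamic for both users and devices). It assumes the Microsoft.Graph and Az PowerShell modules are installed and that the signed-in account holds the required Azure AD and Azure RBAC permissions; the group names, mail nicknames, rule values, and the <subscription-id> and <resource-group> scope are placeholders.

```powershell
# Added example (not from the original notes). Assumes the Microsoft.Graph and
# Az modules are installed and the signed-in account has the needed permissions.
# <subscription-id> and <resource-group> are placeholders for your own values.

Connect-MgGraph -Scopes "Group.ReadWrite.All"
Connect-AzAccount

# 1. Assigned security group, then one RBAC role assignment for the whole group
#    (the "Service Desk" / Virtual Machine Contributor scenario from the notes).
$serviceDesk = New-MgGroup -DisplayName "Service Desk" `
    -MailEnabled:$false -MailNickname "servicedesk" -SecurityEnabled:$true

New-AzRoleAssignment -ObjectId $serviceDesk.Id `
    -RoleDefinitionName "Virtual Machine Contributor" `
    -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"

# 2. Dynamic user group: Azure AD re-evaluates membership whenever
#    user.department changes, so leaving Sales removes the user automatically.
$sales = New-MgGroup -DisplayName "Sales" `
    -MailEnabled:$false -MailNickname "sales" -SecurityEnabled:$true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.department -eq "Sales")' `
    -MembershipRuleProcessingState "On"

# 3. Dynamic device group (security groups only). Device rules use the
#    device.* properties and live in their own group, never mixed with user.*.
$windowsDevices = New-MgGroup -DisplayName "Corporate Windows Devices" `
    -MailEnabled:$false -MailNickname "corpwindevices" -SecurityEnabled:$true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(device.deviceOSType -eq "Windows")' `
    -MembershipRuleProcessingState "On"

# Verify what was stored: the rule text and whether processing is switched on.
Get-MgGroup -GroupId $sales.Id `
    -Property "displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

A newly created group can take a short time to replicate, so the New-AzRoleAssignment call may need to be retried if it reports that the principal was not found. The Get-MgGroup check at the end is the quickest way to confirm that a dynamic rule was saved with processing state "On"; a rule saved as "Paused" is stored but never evaluated, which is a common reason a dynamic group stays empty.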