Organizations large and small struggle with managing membership of groups. When I state ‘groups’, this means Active Directory security groups, Exchange distribution lists, the new Office 365 Groups, SharePoint groups, and many more.
The fundamental problem is that keeping group membership up-to-date and accurate is tough. It is common practice to base membership on department or project team, and these naturally change over time. I’ve written in the past about how this impacts Active Directory attributes, like Job Title and Department, but it also impacts groups. Updating those attributes does not in turn change the membership of groups. Typically in an organization, membership is managed manually by the owner of the group or by individuals electing themselves as members. This often leads to owners and individuals not being removed when their responsibilities, department, location, etc. change.
Managing group memberships can be like sheep herding (Photo by Evelyn Proimos)
Exchange Server has had a feature called dynamic membership for distribution lists for many years now. This has been commonly used to automatically define the members in a group based on conditions.
Examples of the most common conditions are:
- if the user’s department attribute is ‘marketing’, add them to the ‘Marketing Group’
- if the user’s department attribute is ‘marketing’ and location contains ‘USA’, add them to the “USA Marketing Group”
- if the user’s job title attribute includes ‘Director’ or ‘Partner’, add them to the “Executive Group”
- if the user’s skills attribute contains ‘Project Management’, add them to the “Project Management SME Group”
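The four conditions above are exactly what a dynamic membership rule evaluates (in Azure AD the first one is written as `(user.department -eq "Marketing")`). The following is an added example, not code from the original post or from any Microsoft or Hyperfish tool: it re-implements that evaluation in plain Python over a constructed directory, then diffs the computed membership against a stale, manually maintained membership to show who should be added and removed. All user names, groups and attribute values are constructed.

```python
"""Attribute-driven group membership with drift detection (constructed example)."""
from typing import Callable, Dict, List, Set

User = Dict[str, str]
Rule = Callable[[User], bool]

# One rule per group, mirroring the four conditions listed above.
RULES: Dict[str, Rule] = {
    "Marketing Group": lambda u: u["department"].lower() == "marketing",
    "USA Marketing Group": lambda u: u["department"].lower() == "marketing"
    and "usa" in u["location"].lower(),
    "Executive Group": lambda u: any(t in u["title"] for t in ("Director", "Partner")),
    "Project Management SME Group": lambda u: "Project Management" in u.get("skills", ""),
}


def desired_membership(users: List[User], rules: Dict[str, Rule] = RULES) -> Dict[str, Set[str]]:
    """Evaluate every rule against every user; returns group -> set of UPNs."""
    return {group: {u["upn"] for u in users if rule(u)} for group, rule in rules.items()}


def reconcile(current: Dict[str, Set[str]], desired: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Return per-group add/remove lists so the static membership converges on the rules."""
    delta = {}
    for group in set(current) | set(desired):
        have, want = current.get(group, set()), desired.get(group, set())
        delta[group] = {"add": sorted(want - have), "remove": sorted(have - want)}
    return delta


# Constructed directory. alice moved from Marketing to Finance, but the
# manually maintained groups below still list her: the drift the post describes.
USERS: List[User] = [
    {"upn": "alice@example.com", "department": "Finance", "location": "Boston, USA", "title": "Analyst"},
    {"upn": "bob@example.com", "department": "Marketing", "location": "London, UK", "title": "Manager",
     "skills": "Project Management"},
    {"upn": "carol@example.com", "department": "Marketing", "location": "Austin, USA", "title": "Marketing Director"},
    {"upn": "dave@example.com", "department": "Legal", "location": "Chicago, USA", "title": "Partner"},
]
CURRENT_STATIC: Dict[str, Set[str]] = {  # constructed, stale membership
    "Marketing Group": {"alice@example.com", "bob@example.com"},
    "USA Marketing Group": {"alice@example.com"},
    "Executive Group": {"dave@example.com"},
}

if __name__ == "__main__":
    for group, change in sorted(reconcile(CURRENT_STATIC, desired_membership(USERS)).items()):
        print(f"{group}: add {change['add']} remove {change['remove']}")
```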
Azure added a new Premium SKU last year. It costs USD $6 per user per month, which most organizations consider expensive. Some of the key features are dynamic membership, self-service password management, multi-factor authentication, and conditional access.
Now I’m not suggesting your organization should cough up six bucks a user just to get dynamic membership. I think you’ll want to be lighting up at least three of these main features to warrant that. If you do, you should definitely take advantage of it.
One interesting licensing note, though: if only N of your users are added to groups dynamically, only those N users need the Premium SKU. So it may work in your favor if you want to leverage this feature alone.
Dynamic configuration of security-group membership for Azure Active Directory is available in public preview. This allows members to be automatically added to or removed from a security group. These groups can be used to provide access to applications or cloud resources, and to assign licenses to members.
With the speed at which Microsoft is moving with Office 365, the concept of security-group membership management becomes even more compelling. As I’ve written before about Delve, document and people discovery is key. Ensuring that your SharePoint sites, Yammer Groups, Microsoft Teams, and underlying Office 365 Groups are locked down accurately is essential for information security. An organization does not want documents accessible to employees who shouldn’t see them.
I personally think this is a very compelling feature for large organizations. Of course it does require that user attributes are up to date, but that is where Hyperfish can come in. Check out our quick four-minute video to see how we can help.