Azure AD – Dynamic Group Membership and User Creation, based on User Department

Soo, a long name, but a common use case 🙂

I have a client with many departments in their organization. These departments are tied to various policies and applications deployed by Intune, as well as to scripts.

However, assigning each new user to the right groups in Azure Active Directory can be a pain, especially when there are so many of them.

So the client asked me whether we could automate the process, and this is how I did it. The following screenshots are from my demo tenant, where I replicated the settings.

All of my users are based in Switzerland, so the usageLocation attribute is always “CH”.

In the M365 Admin Center (admin.microsoft.com), go to Users -> Active Users -> User Templates -> Add Template.

On the first page, give the template a name, like “Team Member Switzerland HR”, and a description for other admins who may want to use it.

On “Set up the basics”, select the password settings that best suit your organization and click “Next”.

Under “Assign Licenses” I selected “Don’t assign”, as this is just a demo tenant and I have no free ones, but you can assign one based on the services your organization has purchased.

On “Optional Settings”, add the department under “Department” (in my example “HR”) and the Country (which later becomes the usageLocation attribute), then click “Next”.

Click “Finish” and complete the template creation.

Now you should see the template under “User Templates”. To create new users from it, just click on it.

You only need to give the user a Display Name and User Name; all other fields are populated from the template (Department and Location).
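If you would rather script the same user creation than click through the template, here is an added example (not from the original post) using the Microsoft Graph PowerShell SDK. It sets exactly the attributes the template fills in (Department, UsageLocation, Country), then reads them back so you can confirm the values a dynamic membership rule will later evaluate. The display name, UPN domain and password prompt are placeholders, and the HR / CH values are the ones used in this post.

```powershell
# Added example, not part of the original post.
# Creates a user with the attributes the "Team Member Switzerland HR" template would set.
# Requires the Microsoft.Graph.Users module (Install-Module Microsoft.Graph.Users).

Connect-MgGraph -Scopes "User.ReadWrite.All"

# Values the template populates (from the post: HR department, usageLocation CH)
$Department    = "HR"
$UsageLocation = "CH"
$Country       = "Switzerland"

# Per-user input, the only two fields the template asks for (constructed placeholders)
$DisplayName = "Jane Example"
$Upn         = "jane.example@contoso.example"   # placeholder tenant domain

# Prompt for the initial password instead of hard-coding it in the script
$InitialPassword = Read-Host "Initial password for $Upn"

$user = New-MgUser -DisplayName $DisplayName `
    -UserPrincipalName $Upn `
    -MailNickname ($Upn.Split("@")[0]) `
    -AccountEnabled `
    -PasswordProfile @{ Password = $InitialPassword; ForceChangePasswordNextSignIn = $true } `
    -Department $Department `
    -UsageLocation $UsageLocation `
    -Country $Country

# Check: read back the attributes that the dynamic group rule will match on.
# If department or usageLocation is empty here, the user will never land in the group.
Get-MgUser -UserId $user.Id -Property "displayName,department,usageLocation,country" |
    Select-Object DisplayName, Department, UsageLocation, Country
```

Because group membership is derived entirely from these two attributes, the read-back at the end is the check worth keeping in any onboarding script: a typo such as “H R” or a missing usageLocation silently leaves the user outside every department group.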

Now it’s time for the groups in Azure AD.

Create a new group (mine is called Department-HR) with Dynamic Membership Type. As the rule, submit (user.department -eq "HR") and (user.usageLocation -eq "CH") (use straight double quotes in the rule editor; curly quotes copied from a web page will not parse).

In a few minutes you should see the members being populated according to their department.

Tip: If there are users who belong to two or more departments (like Finance and HR), you can edit the group membership rule and replace the -eq operator with -contains, then set the user’s Department to something like “HR, Finance”, so that the user becomes a member of more than one group.

Make sure there are no conflicting policies between the groups a user ends up in.
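The same group, created and then checked from PowerShell, as an added example that is not part of the original post. It builds the dynamic security group with the rule from above, shows the -contains variant from the tip, and then compares the members the rule produced against a plain attribute filter, which is the quickest way to spot a rule that matches more (or fewer) users than you intended. The group name and rule values are the ones from this post; the module names and scopes are the standard Microsoft Graph PowerShell ones.

```powershell
# Added example, not part of the original post.
# Creates the dynamic group "Department-HR" with the rule from the post and checks its members.
# Requires Microsoft.Graph.Groups and Microsoft.Graph.Users.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Rule text must use straight double quotes inside single-quoted PowerShell strings
$Rule = '(user.department -eq "HR") and (user.usageLocation -eq "CH")'

$group = New-MgGroup -DisplayName "Department-HR" `
    -Description "Dynamic: HR department, usageLocation CH" `
    -MailEnabled:$false `
    -MailNickname "Department-HR" `
    -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $Rule `
    -MembershipRuleProcessingState "On"

# Variant from the tip for users in several departments: with -contains, a Department
# value such as "HR, Finance" matches both Department-HR and Department-Finance.
# Caveat: -contains is a substring match, so any department name that happens to
# contain "HR" (not only the exact word) would match too; keep department names distinct.
$ContainsRule = '(user.department -contains "HR") and (user.usageLocation -eq "CH")'
Update-MgGroup -GroupId $group.Id -MembershipRule $ContainsRule

# Check 1: what the rule actually produced. Membership is evaluated asynchronously,
# so run this a few minutes after creating or changing the rule.
$ruleMembers = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# Check 2: what a plain filter on the same attributes returns
$expected = Get-MgUser -All -Filter "department eq 'HR' and usageLocation eq 'CH'" |
    Select-Object -ExpandProperty UserPrincipalName

# Anyone in one list but not the other is either a stale evaluation or a rule that
# is broader/narrower than intended (e.g. the substring effect of -contains).
Compare-Object -ReferenceObject $expected -DifferenceObject $ruleMembers
```

Running the comparison after every rule change is a cheap control: the policies and Intune deployments hang off these groups, so a rule that quietly matches an extra department pushes those deployments to people who should not receive them. Also keep in mind that anyone who can edit a user’s Department attribute can move that user between these groups, so dynamic groups of this kind are suited to departmental policy and application assignment rather than to privileged access.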

Thanks for reading 🙂
