Dynamic Security Groups are possibly one of my favourite things for so many reasons. Not only do they allow you to automate access, policies, user licensing, but in SharePoint you can use them to target content to specific audiences. Dynamic Security groups and Audience Targeting are a match made in heaven and can provide a rich, customised experience across SharePoint. It does, however, rely on you having reliable and up-to-date security groups that contain the right users. Therefore, in this post, I will show how to bulk create dynamic security groups in PowerShell using any user attribute you choose. This will allow you to start making use of dynamic groups without having to manually create them!
Bulk Create your Groups
As you probably already know, dynamic groups let you define a set of rules that determine who becomes a member. For use with things like audience targeting in SharePoint you generally just want a set of groups for each department, region or office location etc. These are all user attributes that you most likely have available in Azure AD it’s just a case of creating the groups – but that is an extremely boring and tedious task!
I have therefore written a little script that will let you select a user attribute and automatically create a dynamic group for each value for that attribute in your Azure AD directory. If you just want to download the script, a link to the GitHub can be found at the end of this post.
The Script
First, assign the name of the user attribute you would like to use to the attribute variable. You can also optionally define a standard prefix and/or suffix for the names of the groups that will be created. In this example, I am going to use Department as the user attribute and give the group names a standard prefix of ‘sg-dyn-dept-‘.
$attribute = "Department" # Change to the attribute you would like to use
$displayNamePrefix = "sg-dyn-dept-" # Optionally set a Prefix for the group name
$displayNameSuffix = "" # Optionally set a Suffix for the group name
Next, the script will go off and get all users from your directory and extract a unique list of the values of the attribute you have defined above. In this example, I will get a unique list of all departments currently assigned to users.
$users = Get-AzureADUser -All $true
$uniqueList = $users | select $attribute -Unique | ? $attribute -ne $null
Now the script will loop through each of these unique values and create a dynamic group for each one. Before it does so, it first defines the name of the group by removing illegal characters and spaces, and the adding the prefix and suffix as defined at the start.
$cleanName = ($_) -replace '[*\\~;(%?.:@/,&+-]' -replace ' '
$displayName = $displayNamePrefix + $cleanName + $displayNameSuffix
Then just does the creation.
$args = @{
DisplayName = $displayName
Description = "Dynamic Group for $($_)"
MailEnabled = $false
MailNickname = "dynamicGroup"
SecurityEnabled = $true
GroupTypes = "DynamicMembership"
MembershipRule = "(user.$($attribute) -eq ""$($_)"")"
MembershipRuleProcessingState = "On"
}
$dg = New-AzureADMSGroup @args
Write-Host "Group Created: $displayName"
Easy as that. I never claimed it was a complicated or clever script!
Download
To download the full script and any future updates I may make, you can find it on GitHub here.