Skip to main content

help.mail.colostate.edu logo

CSU Logo - click to visit the CSU homepage


Azure Active Directory Groups

Azure Active Directory is a cloud hosted directory availble for authentication and authorization of many services including Microsoft 365. Azure Active Directory (AAD) groups are useful for authorization of various services configured to access Azure for authentication. Many Azure AD groups are created by Microsoft 365 services like Teams and Distribution Lists as well as some campus systems like Grouper. Many Exchange related groups are synchronized from on-premises Active Directory and these groups can only be updated locally with changes replicated up to Azure. Azure AD groups can be manually created by Departmental Resource Coordinators using the Resource Coordinator Tools. When an Azure AD group is created, the requester is set as an owner. Group owners have the ability to manage group membership and the owners list using the Azure Portal. Azure AD group membership types includ assigned membership, dynamic users and dynamic devices. Assigned membership is the default group type and Resource Coordinators can request the membership type be chaged using the Resource Coordinator Tools website. Note: Azure AD groups created via the Resource Coordinator Tools should be renamed or deleted via the campus website, not the Azure management portal. Azure AD groups renamed using other methods are periodically reset to their original name by script.

Azure Active Directory Group FAQs

Who can create Azure AD groups?

Azure AD Groups can be created by departmental Resource Coordinators. The resource coordinator is set as the owner and can use the Azure management portal to add owners and members.

Note for Azure AD Group Owners: Do NOT use the Azure management portal to change group names (automated processes will set it back to the original name) or to delete the group. If a group needs to be removed, it should be deleted using the "Delete Azure AD Group" tool in the Resource Coordinator Tools.

How can owners manage Azure AD groups?

Azure AD groups manually created via the Resource Coordinator Tools are managed by group owners using the Azure Management Portal or with PowerShell modules provided by Microsoft. Note that name changes and deletes should only be done using the Resource Coordinator Tools.

What is the difference between Azure Group type "Security" and "M365"?

All Azure AD groups managed via the Resource Coordinator Tools are security groups. M365 groups have special mail related function and are used by services like Teams. Azure AD group type cannot be changed after creation.

What is the difference between "Assigned" vs "Dynamic user" vs "Dynamic device" group membership?

Azure AD Group membership is controlled in one of several different ways. The default method is "Assigned" where an owner specifies what obects are group members. "Dynamic user" and "Dynamic device" membership types allow the owner to define a rule to automatically populate group members based on directory attributes like display name. Groups with Dynamic membership rules are updated automatically as new objects matching the rules are added to the directory. Group membership type is changed via the Modify Azure AD Group link in the Resource Coordinator Tools. That generates a ticket for ACNS staff to review and implement the change. Check this Microsoft article on building dynamic membership rules.

Can the Azure AD group membership type be changed (e.g. Assigned, Dynamic user, Dynamic device?

Resource Coordinators can change manually created Azure AD groups using the Azure Management Portal or using PowerShell modules provided by Microsoft. Group type is set to 'Assigned' by defalt and can be changed using the 'Modify Azure AD Group' link in the Resource Coordinator Tools.

Can e-mail be sent to an Azure AD group?

Azure AD security groups are not mail enabled. If you need a group that can serve as a mail list, use the Resource Coordinator Tools to create a Distriubtion List