Scenario
You wish to deploy the Signature 365 Add-in to your users in an automated method, but wish to retain the ability to exclude users from the deployment
Solution
It is possible to create a security group using dynamic group membership to accomplish this. This will ensure that group membership is updated automatically by Entra ID for new users, and enable you to exclude specific users to remove the add-in if required.
You can also use this method with on-premise Active Directory extension attributes syncronised with Entra ID.
Warning!
This guide is intended for use by Entra ID Administrators, and will require Administrative rights for your Entra ID tenant to complete these steps.
- Log on to your Entra ID tenant at the Azure Portal
- Select Microsoft Entra ID
- Select Manage then Groups
- Select the New group option to create a new group
- Ensure the group type is set as Security, and set the group name as you require
- Set the Membership type dropdown to Dynamic User
- Select the add dynamic query link
Selecting a property to filter users allows you to exclude or include specific users or groups. The following query examples detail how this can be used.
- Match all users based on email domain
- Add an additional expression to exclude a specific user from the group
- Use an extension attribute to match all users based on an on-premise AD attribute
Using the Validate Rules function, the dynamic rule can be tested to ensure the correct users are being included in the rule
- Once you have confirmed the rule is correct, hit the Save button to create the new rule.
Dynamic rules can be modified to include additional expressions after they are created.
Please note that dynamic rules are not immediately processed by Entra ID. Microsoft advise that updates are expected to process for all dynamic groups within 24 hours of changes being made. You can learn more about this here: Microsoft Learn