
Microsoft Entra ID dynamic groups using an AD organizational unit


We always wanted to create dynamic groups in Azure based on the organizational units in our on-premises Active Directory.


In this post, I will explain how we can do that. Earlier, the barrier with dynamic queries was always whether a particular attribute was supported in the group's dynamic membership query. I see that onPremisesDistinguishedName is now listed as a supported attribute.


Let's see how onPremisesDistinguishedName can come to our rescue.


Let's say that we want all users in the IT OPS organizational unit to be added dynamically to a group in Azure AD, aka Entra ID.



Now, since the supported attribute is onPremisesDistinguishedName, we cannot simply put the whole DN path into the rule: that results in an error like the one below, because the value will not match the rule/condition we have put in.



What we need is the advanced rule builder, where we can use an operator like "Contains" to match our rule.


Example: User.property -contains "string"

This evaluates to true if the property contains our string.


While trying different methods, I found the easiest way is to simply replace the string with the OU path. The full DN path of the user also contains the CN, which we don't need and cannot include in the rule. Hence, just copy the part of the DN path starting at your OU and put it in the rule.


Our Rule: (user.onPremisesDistinguishedName -contains "OU=IT OPS,DC=raman,DC=tk")


Use the Edit button in the advanced rule builder to edit the rule.



Let's validate this rule now:



Let's try validating it against another OU, HR. I have created a user, Rangoli maker, in the HR OU (PUN INTENDED).




Let's validate: as expected, the rule is working fine.
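To see what the -contains rule above actually does, here is an added Python model of it (my own example, not code from the post or from Microsoft) run over constructed sample accounts in the post's raman.tk domain. It shows that the rule also picks up users in child OUs under IT OPS and that leaving the DC components off the string would match an OU named "IT OPS2"; the stricter direct-member check is plain Python to illustrate the gap, not an Entra rule operator, and case-insensitive matching is an assumption to confirm with Validate Rules.

```python
# The search string exactly as written in the rule in the post.
TARGET_OU = "OU=IT OPS,DC=raman,DC=tk"

# Constructed sample accounts (not real directory data).
# None models a cloud-only user whose onPremisesDistinguishedName is empty.
SAMPLE_USERS = {
    "raman": "CN=Raman,OU=IT OPS,DC=raman,DC=tk",
    "rangoli": "CN=Rangoli maker,OU=HR,DC=raman,DC=tk",
    "svc-backup": "CN=svc-backup,OU=Service Accounts,OU=IT OPS,DC=raman,DC=tk",
    "temp": "CN=Temp,OU=IT OPS2,DC=raman,DC=tk",
    "cloud-only": None,
}


def rule_contains(dn, needle=TARGET_OU):
    """'-contains' as the post describes it: true when the attribute value has
    the string anywhere inside it. Case-insensitive comparison is an assumption
    here; confirm the behaviour with Validate Rules in your own tenant."""
    return dn is not None and needle.lower() in dn.lower()


def split_rdns(dn):
    """Split a DN into its RDNs on unescaped commas (RFC 4514 '\\,' escaping)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def direct_member_of_ou(dn, ou=TARGET_OU):
    """Stricter check in plain Python (not Entra rule syntax): the only RDN in
    front of the OU is the object's CN, so users in child OUs such as
    'OU=Service Accounts,OU=IT OPS,...' are excluded."""
    if dn is None:
        return False
    rdns = split_rdns(dn)
    return (len(rdns) >= 2 and rdns[0].upper().startswith("CN=")
            and ",".join(rdns[1:]).lower() == ou.lower())


def evaluate(users=SAMPLE_USERS):
    """Map each account to (matches the post's rule, is a direct member of the OU)."""
    return {name: (rule_contains(dn), direct_member_of_ou(dn)) for name, dn in users.items()}
```

Running evaluate() shows svc-backup as (True, False): the rule includes it because its DN ends with the IT OPS path, even though it lives in a child OU.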





Conclusion: KEEP COOKING IN YOUR LABS AND KEEP BAKING YOUR SCRIPTS.



