Use Dynamic Groups to access SharePoint Online sites

2022-06-21 | Martina Grom

Sometimes organizations want to make certain data available to a set of users that is defined by attributes rather than by a manually maintained list. The good news is that SharePoint Online supports Azure AD Dynamic Groups for exactly that. Here is a step-by-step guide that shows how it works.

With Dynamic Groups, members are added and removed automatically based on user attributes, for example whether a user property is set or whether the user belongs to a certain department. This is very useful if only certain users should be members of such a group, especially in large companies where maintaining group membership by hand does not scale. In this short article, we create a new Dynamic Group in Azure AD and assign the group to a SharePoint Online site.

Create a Dynamic Group

First, we create a new Dynamic Group in the Azure portal, in the Azure Active Directory of the M365 tenant. Open Azure Active Directory, navigate to Groups and click on New group.


We select Group type Security, assign a name (here: EmployeesOnly), and select Membership type Dynamic User.


Then, we add a dynamic query that defines the rules for the dynamic membership.

Now we can create an expression, the filter(s), by modifying the existing first row, or by clicking on Add expression for multiple rules. In this sample, we want our group EmployeesOnly to include only users who have an EmployeeId set.


This is a special case because we compare against $null: we want every user who has any value at all in the EmployeeId property. The rule builder puts quotes around the value, so we open the rule text with the Edit link and remove the quotes. The expression should look like this:

(user.employeeId -ne $null)

We can use $null for almost all user properties, for example (user.extensionAttribute1 -eq "$null"), and of course direct comparisons like user.department -eq "IT", regular expressions like user.displayName -match "ch.*", and so on. The full rule syntax and more samples are listed in Dynamic membership rules for groups in Azure Active Directory.


We click Ok, and Save the dynamic rule.


The group will be created with the Create button.

Check the membership

Important: give the group some time! Usually the group shows its members within a few minutes. If you don't see the expected result, wait and retry.

In this sample, we see that there are 3 users who have an EmployeeId set: Adele, Alex and Megan.

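The same two steps (create the dynamic group, then check that the rule produced the members you expect) can be scripted with Microsoft Graph PowerShell, which is handy when you want to repeat this in several tenants or verify the result instead of eyeballing the portal. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, that you can consent to Group.ReadWrite.All and User.Read.All, and that the group name and membership rule are the ones used above. Variable names and the 10-minute polling window are illustrative.

```powershell
# Added example (not from the original article): create the EmployeesOnly
# dynamic group with Microsoft Graph PowerShell and check who landed in it.
# Assumes the Microsoft.Graph module is installed and you can consent to
# Group.ReadWrite.All and User.Read.All. Group name and rule match the article;
# everything else (variable names, polling window) is illustrative.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$groupName = "EmployeesOnly"
# The rule from the article. Single quotes keep $null literal so PowerShell
# does not expand it to an empty string before Azure AD ever sees the rule.
$rule = '(user.employeeId -ne $null)'

# Security group (not mail-enabled) with dynamic user membership.
$group = New-MgGroup -DisplayName $groupName `
    -MailEnabled:$false `
    -MailNickname $groupName `
    -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

Write-Host "Created group $($group.DisplayName) ($($group.Id))"

# employeeId is not returned by default, so request it explicitly. This is the
# set the rule should produce once Azure AD has finished evaluating it.
$expected = Get-MgUser -All -Property Id, DisplayName, EmployeeId |
    Where-Object { -not [string]::IsNullOrEmpty($_.EmployeeId) }

# Membership is evaluated asynchronously; poll instead of assuming it is instant.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $members = Get-MgGroupMember -GroupId $group.Id -All
} until ($members.Count -ge $expected.Count -or (Get-Date) -gt $deadline)

$memberIds = $members | ForEach-Object Id
"Expected {0} users with an EmployeeId, group currently has {1} members" -f $expected.Count, $memberIds.Count

# Flag drift in both directions: users with an EmployeeId that are not (yet)
# in the group, and members that should not be there according to the directory.
$expected | Where-Object { $memberIds -notcontains $_.Id } |
    ForEach-Object { "MISSING:    $($_.DisplayName)" }
$members | Where-Object { $expected.Id -notcontains $_.Id } |
    ForEach-Object { "UNEXPECTED: $($_.Id)" }
```

The comparison at the end is the part worth keeping around: a dynamic group that grants access to a site is only as trustworthy as the attribute it keys on, so a scheduled run of the MISSING/UNEXPECTED check tells you when HR data and site access have drifted apart.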

Assign the Dynamic Group to a SharePoint site

Now we open the SharePoint site and click on the Share link in the top right corner.


Now we search for the Dynamic Group EmployeesOnly.


Then we define which permissions the group members shall get on that site. If necessary, we change the permission to Edit.


We click on Share. When done, we can check (and modify) the permissions in the site's default SharePoint groups (Owners, Members, Visitors).


Now let's test the permissions. The Administrator is owner of the site, and Adele, Alex and Megan should have access to the site as members as well, while other users have no access.
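The Share dialog above puts the dynamic group into the site's Members group, which carries the Edit permission level. The same assignment, plus a check that the group really landed where you expect and nowhere else, can be done with PnP PowerShell. This is an added example and not code from the original article; it assumes PnP.PowerShell is installed, that the signed-in account is a site owner, and that the site URL, app registration id and the dynamic group's object id are placeholders you replace with your own.

```powershell
# Added example (not from the original article): grant the EmployeesOnly
# dynamic group Edit rights on a site with PnP.PowerShell and verify it.
# Assumes PnP.PowerShell is installed and the account is a site owner.
# Site URL, client id and group object id are placeholders.
$siteUrl       = "https://contoso.sharepoint.com/sites/EmployeesOnly"   # placeholder
$clientId      = "00000000-0000-0000-0000-000000000000"                 # placeholder app registration
$groupObjectId = "11111111-1111-1111-1111-111111111111"                 # placeholder: Azure AD object id of EmployeesOnly

Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $clientId

# SharePoint addresses an Azure AD security group through its claim, not its
# display name; for a security group the claim is c:0t.c|tenant|<object id>.
$groupClaim = "c:0t.c|tenant|$groupObjectId"

# Add the dynamic group to the site's built-in Members group, which carries the
# Edit permission level. This is what the article's Share dialog does.
$membersGroup = Get-PnPGroup -AssociatedMemberGroup
Add-PnPGroupMember -Identity $membersGroup -LoginName $groupClaim

# Verify: the claim is listed as one principal of the Members group. The
# dynamic group's users themselves never appear here; SharePoint resolves them
# through Azure AD when the user opens the site.
Get-PnPGroupMember -Identity $membersGroup |
    Select-Object Title, LoginName, PrincipalType

# Least privilege check: make sure the dynamic group is not also sitting in
# Owners (Full Control) or any other SharePoint group on this site.
foreach ($g in Get-PnPGroup) {
    if ((Get-PnPGroupMember -Identity $g).LoginName -contains $groupClaim) {
        "Dynamic group is a member of SharePoint group: $($g.Title)"
    }
}
```

If the last loop prints more than the Members group, someone has granted the dynamic group a second, probably broader, permission level; every user who later gets an EmployeeId would inherit that too, which is the kind of silent privilege growth attribute-based groups make easy.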

Test the access

If we sign in as Adele, her membership in the Dynamic Group gives her access to the site.

Note: It might take some minutes until the access works. If the user does not get access, wait and retry!


Other users, like Diego, who do not have permission to the site (users who are not members of the Dynamic Group) get a message saying "You need permission to access this site.". They can request access, and the SharePoint site owner has to grant permissions if needed.


Note: When we set an EmployeeId for user Diego, it usually takes about two minutes (depending on the tenant size and the rules) until the user shows up as a member of the Dynamic Group. The SharePoint site may also need additional time to pick up the new member. Diego can sign out, sign in again and retry. So if access doesn't work, be patient and try again a little later.

Use the Everyone group in SharePoint Online

There is also a predefined principal in every M365 tenant named Everyone. Strictly speaking it is a built-in SharePoint claim rather than an Azure AD Dynamic Group, but it can be used the same way to share a SPO site with all users in the tenant. Note that Everyone also matches guests who have accepted an invitation; if guests must be excluded, use the sibling claim Everyone except external users instead.


Note: If the Everyone group does not show up in SharePoint for some reason, there is an untested solution from the Tech Community that makes the claim visible in the People Picker again with PowerShell, see "Everyone" Dynamic Group not appearing for share in Sharepoint Online:

Set-SPOTenant -ShowEveryoneClaim $true
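Before flipping that switch it is worth reading the current state and deciding which of the two claims you actually want users to see, because the setting is tenant-wide and the plain Everyone claim also covers guests. The following is an added example, not part of the original article or the Tech Community post; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the account is a SharePoint administrator, and that the admin URL is a placeholder.

```powershell
# Added example (not from the original article): inspect which "Everyone"
# claims the tenant exposes in the People Picker, then enable the one that
# matches the intent. Assumes Microsoft.Online.SharePoint.PowerShell is
# installed and the account is a SharePoint administrator; the URL is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder

$tenant = Get-SPOTenant
"Everyone claim visible:                       $($tenant.ShowEveryoneClaim)"
"Everyone except external users claim visible: $($tenant.ShowEveryoneExceptExternalUsersClaim)"
"External sharing capability:                  $($tenant.SharingCapability)"

# The article's fix re-enables the plain Everyone claim:
#   Set-SPOTenant -ShowEveryoneClaim $true
# Everyone also matches guests who accepted an invitation, Everyone except
# external users does not. For "every employee, no guests" the latter is the
# safer claim to expose, so enable it explicitly.
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $true

# Re-read the tenant to confirm the change took effect.
(Get-SPOTenant).ShowEveryoneExceptExternalUsersClaim
```

Hiding a claim with these switches only removes it from the People Picker; permissions that were already granted to Everyone on existing sites stay in place, so an audit of those sites is a separate step.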

Summary

We see that dynamic groups can be very helpful, also for assigning permissions in SharePoint sites. I hope this step-by-step article will help administrators reduce their administration overhead with permissions in SharePoint Online.

Categories: Azure, Cloud, English, Microsoft, Microsoft365, Office365, Security, SharePoint

Source: https://blog.atwork.at/post/Dynamic-groups-accessing-SharePoint-Online