Create a dynamic group with all your global and user admins

A few days back, a question over at the MTC prompted me to think about adding all (or some of) your administrative accounts to a dynamic group in Office 365. The dynamic part is the key here: you should not be required to manually adjust the membership of the group as new admins are added or removed.

Those of you that are using the MCAS solution are probably familiar with the default Office 365 administrator group, which includes all the Company administrators, user account administrators, helpdesk administrators, service support administrators, and billing administrators in the tenant. That was actually the example used in the question; however, the ask was to include just some of those admin accounts, for example all the Global Admin and User management admin accounts. The way MCAS populates the membership of said group is by periodically importing the relevant role members from Azure AD. It’s not that hard to come up with a PowerShell script that does the same and runs on, say, a one-hour schedule, which is certainly one of the options you could consider.

If you are looking for a truly dynamic group, however, things are a bit messier. As the Office 365/Azure AD roles are governed by the corresponding MSOnline/Azure AD PowerShell cmdlets or API calls, the obvious starting point for this task would be the Dynamic membership feature for groups in Azure AD. However, the list of properties we can build the membership rule with is somewhat limited, and none of them can be used to directly select members of a particular admin role. Sure, you can assign a custom value to some other attribute and filter based on it, but that still involves manually touching the objects, so it’s not what I was looking for.

The same applies to using dynamic groups in Exchange Online: none of the attributes we can filter on directly can be used to single out just the admin accounts we are interested in. But those of you that are familiar with Exchange Online RBAC controls know that a few very special groups exist there. Similarly to the MCAS Office 365 administrator group, the membership of these groups is automatically synced across the service. To get the list of such groups, you can use something like:

Get-RoleGroup | ? {$_.Name -match "TenantAdmins_|HelpdeskAdmins_"} | ft Name,DisplayName,Description

Name                     DisplayName            Description
----                     -----------            -----------
TenantAdmins_-25616952   Company Administrator  Membership in this role group is synchronized across services and managed centrally. This role group is not manageable through Microsoft Exchange.
HelpdeskAdmins_458699984 Helpdesk Administrator Membership in this role group is synchronized across services and managed centrally. This role group is not manageable through Microsoft Exchange.

Or the same via the Get-Group cmdlet:

Get-Group | ? {$_.Name -match "TenantAdmins_|HelpdeskAdmins_"}

Name                     DisplayName            SamAccountName           GroupType
----                     -----------            --------------           ---------
TenantAdmins_-25616952   Company Administrator  TenantAdmins_-25616952   Universal, SecurityEnabled
HelpdeskAdmins_458699984 Helpdesk Administrator HelpdeskAdmins_458699984 Universal, SecurityEnabled

Although you cannot use the Get-DistributionGroupMember cmdlet to list members of these groups, you can examine the Members property or use a filter based on the MemberOf property:

Get-User -Filter "MemberOfGroup -eq 'CN=TenantAdmins_-25616952,,OU=Microsoft Exchange Hosted Organizations,DC=EURPR08A007,DC=PROD,DC=OUTLOOK,DC=COM'"

Name             RecipientType
----             -------------
MODAdministrator User
NestorW          User
IsaiahL          User
MeganB           User
LidiaH           User

Or the same via the Get-Recipient cmdlet:

Get-Recipient -RecipientPreviewFilter "MemberOfGroup -eq 'CN=TenantAdmins_-25616952,,OU=Microsoft Exchange Hosted Organizations,DC=EURPR08A007,DC=PROD,DC=OUTLOOK,DC=COM'"

Not every admin will have an Exchange license however, so you shouldn’t expect all of them to appear in the output of the last cmdlet, as they might not be recognized as valid recipients.

So where does all this leave us? Well, based on the filter used above, we can create a new Dynamic distribution list:

New-DynamicDistributionGroup AdminsDDG -RecipientFilter "MemberOfGroup -eq 'CN=TenantAdmins_-25616952,,OU=Microsoft Exchange Hosted Organizations,DC=EURPR08A007,DC=PROD,DC=OUTLOOK,DC=COM'"

The membership of the list should match the membership of the role group and more importantly, should be updated to reflect new users added to the corresponding admin role. If needed, you can combine more than one role in the filter by using the -or operator.

The only problem is that, being a distribution group and not a security principal, you cannot use the newly created dynamic group to delegate any sort of permissions. The only use you have for it is sending mail, which after all might be something you want for configuring various types of alerts and notifications. Don’t forget that you can always amend the filter of the dynamic group to include other recipients, for example members of other “synced” groups:

Get-RoleGroup | ? {$_.Name -match "Admins_|Readers_"}

Name                         AssignedRoles RoleAssignments ManagedBy
----                         ------------- --------------- ---------
HelpdeskAdmins_02adb         {}            {}              {Organization Management}
TenantAdmins_c25d1           {}            {}              {Organization Management}
SecurityReaders_-2089696204  {}            {}              {Organization Management}
ComplianceAdmins_-1672988522 {}            {}              {Organization Management}
SecurityAdmins_-417435872    {}            {}              {Organization Management}
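Putting the above together, here is an added example (not from the original post) that resolves several of the synced role groups by name prefix, builds one RecipientFilter joining their MemberOfGroup clauses with -or, creates or refreshes the dynamic distribution group, and previews the resulting membership. It assumes an existing Exchange Online PowerShell session; the prefix list and the group name AdminsDDG are my own choices.

```powershell
# Added example, not the post's own code. Assumes Connect-ExchangeOnline has
# already been run. Builds one dynamic distribution group from several of
# the "synced" role groups (TenantAdmins_, HelpdeskAdmins_, ...).

# Role-group name prefixes to include (constructed list, adjust as needed).
$rolePrefixes = @('TenantAdmins_', 'HelpdeskAdmins_', 'SecurityAdmins_')
$ddgName      = 'AdminsDDG'   # hypothetical group name

# The synced role groups carry a tenant-specific numeric suffix, so match on
# the prefix instead of hard-coding the full name.
$pattern    = '^(' + (($rolePrefixes | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'
$roleGroups = Get-RoleGroup | Where-Object { $_.Name -match $pattern }
if (-not $roleGroups) { throw "No synced role groups matched pattern $pattern" }

# One MemberOfGroup clause per role group, combined with -or as the post
# describes. The DN is read from the object, so nothing is typed by hand.
$clauses = $roleGroups | ForEach-Object {
    "MemberOfGroup -eq '$($_.DistinguishedName)'"
}
$filter = '(' + ($clauses -join ') -or (') + ')'
Write-Host "RecipientFilter: $filter"

# Create the group on the first run; afterwards only refresh the filter so a
# changed prefix list (or re-created role group) is picked up.
$existing = Get-DynamicDistributionGroup -Identity $ddgName -ErrorAction SilentlyContinue
if ($existing) {
    Set-DynamicDistributionGroup -Identity $ddgName -RecipientFilter $filter
} else {
    New-DynamicDistributionGroup -Name $ddgName -RecipientFilter $filter | Out-Null
}

# Preview who the filter resolves to right now. Admins without an Exchange
# license will be absent, since they are not valid recipients.
$preview = Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited
$preview | Select-Object Name, RecipientType, PrimarySmtpAddress | Format-Table -AutoSize
```

Re-running the script is safe: it only updates the filter on an existing group, and the preview lets you compare the resolved list against the role group membership before relying on the address for alerts.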
