Microsoft 365 - Groups
-
Azure: Azure Active Directory Groups
Azure AD (AAD) is a cloud-hosted directory available for authentication and authorization of many services, including Microsoft 365. Azure AD groups are useful for authorizing the various services configured to use Azure for authentication. Many Azure AD groups are created by Microsoft 365 services like Teams and Distribution Lists, as well as by some campus systems like Grouper. Many Exchange-related groups are synchronized from on-premises Active Directory; these groups can only be updated locally, with changes replicated up to Azure.

Azure AD groups can be manually created by departmental Resource Coordinators using the Resource Coordinator Tools. When an Azure AD group is created, the requester is set as an owner. Group owners can manage the group membership and the owners list using the Azure Portal. Azure AD group membership types include assigned membership, dynamic users and dynamic devices. Assigned membership is the default, and Resource Coordinators can request a change of membership type using the Resource Coordinator Tools website.

Note: Azure AD groups created via the Resource Coordinator Tools should be renamed or deleted via the campus website, not the Azure management portal. Azure AD groups renamed using other methods are periodically reset to their original name by script.

Azure Active Directory Group FAQs

Who can create Azure AD groups?
Azure AD groups can be created by departmental Resource Coordinators. The Resource Coordinator is set as the owner and can use the Azure management portal to add owners and members.

Note for Azure AD group owners: Do NOT use the Azure management portal to change group names (automated processes will set the name back to the original) or to delete the group. If a group needs to be removed, delete it using the "Delete Azure AD Group" tool in the Resource Coordinator Tools.

How can owners manage Azure AD groups?
Azure AD groups manually created via the Resource Coordinator Tools are managed by group owners using the Azure Management Portal or the PowerShell modules provided by Microsoft. Note that name changes and deletions should only be done using the Resource Coordinator Tools.

What is the difference between the Azure group types "Security" and "M365"?
All Azure AD groups managed via the Resource Coordinator Tools are security groups. M365 groups have special mail-related functions and are used by services like Teams. The Azure AD group type cannot be changed after creation.

What is the difference between "Assigned", "Dynamic user" and "Dynamic device" group membership?
Azure AD group membership is controlled in one of several ways. The default method is "Assigned", where an owner specifies which objects are group members. The "Dynamic user" and "Dynamic device" membership types let the owner define a rule that automatically populates the group based on directory attributes such as display name. Groups with dynamic membership rules are updated automatically as new objects matching the rules are added to the directory. The membership type is changed via the "Modify Azure AD Group" link in the Resource Coordinator Tools, which generates a ticket for ACNS staff to review and implement the change. See Microsoft's article on building dynamic membership rules.

Can the Azure AD group membership type be changed (e.g. Assigned, Dynamic user, Dynamic device)?
Resource Coordinators can change manually created Azure AD groups using the Azure Management Portal or the PowerShell modules provided by Microsoft. The membership type is set to "Assigned" by default and can be changed using the "Modify Azure AD Group" link in the Resource Coordinator Tools.

Can e-mail be sent to an Azure AD group?
Azure AD security groups are not mail-enabled. If you need a group that can serve as a mail list, use the Resource Coordinator Tools to create a Distribution List.
-
Azure Active Directory Naming Conventions
Because AAD is a downstream system provisioned from multiple sources, the DIVISION OF IT decided to manage the namespace for AAD objects in an attempt to avoid confusion and namespace collisions. Currently (6/2020) these systems and manual processes create and manage objects in AAD:

ADConnect – synchronizes users (NetIDs) and groups from the Exchange Resource Coordinator Tools (RCT) that are also in local AD. Also includes Grouper class enrollment groups.
Exchange Resource Coordinator Tools – users can create groups in local AD that are synchronized into AAD using approved prefixes.
Grouper – enrollment groups enforce a naming convention based on class and semester data.
M365 Licensing management system – a process developed to manage licensing for users in our tenant.
InTune – groups to delegate permissions for device management (cloud only).
CSU Azure tenant management – users and groups used by the DIVISION OF IT to delegate permissions on Azure subscriptions (cloud only).
Global Admin/Tenant Admin Users – DIVISION OF IT management accounts used to configure and manage O365/M365/Azure (cloud only).

Manually Creating Azure Active Directory Objects

Manually created, cloud-only users, groups, etc. should always use one of the following prefixes, which MUST be followed by an underscore '_' to avoid collision with similar prefixes (e.g. RAMS and RAMSKELLER):

AZURE
M365
MEM_CSU
O365
RAMS (reserved for future use; may be removed from the list and changed to an RCT-available prefix if needed)

These prefixes are registered in the RCT but should not be used for creating Exchange resources except in rare circumstances. In those cases, check AAD before creating the resource in the RCT to avoid errors.
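As an added example (not the Division of IT's own tooling), a small Python audit that applies the prefix rule above to cloud-only object names and, for the rename rule from the Groups section, lists groups whose AAD display name has drifted from the name registered in the Resource Coordinator Tools. All group names and object ids below are constructed samples.

```python
"""Audit cloud-only Azure AD object names against the approved-prefix rule
and detect groups renamed outside the Resource Coordinator Tools (RCT)."""
import re

# Approved prefixes for manually created, cloud-only AAD objects, as listed on the page.
APPROVED_PREFIXES = ("AZURE", "M365", "MEM_CSU", "O365", "RAMS")
RESERVED_PREFIXES = {"RAMS"}  # registered but reserved for future use

# The underscore after the prefix is mandatory, so "RAMSKELLER_x" must not match "RAMS".
_PREFIX_RE = re.compile(
    r"^(" + "|".join(re.escape(p) for p in APPROVED_PREFIXES) + r")_(.+)$"
)


def classify_name(name: str) -> str:
    """Return 'ok', 'reserved', 'prefix_collision' or 'no_prefix' for one object name.

    Assumption: prefixes are compared case-sensitively, exactly as listed.
    """
    m = _PREFIX_RE.match(name)
    if m:
        return "reserved" if m.group(1) in RESERVED_PREFIXES else "ok"
    # Starts with an approved prefix but the next character is not '_': either a
    # typo (M365Licensing) or a different namespace (RAMSKELLER_...). Flag it.
    if any(name.startswith(p) for p in APPROVED_PREFIXES):
        return "prefix_collision"
    return "no_prefix"


def find_renamed_groups(registered: dict, current: dict) -> list:
    """Return (object_id, registered_name, current_name) for each group whose AAD
    display name differs from the name registered in the RCT. Both inputs map
    object id -> display name; 'current' would normally come from a directory query."""
    return sorted(
        (oid, reg_name, current[oid])
        for oid, reg_name in registered.items()
        if oid in current and current[oid] != reg_name
    )


# Constructed sample data; object ids are placeholders, not real tenant values.
REGISTERED = {"obj-1": "AZURE_ChemLab_Admins", "obj-2": "M365_Physics_Teams"}
CURRENT = {"obj-1": "AZURE_ChemLab_Admins", "obj-2": "Physics Teams"}

if __name__ == "__main__":
    for n in ("AZURE_ChemLab_Admins", "RAMS_Future", "M365Licensing",
              "RAMSKELLER_Staff", "Physics Teams"):
        print(f"{n}: {classify_name(n)}")
    print(find_renamed_groups(REGISTERED, CURRENT))
```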
Reserving New Prefixes for Azure Active Directory Objects

Naming patterns by object type:
AAD Departmental Subscription account: Azure_ (used to be _Azure)
Subscription: (test|prod|Non-VPN|VPN) Subscription
Resource Group: ___RG
Network Security Group: __NSG
NSG Rule: (Allow|Deny)_(_…|All)_(|Any)_(In|Out)[_] e.g. Allow_103_Any_in, Allow_All_DNS_in_DNS2
Public IP address for Gateway: _-_GWPIP
VNET: _-_VNET
Subnet: -__SUBNET
Storage account: (std|pre)sa
Vnet Gateway: _-_GW
Local Network Gateway: _-LNG (holds the target IP ranges)
Vnet-to-VNET Connection: -to-
Site-to-Site Connection (create two!): -to--LNG
Azure security group: Azure__Admins