AuthMan, Sync Groups to Azure Active Directory
AuthMan's underlying Grouper software is a groups registry that can provision groups to external systems, but it does not sync any groups by default.
AuthMan provides a basic provisioning mechanism to push your AuthMan access policy groups into Azure Active Directory as various group types. This is one of the preferred methods of group authorization enforcement, and it can be used by a variety of Office 365 applications such as Teams, Planner, SharePoint, OneDrive, Exchange and GitHub, as well as custom registered applications configured to use Azure AD or ADFS authentication.
Azure AD supports several kinds of groups, four of which can be created by AuthMan groups.
Group Type | Group Description | AuthMan Marker Attributes | Implementation
---|---|---|---
Azure AD Security Groups | Generally used for resource access in Azure subscriptions and some Office 365 applications. | etc:attribute:m365:SecurityGroup-Simple, etc:attribute:m365:SecurityGroup-Default | Available
Microsoft 365 Unified "Private" Groups | Private group with mailbox and SharePoint site: only invited members can be members and see content. | etc:attribute:m365:PrivateGroup-Simple | Available
Microsoft 365 Unified "Public" Groups | Public group with mailbox and SharePoint site: any user in the organization can self-join and see content. | | Coming Soon
Microsoft 365 Unified "Hidden Membership" Groups | Like a Private group, but members cannot see other memberships. | | Coming Soon
Mail-Enabled Security Groups | Security groups with an email address, usually synced from the UOFI AD. | | Use campus AD
Distribution Groups | Exchange groups with an email address, usually synced from the UOFI AD. | | Use campus AD
Shared Mailboxes | An Exchange mailbox configured for multiple-user access, usually configured within Exchange. | | Use campus AD
The marker attributes are boolean attributes attached at the folder level; they designate every group beneath that folder (including any subfolders) for provisioning. The variations of the marker attributes are as follows:
Attribute | How the group name appears | How the email address appears
---|---|---
SecurityGroup-Simple | Group's friendly name (example: "Intranet Access") | n/a
SecurityGroup-Default | Group's full path and name (example: "urb:app:somegroup") | n/a
PrivateGroup-Simple | Group's friendly name (example: "Intranet Access") | <groupId>@office365.illinois.edu (example: "intranet-access@office365.illinois.edu")
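The two rules above (a folder marker applies to every group under that folder, and each marker determines how the provisioned name and address look) can be modelled in a few lines. The following is an added example, not AuthMan or Grouper code, and it makes two assumptions that the page does not state: when markers are assigned at several levels, the nearest ancestor folder wins, and the groupId used in the mail address is the friendly name lower-cased with non-alphanumeric runs replaced by hyphens, which reproduces the "Intranet Access" to "intranet-access" example. The folder paths and group names in the sample data are constructed.

```python
import re
from typing import Dict, List, Optional

# Marker names as they appear on the page, without the etc:attribute:m365: prefix.
SUPPORTED_MARKERS = {"SecurityGroup-Simple", "SecurityGroup-Default", "PrivateGroup-Simple"}
MAIL_DOMAIN = "office365.illinois.edu"


def effective_marker(group_path: str, folder_markers: Dict[str, str]) -> Optional[str]:
    """Return the marker that applies to a group, or None if no ancestor folder is marked.

    folder_markers maps a Grouper folder path (e.g. "urb:app") to a marker name.
    A marker on a folder covers all groups beneath it, including subfolders.
    Assumption: if several ancestors carry markers, the closest one wins.
    """
    parts = group_path.split(":")
    for depth in range(len(parts) - 1, 0, -1):
        folder = ":".join(parts[:depth])
        if folder in folder_markers:
            return folder_markers[folder]
    return None


def group_id_from_display_name(display_name: str) -> str:
    """Derive the groupId for the mail address (assumed rule: lower-case, hyphenated)."""
    return re.sub(r"[^a-z0-9]+", "-", display_name.lower()).strip("-")


def provisioned_identity(group_path: str, display_name: str, marker: str) -> Dict[str, Optional[str]]:
    """Apply the naming table: what Azure AD will show for this group under a given marker."""
    if marker == "SecurityGroup-Simple":
        return {"type": "security", "displayName": display_name, "mail": None}
    if marker == "SecurityGroup-Default":
        return {"type": "security", "displayName": group_path, "mail": None}
    if marker == "PrivateGroup-Simple":
        return {
            "type": "m365-private",
            "displayName": display_name,
            "mail": f"{group_id_from_display_name(display_name)}@{MAIL_DOMAIN}",
        }
    raise ValueError(f"unsupported marker: {marker}")


def plan_sync(groups: List[Dict[str, str]], folder_markers: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Return the provisioning plan for a list of {"path", "displayName"} groups.

    Groups with no marked ancestor are skipped, reflecting that nothing syncs by default.
    """
    plan = []
    for group in groups:
        marker = effective_marker(group["path"], folder_markers)
        if marker is None:
            continue
        entry = provisioned_identity(group["path"], group["displayName"], marker)
        entry["source"] = group["path"]
        plan.append(entry)
    return plan


# Constructed sample data: two marked folders, one unmarked tree.
SAMPLE_MARKERS = {
    "urb:app": "SecurityGroup-Default",
    "urb:app:intranet": "PrivateGroup-Simple",
}
SAMPLE_GROUPS = [
    {"path": "urb:app:somegroup", "displayName": "Some Group"},
    {"path": "urb:app:intranet:access", "displayName": "Intranet Access"},
    {"path": "urb:other:unsynced", "displayName": "Not Provisioned"},
]

if __name__ == "__main__":
    for entry in plan_sync(SAMPLE_GROUPS, SAMPLE_MARKERS):
        print(entry)
```

Running the block prints one plan entry per marked group; the group under the unmarked urb:other folder is left out, and the group under urb:app:intranet picks up the PrivateGroup-Simple marker rather than the SecurityGroup-Default marker on its grandparent.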
Configure a Folder to Sync to Azure AD
- Navigate to the folder that you want to sync.
- Click the Functions button in the upper right to expand the menu.
- Select Attribute Assignments.
- Click the orange +Assign Attribute button.
- In the attribute name box, type m365 and select the attribute that matches the naming profile you want from the table above.
- Click the Save button to assign the attribute to the folder.