AuthMan, Sync Groups to Azure Active Directory

How to mark AuthMan groups for syncing to Active Directory

As a groups registry, AuthMan's powerful Grouper software can provision groups externally, but it does not sync any groups by default.

AuthMan provides a basic provisioning mechanism to push your AuthMan access policy groups as various group types in Azure Active Directory. This is one of the preferred methods for group authorization enforcement, which can be utilized by a variety of Office 365 applications such as Teams, Planner, SharePoint, OneDrive, Exchange and GitHub and custom registered applications configured to use Azure AD or ADFS authentication.

Azure AD supports several kinds of groups, four of which can be created by AuthMan groups.

 Group TypeGroup DescriptionAuthMan Marker Attributes Implementation 
 Azure AD Security Groups Generally used for resource access in Azure subscriptions, some Office 365 applications. etc:attribute:m365:SecurityGroup-Simple
etc:attribute:m365:SecurityGroup-Default
 Available
 Microsoft 365 Unified "Private" Groups Private Group with mailbox and SharePoint site: only invited members can be a member and see content. etc:attribute:m365:PrivateGroup-Simple
etc:attribute:m365:PrivateGroup-Default
 Available
 Microsoft 365 Unified "Public" Groups Public Group with mailbox and SharePoint site: any user in the organization can self-join and see content.    Coming Soon
 Microsoft 365 Unified "Hidden Membership" Groups  Like Private Group, but members cannot see other memberships.    Coming Soon
 Mail-Enabled Security GroupsSecurity Groups with an email address. Usually synced from the UOFI AD  Use campus AD
 Distribution GroupsExchange groups with an email address, usually synced from the UOFI AD  Use campus AD
 Shared MailboxesAn Exchange mailbox configured for multiple user access, usually configured within Exchange.  Use campus AD

The marker attributes are simply boolean attributes that are attached at the folder level, in order to designate all groups beneath that folder (and any subfolders) to be provisioned. The variations to the marker attributes are as follows:

 Attribute How group name appears... How email address appears...
 SecurityGroup-Simple  group's friendly name
(example: "Intranet Access")
 n/a
 SecurityGroup-Default  group's 3rd-level parent and friendly name
(example: "TechServices - Intranet Access")
 n/a
 PrivateGroup-Simple  group's friendly name
(example: "Intranet Access")
<groupId>@office365.illinois.edu
(example: "intranet-access@office365.illinois.edu")
 PrivateGroup-Default  group's 3rd-level parent and friendly name
(example: "TechServices - Intranet Access")
 <3rdparentId>-<groupId>@office365.illinois.edu
(example: "techsvc-intranet-access@office365.illinois.edu")

Configure a Folder to Sync to Azure AD

  • Anyone that is a delegated "org" or "app" folder admin has the ability to mark groups for sync. 
  • Azure AD syncing is only supported at the folder level, so that any groups created within that folder are automatically synced.
  • Steps to configure:
    1. Navigate to the folder that you want to assign to sync.
    2. Click on the Functions button in the upper right to expand the menu.
    3. Select Attribute Assignments
    4. Click the orange +Assign Attribute button
    5. In the attribute name box, type m365 and select the appropriate attribute that matches the naming profile above.
    6. Click the Save button to set the attribute field to the folder.

Azure AD Group Syncing Considerations

  • All Azure AD group memberships are visible to any tenant user by default, except for Unified Groups with Hidden Membership.

  • Syncing from AuthMan to Azure AD will be “flat”. That means that synced group in AD will consist of only the direct and indirect members of the group. If you are syncing a nested group, you will NOT see the nested group IDs in the synced AD group.

  • The description of the Azure AD group is populated with the group description, plus a reference to the source group path.

  • Once your group is synced to Azure AD, you may use it to access resources in Azure AD, like any other Azure AD group.

  • Groups must be created after the marker attribute is set on the folder. The changelog consumer only syncs incremental changes to Azure AD, there is no full sync.

  • If you delete your group in AuthMan, that group will be deleted entirely in Azure AD.

  • If you rename your group or change its description in AuthMan, that group is not changed in Azure AD.  The Azure AD Object ID is written back to the group as an attribute when originally created, so it will continue to be synced, even with the different group name.

  • If you wish to make a Teams area from one of these groups, IAM needs to set an alternate Owner of the group, then you can see the group when you click "Create a team using a group set up by you or University of Illinois - Urbana" in the Create your Team wizard.

  • Deleting group members in groups that are marked to be M365/Unified Groups will have a propagation delay of up to 24 hours before some Office 365 apps (such as Teams) reflect the deleted memberships. 

  • Alternate owners assigned to the group should avoid making changes to the group in directly Azure AD, as the changes don't sync back or get changed by subsequent syncs and will cause the group to get out of sync.

  • Note that some apps (namely Teams) support the ability for the user to "leave" a group. There is no known way to disable this capability. To correctly put back a person that has "left", remove them from the source group in AuthMan, wait a couple minutes, then add them back in.

For any additional questions, contact us at auth-man@illinois.edu.




Keywords:authorization manager authman grouper active directory ad aad Azure sync groups pspng provision authz ldap   Doc ID:107096
Owner:Erik C.Group:University of Illinois Technology Services
Created:2020-11-10 17:27 CDTUpdated:2021-07-20 16:12 CDT
Sites:University of Illinois System, University of Illinois Technology Services
Feedback:  0   0