AuthMan, Sync Groups to Azure Active Directory

How to mark AuthMan groups for syncing to Active Directory

AuthMan is built on the Grouper groups registry, which can provision groups to external systems, but no groups are synced anywhere by default.

AuthMan provides a basic provisioning mechanism that pushes your AuthMan access policy groups into Azure Active Directory as one of several group types. This is one of the preferred methods for enforcing group-based authorization, and the resulting groups can be used by a variety of Office 365 applications (such as Teams, Planner, SharePoint, OneDrive and Exchange), by GitHub, and by custom registered applications configured to use Azure AD or ADFS authentication.

Azure AD supports several kinds of groups, four of which can be created by AuthMan groups.

| Group Type | Group Description | AuthMan Marker Attributes | Implementation |
| --- | --- | --- | --- |
| Azure AD Security Groups | Generally used for resource access in Azure subscriptions and some Office 365 applications. | etc:attribute:m365:SecurityGroup-Simple or etc:attribute:m365:SecurityGroup-Default | Available |
| Microsoft 365 Unified "Private" Groups | Private group with mailbox and SharePoint site: only invited members can be members and see content. | etc:attribute:m365:PrivateGroup-Simple or etc:attribute:m365:PrivateGroup-Default | Available |
| Microsoft 365 Unified "Public" Groups | Public group with mailbox and SharePoint site: any user in the organization can self-join and see content. | | Coming Soon |
| Microsoft 365 Unified "Hidden Membership" Groups | Like a Private group, but members cannot see other memberships. | | Coming Soon |
| Mail-Enabled Security Groups | Security groups with an email address. Usually synced from the UOFI AD. | | Use campus AD |
| Distribution Groups | Exchange groups with an email address, usually synced from the UOFI AD. | | Use campus AD |
| Shared Mailboxes | An Exchange mailbox configured for multiple-user access, usually configured within Exchange. | | Use campus AD |

The marker attributes are boolean attributes assigned at the folder level; every group beneath that folder (including any subfolders) is provisioned. The variations of the marker attributes are as follows:

| Attribute | How the group name appears | How the email address appears |
| --- | --- | --- |
| SecurityGroup-Simple | group's friendly name (example: "Intranet Access") | n/a |
| SecurityGroup-Default | group's 3rd-level parent and friendly name (example: "TechServices - Intranet Access") | n/a |
| PrivateGroup-Simple | group's friendly name (example: "Intranet Access") | <groupId>@office365.illinois.edu (example: "intranet-access@office365.illinois.edu") |
| PrivateGroup-Default | group's 3rd-level parent and friendly name (example: "TechServices - Intranet Access") | <3rdparentId>-<groupId>@office365.illinois.edu (example: "techsvc-intranet-access@office365.illinois.edu") |
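The naming rules above can be checked before a folder is marked. The following is an added example, not AuthMan's or Grouper's own code: it assumes a Grouper group is described by a colon-separated system path and a matching display path (constructed sample values below), that the "3rd-level parent" is the third folder counted from the root, and it reports the display-name collisions that the -Simple variants produce when two folders contain groups with the same friendly name.

```python
from dataclasses import dataclass

# Marker attributes listed on the page, without the "etc:attribute:m365:" prefix.
MARKERS = {"SecurityGroup-Simple", "SecurityGroup-Default",
           "PrivateGroup-Simple", "PrivateGroup-Default"}
MAIL_DOMAIN = "office365.illinois.edu"


@dataclass(frozen=True)
class GrouperGroup:
    """Assumed shape of a Grouper group (example code, not Grouper's API):
    a system path whose last element is the group id, and a display path
    whose last element is the friendly name."""
    name: str          # e.g. "uofi:org:techsvc:apps:intranet-access" (constructed)
    display_name: str  # e.g. "UofI:Org:TechServices:Apps:Intranet Access" (constructed)


def azure_names(group: GrouperGroup, marker: str) -> dict:
    """Return the Azure AD display name and mail address that the given
    marker attribute would produce for this group, per the table above."""
    if marker not in MARKERS:
        raise ValueError(f"unknown m365 marker attribute: {marker}")
    ids, labels = group.name.split(":"), group.display_name.split(":")
    if len(ids) != len(labels) or len(ids) < 4:
        raise ValueError("paths must match and contain a 3rd-level parent folder")
    group_id, friendly = ids[-1], labels[-1]
    third_id, third_label = ids[2], labels[2]      # assumed: 3rd folder from the root
    kind, variant = marker.split("-")
    if variant == "Simple":
        display, local_part = friendly, group_id
    else:                                          # "Default" prefixes the 3rd-level parent
        display = f"{third_label} - {friendly}"
        local_part = f"{third_id}-{group_id}"
    # Only the unified (Private) groups get a mailbox; security groups show "n/a".
    mail = f"{local_part}@{MAIL_DOMAIN}" if kind == "PrivateGroup" else None
    return {"displayName": display, "mail": mail}


def find_collisions(groups, marker: str) -> dict:
    """Map each Azure AD display name to the groups that would claim it,
    keeping only names produced by more than one group."""
    seen: dict = {}
    for g in groups:
        seen.setdefault(azure_names(g, marker)["displayName"], []).append(g.name)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Running find_collisions over a folder's groups with a -Simple marker and finding a non-empty result is a signal to use the -Default variant instead, so the 3rd-level parent disambiguates the names.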

Configure a Folder to Sync to Azure AD

  • Anyone who is a delegated "org" or "app" folder admin can mark groups for sync.
  • Azure AD syncing is only supported at the folder level, so that any groups created within that folder are automatically synced.
  • Steps to configure:
    1. Navigate to the folder that you want to assign to sync.
    2. Click on the Functions button in the upper right to expand the menu.
    3. Select Attribute Assignments.
    4. Click the orange +Assign Attribute button.
    5. In the attribute name box, type m365 and select the appropriate attribute that matches the naming profile above.
    6. Click the Save button to set the attribute field to the folder.

Azure AD Group Syncing Considerations

For any additional questions, contact us at auth-man@illinois.edu.