Creating dynamic groups in Azure Active Directory using Graph API and C#

In one of my projects I tried to create dynamic groups in AAD to organize users added by a custom-built sync tool I wrote. If you don't know what a dynamic group is, watch this video here. In short, it is a technique for dynamic membership based on rules that sort users into groups by their attribute values, which is really useful.

For my syncing tool I had the requirement to create specific dynamic groups, if they did not exist yet, based on a specific attribute value. So I had to do it in code (C# Graph API SDK). Unfortunately there is no good documentation on how to do this, so I'd like to share what I found.

First note:

Use the Graph API "beta" endpoint (not version 1.0). Note that the two dynamic-membership properties below have since been added to the v1.0 Group resource as well, so on a current tenant the v1.0 endpoint works too; check the current Group resource reference before depending on beta. In terms of the Graph API URL:

https://graph.microsoft.com/beta/groups/ 

Second note:

Use the properties "membershipRule" (the dynamic membership rule) and "membershipRuleProcessingState" (set to "On" to activate rule evaluation for the group). Two prerequisites: the calling app needs the Group.ReadWrite.All (or Directory.ReadWrite.All) permission to create groups, and dynamic groups require an Azure AD Premium P1 licence in the tenant.

If you are not sure which properties you can use, try the following procedure:
– create a dynamic group by hand in AAD
– go to Graph Explorer (Link here)
– use the URL from above (https://graph.microsoft.com/beta/groups/)
– inspect the response JSON for the group you just created
– (to see the differences between v1.0 and beta, switch the version in the dropdown and compare the responses)

I used the Graph API SDK for C# to handle the Graph API calls, so I had to deal with the question "How can I add these properties? They are not part of the Group model."
Luckily I could use the property AdditionalData, a dictionary of string and object. I added my dynamic group properties there and it worked like a charm. (Newer versions of the SDK expose MembershipRule and MembershipRuleProcessingState directly on the Group model, so the AdditionalData workaround is only needed on older versions.)
See the code below for clarification. It creates a security group named Group_<Number> whose membership rule adds every user whose displayName contains "AA ". Keep in mind that a dynamic security group grants membership, and with it whatever access the group carries, automatically to anyone matching the rule, so build rules only on attributes that users cannot edit themselves, and never interpolate untrusted input into the rule string, since the rule is a small query language of its own. That's all!

Hope this helps, cheers!

// Context not shown in the original post: `client` is an authenticated GraphServiceClient,
// `log` an ILogger, `errors` a List<string> collecting the groups that failed and `div`
// the number that distinguishes the groups. Written against the Microsoft.Graph SDK v4
// API (Request().AddAsync); in SDK v5 the equivalent call is client.Groups.PostAsync(group).
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.Graph;
using Newtonsoft.Json;

static async Task CreateDynamicGroupAsync(GraphServiceClient client, ILogger log, int div, List<string> errors)
{
    var group = new Group
    {
        GroupTypes = new List<string> { "DynamicMembership" }, // marks the group as dynamic
        Description = $"Dynamic group called Group{div}",
        DisplayName = $"Group_{div}",
        MailEnabled = false,
        MailNickname = $"Group{div}",
        SecurityEnabled = true,
        // membershipRule and membershipRuleProcessingState are not on this SDK's Group model,
        // so they are sent as extra JSON members via AdditionalData.
        AdditionalData = new Dictionary<string, object>
        {
            // Verbatim string: "" is an escaped double quote, so the rule sent to Graph is
            // user.displayName -contains "AA "
            ["membershipRule"] = @"user.displayName -contains ""AA """,
            // "On" activates rule evaluation; "Paused" creates the group without evaluating it
            ["membershipRuleProcessingState"] = "On"
        }
    };

    try
    {
        await client.Groups.Request().AddAsync(group);
        log.LogInformation($"Added group Group_{div}");
    }
    catch (ServiceException ex)
    {
        // ex.Error carries the Graph error code and message (e.g. a mailNickname already in use)
        log.LogError(ex, $"There was an exception on creating dynamic group {div}. This is the inner error {JsonConvert.SerializeObject(ex.Error)}.");
        errors.Add(div.ToString());
    }
}
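As an added example (not the post's code), the following Python builds the same JSON body the SDK sends to /beta/groups, which is also what the Graph Explorer procedure above lets you inspect, and creates the group only if no group with that displayName exists yet, which the post's sync tool needed. The HTTP transport is injected as a callable, so the logic runs offline against the in-memory FakeGraph stand-in below; FakeGraph, the attribute and operator allowlists and the validation regex are assumptions of this example, not part of the original post or of the Graph API.

```python
"""Build the request body for an Azure AD dynamic group and create it idempotently
via the Microsoft Graph REST endpoint. send(method, url, body) -> (status, json) is
injected, so everything below runs against the FakeGraph stand-in (constructed here,
not a real client) without network access."""
import json
import re
from urllib.parse import quote, unquote

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Membership rules are a small query language. A double quote, backslash or
# parenthesis inside an interpolated value would change the rule's meaning, so
# values are checked against a conservative allowlist instead of being escaped.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9 _.@-]+$")
ALLOWED_ATTRIBUTES = {"user.displayName", "user.department", "user.jobTitle"}  # example allowlist (assumption)
ALLOWED_OPERATORS = {"-eq", "-ne", "-startsWith", "-contains", "-notContains"}  # subset of the real operators


def build_membership_rule(attribute: str, operator: str, value: str) -> str:
    """Return e.g.  user.displayName -contains "AA "  after validating every part."""
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"attribute not allowed in rules: {attribute!r}")
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"operator not allowed: {operator!r}")
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError(f"unsafe characters in rule value: {value!r}")
    return f'{attribute} {operator} "{value}"'


def build_dynamic_group(div: int, rule: str) -> dict:
    """The request body the C# code above produces (AdditionalData becomes plain JSON members)."""
    return {
        "displayName": f"Group_{div}",
        "description": f"Dynamic group called Group{div}",
        "mailEnabled": False,
        "mailNickname": f"Group{div}",
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": rule,
        "membershipRuleProcessingState": "On",  # "Paused" would create the group without evaluating the rule
    }


def ensure_dynamic_group(send, div: int, rule: str):
    """Look the group up by displayName first and create it only if absent.
    Returns (created, group_json)."""
    display_name = f"Group_{div}"
    url = f"{GRAPH_BETA}/groups?$filter=" + quote(f"displayName eq '{display_name}'")
    status, body = send("GET", url, None)
    if status != 200:
        raise RuntimeError(f"lookup failed: {status} {json.dumps(body)}")
    existing = body.get("value", [])
    if existing:
        return False, existing[0]
    status, body = send("POST", f"{GRAPH_BETA}/groups", build_dynamic_group(div, rule))
    if status != 201:
        raise RuntimeError(f"create failed: {status} {json.dumps(body)}")
    return True, body


class FakeGraph:
    """Constructed in-memory stand-in for the /groups endpoint (assumption of this example)."""

    def __init__(self):
        self.groups = []

    def __call__(self, method, url, body):
        if method == "GET":
            match = re.search(r"displayName eq '([^']*)'", unquote(url))
            wanted = match.group(1) if match else None
            return 200, {"value": [g for g in self.groups if g["displayName"] == wanted]}
        if method == "POST":
            # mirrors the shape of Graph's error envelope for a duplicate mailNickname
            if any(g["mailNickname"] == body["mailNickname"] for g in self.groups):
                return 400, {"error": {"code": "Request_BadRequest", "message": "mailNickname already in use"}}
            created = dict(body, id=f"fake-{len(self.groups) + 1}")
            self.groups.append(created)
            return 201, created
        return 405, {}


if __name__ == "__main__":
    graph = FakeGraph()
    rule = build_membership_rule("user.displayName", "-contains", "AA ")
    print(ensure_dynamic_group(graph, 1, rule))  # created on the first call
    print(ensure_dynamic_group(graph, 1, rule))  # found, not created again
```

To use it against a real tenant, replace FakeGraph with a callable that attaches a bearer token obtained for Group.ReadWrite.All and performs the request; the filter by displayName keeps repeated sync runs from producing duplicate groups, and the value check rejects input such as AA" -or user.userType -eq "Guest instead of letting it extend the rule.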
