Azure Dynamic Groups and how to use Extended attribute.

I wondered how to automagically add users to an Azure AD group after their mailboxes have been migrated to the cloud through an Exchange Hybrid (Classic or Modern).

And I figured out this one.

Users always get the TargetAddress attribute populated once their mailbox migration has been finalized. For a quick recap of what TargetAddress is and how to modify it, see https://www.easy365manager.com/targetaddress/

Modify Azure AD Connect to include extension attributes (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions) and choose TargetAddress from the list.

Manually run Azure AD sync.

Then you can see the extension attribute with PowerShell like this.

When you see the extension in Azure AD, you can configure the dynamic group membership rule (user rule) as follows.

In the picture below I already have a rule in place, but it isn’t there before you click “Get custom extension properties”.

Then enter the Enterprise Application ID that you got from PowerShell or from the GUI.

When you refresh the properties, you will see the property named extension_ID_Attribute in the list, and you can create a contains rule with it as shown below.

Note that you can now assign licenses based on this dynamic group and even enable Conditional Access for it.

There are endless possibilities with this feature. Quick tip: if the group isn’t populating, or isn’t even starting to process, you can add whitespace (yes, a space) at the end of the rule and hit save; it will then populate in a matter of minutes.
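As an added example (not the author's own PowerShell, which is not reproduced on this page), here is the same procedure with the Microsoft Graph PowerShell SDK: locate the schema extension app that Azure AD Connect creates, read the exact extension property name, check one migrated user's value, create the dynamic group with a contains rule, and re-save the rule as the quick tip describes. The app display name "Tenant Schema Extension App", the remote routing domain contoso.mail.onmicrosoft.com, the user UPN and the group names are assumptions for this example.

```powershell
# Added example using the Microsoft Graph PowerShell SDK; not the original post's code.
# Assumptions: the directory-extension app is named "Tenant Schema Extension App",
# the remote routing domain is contoso.mail.onmicrosoft.com, and names are placeholders.
Connect-MgGraph -Scopes "Application.Read.All", "User.Read.All", "Group.ReadWrite.All"

# 1. Find the schema extension app created by Azure AD Connect and its application (client) ID.
$app = Get-MgApplication -Filter "displayName eq 'Tenant Schema Extension App'"
if (-not $app) { throw "Directory extension app not found; enable directory extensions in AAD Connect first." }
$appId = $app.AppId -replace '-', ''   # extension property names use the ID without dashes

# 2. List the app's extension properties; the synced attribute appears as extension_<appId>_targetAddress.
$extName = (Get-MgApplicationExtensionProperty -ApplicationId $app.Id |
    Where-Object Name -eq "extension_${appId}_targetAddress").Name
if (-not $extName) { throw "targetAddress is not selected in AAD Connect directory extensions." }

# 3. Check a migrated user; the value is only populated after the mailbox move has finalized.
$upn  = "user1@contoso.com"   # placeholder
$user = Get-MgUser -UserId $upn -Property "id", "userPrincipalName", $extName
"{0}: {1}" -f $user.UserPrincipalName, $user.AdditionalProperties[$extName]

# 4. Create the dynamic security group with a contains rule on the extension property
#    (the portal's "Contains" operator maps to -contains in rule syntax).
$rule  = "(user.$extName -contains `"contoso.mail.onmicrosoft.com`")"
$group = New-MgGroup -DisplayName "Migrated Mailboxes" -MailNickname "MigratedMailboxes" `
    -MailEnabled:$false -SecurityEnabled -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 5. The quick tip from the post: re-saving the rule with a trailing space re-triggers processing.
Update-MgGroup -GroupId $group.Id -MembershipRule "$rule "
```

The group created in step 4 can then be used as the assignment target for licensing or Conditional Access, exactly as the post notes.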

Author: Harri Jaakkonen