Interstellar Business Solutions Limited

October 2024

microsoft group

“5 Benefits of Dynamic Microsoft 365 Groups for Collaboration”

Over time, as Microsoft 365 environments grow, managing users and devices can become increasingly complex. Instead of manually adding users to groups every time a new one joins, dynamic groups can make the process easier. In this article, we’ll explore why using dynamic groups—whether they are security groups, Microsoft 365 Groups, or dynamic distribution lists—can be beneficial, along with a few things to keep in mind when setting them up.

One key point is that dynamic distribution lists are specific to Exchange Online. They won’t show up in the Entra ID admin center or in the results of Microsoft Graph queries. Exchange Online automatically calculates the membership of these lists based on mail-enabled objects in its directory.

Before diving into some typical use cases for dynamic groups, let’s quickly recap what they are. Unlike static groups, dynamic groups don’t have fixed members. Their membership is defined by rules set within the group’s properties. Microsoft 365 Groups can have dynamic membership based on either users or devices, but not both. If needed, you can convert a static group to a dynamic one, but doing so will remove its current members. It might be wiser to create a new dynamic group and rename it—along with its primary SMTP address—so that you can retain the old group’s information. It’s also important to know that dynamic distribution lists cannot be renamed. To use dynamic Microsoft 365 groups, every account that falls under the membership rules must have an Entra ID P1 license.

Creating Dynamic Groups Based on Attribute Values

One of the most common reasons for using dynamic groups is to automatically add members based on certain attribute values. For example, you could create a rule that includes users whose department is listed as “Consulting” and whose phone number starts with +852 (as shown in Figure 1). You might wonder why we include phone numbers in this rule. In some cases, country attributes can indicate where a person is paid from, rather than where they actually work. The assigned Teams phone number provides a more accurate filter, which is why it’s used in this case.

In many cases, dynamic groups take the hassle out of managing group memberships. As long as a user’s account has the correct attribute values, they will automatically be part of the group. However, issues often arise when attributes are missing, misspelled, or not properly synced from an on-premises Active Directory. Dynamic groups are commonly used by Microsoft 365 admins, and since group membership can grant access to resources like SharePoint sites, even a small typo in the membership rule can add the wrong users to the group—potentially leading to unintentional data exposure. This is a concern not just for groups, but also for other Microsoft 365 features like Dynamic Administrative Units and adaptive scopes for users and groups. To prevent issues with dynamic membership caused by incorrect account details, it’s crucial to standardize the account creation process.

Creating a List of Special User Accounts

Some dynamic groups are designed for specific administrative purposes. A common setup when configuring Microsoft 365 tenants is creating dynamic groups for special user accounts, like Guest Users. In Figure 2, for example, I added a condition to filter only Guest users, using a specific attribute (extensionAttribute1) for one client’s setup. This condition can vary, but in this case, they used that attribute to differentiate Guest users. The rule identifies accounts where the userType is set to “Guest” (i.e., guest user accounts) and the extensionAttribute1 is assigned the value “App1.”

One client asked us to create a conditional access policy to block shared mailboxes and meeting room accounts. While we know these accounts are disabled and don’t have system access, the client wanted to be extra cautious by implementing a blocking policy. Currently, there’s no specific Entra ID attribute to identify shared mailboxes, so we had to get creative. We used alternatives like a naming convention or one of the fifteen available custom attributes to identify these accounts.

Creating a List of Devices from the Intune Inventory

When deploying Intune, there’s often a need to apply apps or configurations to specific platforms. For instance, you might only want to install Microsoft 365 Apps on macOS devices. The simplest way to achieve this is by setting up a dynamic group based on the device attributes collected through Intune’s inventory. Figure 3 illustrates an example of a dynamic group that includes all macOS devices within a tenant.

Creating a List of Devices Based on Management Type

Another common use for dynamic groups is identifying devices managed by SCCM. These groups can help exclude certain app deployments or configurations from Intune since SCCM is already handling them. For example, Figure 4 shows a dynamic group that includes only Windows devices managed by Intune. This setup allows for more efficient management by ensuring that devices already covered by SCCM don’t receive duplicate configurations.

Creating a List of Users Based on Specific License Type

Another useful scenario for dynamic groups is identifying users based on their assigned Microsoft 365 license or service plan. Administrators can set up dynamic groups to filter users with specific licenses, like Entra ID Premium P1 or P2, and apply policies such as allowing only these users to use Self Service Password Reset. For instance, Figure 5 shows a dynamic group that includes users with an assigned Intune license. This approach makes it easy to manage and apply targeted configurations based on users’ licenses.

Things to Keep in Mind When Using Dynamic Groups

Before choosing to use dynamic groups instead of static ones in Microsoft 365, there are a few important points to consider:

Dynamic Group Updates in Entra ID

Entra ID no longer updates dynamic group membership in real-time, as it did in the early days of Azure AD. This change was made to reduce the resource load on the Microsoft 365 backend. Now, Entra ID updates dynamic group membership at set intervals, and applications rely on a cached version of the membership list.
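As an added example (not code from the article), the following Python dry-runs membership rules written in the Entra rule syntax against a constructed user list, so a typo such as “Consultng” or an attribute that never synced shows up before the rule is saved on a real group. It assumes `user.telephoneNumber` stands in for the Teams phone number and models only a small subset of the real syntax.

```python
import re
# Minimal evaluator for a subset of the Entra dynamic membership rule syntax:
# clauses like (user.<attribute> -<op> "<value>") joined by and/or/not.
# Added example for this article, not Microsoft's rule engine. Assumptions:
# comparisons are case-insensitive and only these four operators are modelled.
CLAUSE = re.compile(
    r'\(\s*user\.(\w+)\s+-(eq|ne|startsWith|contains)\s+"([^"]*)"\s*\)', re.I)
OPS = {
    "eq": lambda have, want: have == want,
    "ne": lambda have, want: have != want,
    "startswith": lambda have, want: have.startswith(want),
    "contains": lambda have, want: want in have,
}

def evaluate(rule, user):
    """True if the user (dict of attribute -> value) satisfies the rule.
    A missing attribute never satisfies a clause, which is how an account
    whose attributes were not synced silently drops out of the group."""
    def clause(m):
        attr, op, want = m.group(1), m.group(2).lower(), m.group(3)
        have = user.get(attr)
        if have is None:
            return "False"
        return str(OPS[op](str(have).lower(), want.lower()))
    expr = CLAUSE.sub(clause, rule)
    # After substitution only True/False, and/or/not and parentheses may remain.
    if not re.fullmatch(r"[\sTrueFalsandornt()]*", expr):
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return bool(eval(expr, {"__builtins__": {}}))  # safe: validated above

def preview_members(rule, users):
    """Dry-run a rule over a user list and return the matching UPNs, so a
    typo or an unsynced attribute is caught before the rule goes live."""
    return sorted(u["userPrincipalName"] for u in users if evaluate(rule, u))

# Constructed sample directory, not real accounts.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "Consulting",
     "telephoneNumber": "+852 5555 0100", "userType": "Member"},
    {"userPrincipalName": "bob@contoso.example", "department": "Consulting",
     "telephoneNumber": "+44 20 5555 0101", "userType": "Member"},
    {"userPrincipalName": "carol@contoso.example", "department": "Consulting",
     "userType": "Member"},  # phone number never synced from on-premises AD
    {"userPrincipalName": "dan_ext#EXT#@contoso.example", "userType": "Guest",
     "extensionAttribute1": "App1"},
]
HK_CONSULTING = '(user.department -eq "Consulting") and (user.telephoneNumber -startsWith "+852")'
HK_CONSULTING_TYPO = '(user.department -eq "Consultng") and (user.telephoneNumber -startsWith "+852")'
APP1_GUESTS = '(user.userType -eq "Guest") and (user.extensionAttribute1 -eq "App1")'
```

Running `preview_members(HK_CONSULTING_TYPO, USERS)` returns an empty list, which is the silent failure the article warns about; compare it with the intended rule before saving either.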


Microsoft 365 Backup Public Preview Now Available

Introduction

In 2024, Microsoft rolled out the public preview of Microsoft 365 Backup, as promised during Ignite 2023. This tool helps protect data in SharePoint Online, OneDrive for Business, and Exchange Online by offering point-in-time backups. Here’s a rundown of how it works and how you can set it up for testing.

How It Works

Microsoft 365 Backup isn’t a traditional backup solution. Instead, it provides fast snapshot backups within the Microsoft 365 datacenters, meaning no separate data location is used. It’s best thought of as a snapshot tool, capturing point-in-time copies of your data.

For Exchange Online, backups are highly detailed. Microsoft 365 Backup captures changes using a “copy-on-write” mechanism, similar to litigation hold. It tracks activities like message attachment edits, deletions, and more, ensuring a low recovery point objective (RPO) of under 10 seconds. You can restore individual mailbox items as needed.

For OneDrive and SharePoint, the process is a bit different. Snapshots are taken every 10 minutes and are better suited for large-scale recoveries—like after a ransomware attack—rather than everyday disaster recovery. Currently, you can only restore full OneDrive accounts or SharePoint sites.

Limitations

This preview has some key limitations. For example, OneDrive and SharePoint data isn’t indexed for eDiscovery, so it won’t show up in those searches. Data retention is capped at 12 months, and there’s no easy way to comply with GDPR requests like the right to be forgotten.

Where Backup Data is Stored

Backup data is stored in a special Microsoft layer called “Microsoft 365 Backup Storage” (MBS). This storage is kept separate from your primary mailbox or SharePoint quotas, and multiple geographically distributed copies of the data are kept within your selected region. Third-party services like Keepit, CommVault, and AvePoint can also use MBS, but you can’t use both Microsoft 365 Backup and a third-party MBS-based solution in the same tenant at the same time.

Setting It Up

One important thing to note: this is a paid preview, costing $0.15 per GB of backed-up data, with a 12-month retention period. Make sure to be selective when choosing test data for backups, as costs will accumulate unless the service is turned off.

To set it up, you’ll need to enable Microsoft Syntex’s pay-as-you-go (PAYG) billing first, which requires an Azure subscription. If you don’t already have one, you’ll need to create an Azure subscription and assign a credit card for payment. After enabling the necessary resources in Entra ID, you can activate the Microsoft 365 Backup preview. It may take a few hours for the setup to be fully provisioned. Once that’s done, you can go to the Microsoft 365 admin center and enable Microsoft 365 Backup. Make sure to complete the setup, or you’ll encounter issues when creating protection policies. This new tool offers a lot of potential for safeguarding your organization’s data, but it’s essential to understand the nuances and costs involved before diving in.

Creating Backup Policies for Microsoft 365 Backup

Once you’ve enabled Microsoft 365 Backup, it won’t start working until you create backup policies for the workloads you want to protect. During the preview, you can only create one policy per workload, but you can include as many sites, users, or mailboxes as needed within that policy. Initially, all three workloads (Exchange Online, SharePoint, OneDrive) will display a small “Not set up” icon with a “Set up policy” button next to it. Let’s walk through how to set up a policy for Exchange Online. The process is similar for the other workloads. Once the policy is created, Microsoft 365 Backup will start protecting the selected items according to the settings you’ve specified.

Once you’ve created a backup policy, Microsoft 365 Backup will start copying data right away. However, during the preview phase, it might take up to 15 minutes for restore points to show up after making any changes to the policy.

Restoring Data

To restore data, simply click the “Restore” button that appears below each workload with an active policy. The interface is the same for all workloads. It starts by asking you to select the type of data you want to restore. Even if you haven’t assigned a policy to a specific content type, you’ll still be able to select it, but no data will be available for restoration.

After selecting the content type to restore, the next step is choosing specific items, like mailboxes, OneDrive users, or SharePoint sites. You can restore multiple items, but only within the same policy (for example, you can’t restore a mailbox and a OneDrive account in a single operation). You’ll then pick a point in time for the snapshot you want to restore from. Microsoft 365 Backup will use the closest available snapshot before that time, and it will restore the entire selected item(s).

For Exchange Online, there’s an option to restore based on specific criteria like sender, recipient, subject keywords, or whether attachments are present. If you choose this filter, you can restore from pre-set intervals of 24 hours, 48 hours, 7 days, or 14 days. You can also click “Find matching items” to see a summary before confirming the restore. Once you’re satisfied with the filter settings, click “Next.” Microsoft 365 Backup will check if there’s a valid snapshot that matches the criteria before moving forward.

The final step is choosing where to restore the data. You can either restore items in place or to a different location. For Exchange or OneDrive, you can opt to restore them into a new folder named “Recovered Items” with a timestamp, while SharePoint items can be restored to a new version of the site. Once you select the destination, you can start the restore process, which will take varying amounts of time depending on the workload and the amount of data being restored.

Third-party Integration

Currently, you can’t manage snapshots or set policies using PowerShell, but Microsoft 365 Backup provides a REST-based API for creating and managing policies, viewing status, and performing restores. Some third-party vendors use this API

