Decent Uwaegbute

Over time, as Microsoft 365 environments grow, managing users and devices can become increasingly complex. Instead of manually adding users to groups every time a new one joins, dynamic groups can make the process easier. In this article, we’ll explore why using dynamic groups—whether they are security groups, Microsoft 365 Groups, or dynamic distribution lists—can be beneficial, along with a few things to keep in mind when setting them up. One key point is that dynamic distribution lists are specific to Exchange Online. They won’t show up in the Entra ID admin center or in the results of Microsoft Graph queries. Exchange Online automatically calculates the membership of these lists based on mail-enabled objects in its directory. Before diving into some typical use cases for dynamic groups, let’s quickly recap what they are. Unlike static groups, dynamic groups don’t have fixed members. Their membership is defined by rules set within the group’s properties. Microsoft 365 Groups can have dynamic membership based on either users or devices, but not both. If needed, you can convert a static group to a dynamic one, but doing so will remove its current members. It might be wiser to create a new dynamic group and rename it—along with its primary SMTP address—so that you can retain the old group’s information. It’s also important to know that dynamic distribution lists cannot be renamed. To use dynamic Microsoft 365 groups, every account that falls under the membership rules must have an Entra ID P1 license. Creating Dynamic Groups Based on Attribute Values One of the most common reasons for using dynamic groups is to automatically add members based on certain attribute values. For example, you could create a rule that includes users whose department is listed as “Consulting” and whose phone number starts with +852 (as shown in Figure 1). You might wonder why we include phone numbers in this rule. In some cases, country attributes can indicate where a person is paid from, rather than where they actually work. The assigned Teams phone number provides a more accurate filter, which is why it’s used in this case. In many cases, dynamic groups take the hassle out of managing group memberships. As long as a user’s account has the correct attribute values, they will automatically be part of the group. However, issues often arise when attributes are missing, misspelled, or not properly synced from an on-premises Active Directory. Dynamic groups are commonly used by Microsoft 365 admins, and since group membership can grant access to resources like SharePoint sites, even a small typo in the membership rule can add the wrong users to the group—potentially leading to unintentional data exposure. This is a concern not just for groups, but also for other Microsoft 365 features like Dynamic Administrative Units and adaptive scopes for users and groups. To prevent issues with dynamic membership caused by incorrect account details, it’s crucial to standardize the account creation process. Creating a List of Special User Accounts Some dynamic groups are designed for specific administrative purposes. A common setup when configuring Microsoft 365 tenants is creating dynamic groups for special user accounts, like Guest Users. In Figure 2, for example, I added a condition to filter only Guest users, using a specific attribute (extensionAttribute1) for one client’s setup. This condition can vary, but in this case, they used that attribute to differentiate Guest users. The rule identifies accounts where the userType is set to “Guest” (i.e., guest user accounts) and the extensionAttribute1 is assigned the value “App1.” One client asked us to create a conditional access policy to block shared mailboxes and meeting room accounts. While we know these accounts are disabled and don’t have system access, the client wanted to be extra cautious by implementing a blocking policy. Currently, there’s no specific Entra ID attribute to identify shared mailboxes, so we had to get creative. We used alternatives like a naming convention or one of the fifteen available custom attributes to identify these accounts. Creating a List of Devices from the Intune Inventory When deploying Intune, there’s often a need to apply apps or configurations to specific platforms. For instance, you might only want to install Microsoft 365 Apps on macOS devices. The simplest way to achieve this is by setting up a dynamic group based on the device attributes collected through Intune’s inventory. Figure 3 illustrates an example of a dynamic group that includes all macOS devices within a tenant. Creating a List of Devices Based on Management Type Another common use for dynamic groups is identifying devices managed by SCCM. These groups can help exclude certain app deployments or configurations from Intune since SCCM is already handling them. For example, Figure 4 shows a dynamic group that includes only Windows devices managed by Intune. This setup allows for more efficient management by ensuring that devices already covered by SCCM don’t receive duplicate configurations. Creating a List of Users Based on Specific License Type Another useful scenario for dynamic groups is identifying users based on their assigned Microsoft 365 license or service plan. Administrators can set up dynamic groups to filter users with specific licenses, like Entra ID Premium P1 or P2, and apply policies such as allowing only these users to use Self Service Password Reset. For instance, Figure 5 shows a dynamic group that includes users with an assigned Intune license. This approach makes it easy to manage and apply targeted configurations based on users’ licenses. Things to Keep in Mind When Using Dynamic Groups Before choosing to use dynamic groups instead of static ones in Microsoft 365, there are a few important points to consider: Dynamic Group Updates in Entra ID Entra ID no longer updates dynamic group membership in real-time, as it did in the early days of Azure AD. This change was made to reduce the resource load on the Microsoft 365 backend. Now, Entra ID updates dynamic group membership at set intervals, and applications rely on a cached version of the membership list.

Generative AI tools are becoming increasingly common, offering claims of boosting productivity by generating content and synthesizing information. However, the rise of these applications brings with it a greater risk of organizational data leaks. Many AI tools operate via web clients and can be accessed without the need for authentication. This makes it crucial for employees to only use services that have been approved by their company, especially when handling sensitive corporate data. Sharing such information with unapproved apps can lead to unintended consequences. When I mention “unapproved applications,” I’m not implying these tools are unsafe. Instead, this term refers to any apps not approved by the organization for official use, including those from well-known vendors. There are several reasons a company might restrict access to widely trusted tools—whether due to data privacy regulations in their industry, GDPR compliance, or simply wanting tighter control over which apps employees can use. This article highlights steps to secure Microsoft 365 data from unapproved generative AI apps. Some solutions might require premium or add-on licenses. Preventing End Users from Granting Consent to Third-Party AppsUnless an organization has Security Defaults enabled, users can often consent to apps accessing company data on their behalf. This means that even non-admin users can give third-party AI tools permission to access their data. Figure 1 illustrates the experience for end users when granting consent to a third-party app in Microsoft Entra. If Security Defaults aren’t enabled for your organization, you should consider turning them on or restricting users’ ability to create app registrations or give consent to applications by default. This article looks into Security Defaults and whether they’re the right choice for your organization. Managing Endpoints and Cloud Apps to Prevent Data Leaks in Generative AI ToolsMicrosoft 365 administrators should look into managing devices with Microsoft Intune and using tools like Defender for Endpoint, Defender for Cloud Apps, and Endpoint DLP to monitor or block unapproved activity in generative AI applications. Intune-onboarded devices can be seamlessly integrated with these solutions, making it easier for admins to manage devices, onboard them into Endpoint DLP, and enable ongoing reporting in Defender for Cloud Apps—all from a single management hub without needing extra tools like a log collector or Secure Web Gateway. Auditing or Blocking Unapproved Generative AI ApplicationsMicrosoft Defender for Endpoint and Defender for Cloud Apps work hand in hand to audit or block access to generative AI tools, even without devices being connected to a corporate network, VPN, or jump box to filter traffic. Figure 2 illustrates the Cloud App Catalog in Defender for Cloud Apps, which includes over 31,000 cloud apps and assesses their enterprise risk based on factors like regulatory certifications, industry standards, and Microsoft’s best practices. For instance, apps can be flagged for risks like a recent data breach, lacking a trusted certificate, or missing HTTP security headers. Organizations can also customize risk score metrics based on their specific needs. The apps can be filtered by categories, such as Generative AI. Organizations might block or monitor apps for reasons unrelated to their risk score. In the example provided, Microsoft Designer is being monitored (maybe to track its usage), while Bing Chat and Microsoft Copilot are blocked. Even though both tools fall under the “Copilot” branding, they are accessed via different URLs. A real-world case for blocking Bing Chat and Microsoft Copilot could be GDPR compliance, as Bing Chat doesn’t keep data within the EU Data Boundary, while Copilot for Microsoft 365 does. In the Cloud App Catalog, administrators can label applications as monitored, sanctioned (approved), or unsanctioned (blocked). Figure 2 shows different types of tags. When an application is marked as unsanctioned, users will encounter the experience shown in Figure 3. With new cloud apps constantly being released, it might feel like trying to block unauthorized apps is a never-ending game of “Whac-a-Mole,” where as soon as you deal with one, another appears. Fortunately, you don’t have to manually tag each app. To set up an automatic app discovery policy for generative AI tools, go to Defender for Cloud Apps > Policy Management (under “Policies”) and select Create. In the policy settings, under “Apps matching all of the following,” choose “Category equals Generative AI” and “App tag equals No value” (see Figure 4). This will help automate the process of identifying and tagging generative AI apps. As shown in Figure 5, administrators can set up alerts for events that match the policy’s severity and set a daily alert limit (between 5 and 1000). Alerts for newly discovered generative AI applications can be sent directly to administrators via email or integrated with Power Automate to trigger a workflow, such as sending alerts to an IT ticketing system. Under “Governance actions,” you can choose to “Tag app as monitored” or “Tag app as unsanctioned,” depending on whether you want to automatically monitor or block generative AI apps that haven’t been manually tagged. When endpoints are managed by Defender, continuous reports can be accessed through Cloud Discovery. The Cloud Discovery dashboard highlights all newly discovered apps from the past 90 days. To review these apps, go to the Discovered Apps page. While the interface is similar to the Cloud App Catalog, it’s worth noting that the Generative AI category filter isn’t available here. To export all data from the Discovered Apps page, select Export > Export data. If you just need a report listing the domains of newly discovered apps, choose Export > Export domains. Preventing Data Transfer to Unauthorized AppsWithout proper controls, employees can easily copy, paste, or upload company data to web applications. Blocking all copying and pasting isn’t practical, so it’s better to selectively block these actions for sensitive data. Microsoft Purview DLP, paired with Defender for Endpoint, can audit and prevent the transfer of organizational data to unauthorized locations (e.g., websites, desktop apps, removable storage) without needing extra software on the device. Purview DLP can also limit data sharing with unapproved cloud apps and services, like unauthorized generative AI tools (as shown in

Process documentation is crucial for any business. It helps set operational standards that can boost your team’s productivity, performance, consistency, and engagement. By documenting your processes, you can also refine them, leading to even more benefits. You can cut operational costs and increase efficiency. Plus, it helps ensure your team complies with industry regulations. With all these benefits, you might wonder why many businesses, big and small, still don’t document their processes. The answer is simple: it’s a massive, time-consuming project that involves your entire team. Without the right tools, it can be even more challenging. Imagine this: You and your colleagues are all working on a single document. Files get overwritten, different departments can’t collaborate, and it takes forever to find the file you need. These problems can turn the process into a nightmare. Why Choose Microsoft 365 for Process Documentation? There are plenty of document management tools out there, but Microsoft 365 stands out as one of the best. It offers a range of solutions like SharePoint, Microsoft Dynamics, and OneDrive, all seamlessly integrated with other Microsoft products. Plus, it’s compatible with most third-party tools you might already be using. If your organization is already using Microsoft products, adopting Microsoft 365’s documentation tools will be a breeze. How Microsoft 365 Improves Process Documentation Here are some ways Microsoft 365 can make documenting your processes easier: File Version Control If you’ve ever collaborated on a document, you know how tricky it can be to keep track of different versions and revisions. It’s easy to lose track of who made what changes and when. Microsoft 365’s SharePoint solves this problem. It tracks who made changes and when, and it allows you to revert to earlier versions if needed. This gives you full control over file versions without needing multiple copies, reducing confusion. Centralized Collaboration Process documentation often involves multiple people from different departments working on a single document. Passing a master document around can lead to issues like overwritten files, outdated versions being sent out, or even accidental deletions. Microsoft 365 keeps the master document in one place while allowing everyone to collaborate seamlessly. Here are some useful collaboration features: File Accessibility One of the best things about Office 365 is that it’s all in the cloud. This means you can access your files safely, from anywhere, at any time. This is a huge advantage, especially as more businesses embrace remote work. Secure Cloud Storage Being on the cloud also means you don’t need as many physical devices for file storage. Plus, you can reduce your inbox clutter by sharing a single link to your documents instead of sending multiple versions of the same file. Microsoft 365 leverages Microsoft’s robust security measures to keep your files safe in the cloud. Ready to Improve Your Process Documentation? Documenting processes is crucial for improving your operations, but it can be daunting without the right tools. Thankfully, solutions like Microsoft 365 make it much smoother. When choosing a document management tool, it’s important to ensure it fits your workflow and is compatible with your environment. Do your research before committing to a specific tool, and give it a try first. Based on our experience at ITS, Microsoft 365 has been instrumental in helping us manage and document our various processes, checklists, and even service tickets. While what works for us might not be perfect for your business, it’s definitely worth checking out.