Some blog posts just beg to be written, and this is one of them. I swear I’ve had this conversation half a dozen times in the last month after having never had it at all before. It just keeps coming up, I’m guessing because the adoption of Office 365 has really taken off in the last 5 months. What’s the topic? It boils down to, “How do I create a Team/Distribution List/SharePoint site that is always available to everyone in the company?” The first couple of times the topic came up I tried to talk the customer out of it. I’m usually not a fan of big blast communication like that, and in the case of products that are built on top of Microsoft 365 Groups, there are published limitations to this. It just seemed like a bad idea. But every time a customer asks me about it I understand it a little better, so I threw this blog post together to point people at if they want to do it. This post is meant to be technical, not prescriptive. I won’t cover why you should employ any of these techniques, but how you can do them if you have already decided they are a good idea. I’ll leave the why up to people that are smarter than me.
The Options
There are several “All User” communication methods that have come up in my discussions with customers. I’ll cover how to enable them. They all leverage the functionality of updating dynamically as people join your company. Your company could already handle adding people to Distribution Lists (DLs) as part of your onboarding process. All of my examples will show how to keep the All User list populated automatically. All of these examples also assume the groups are cloud only, not synced from on-prem Windows Active Directory.
Distribution Lists (DLs)
The first option I’ll cover is the old tried and true email Distribution List. These things have been around since shortly after prehistoric fish came on land from the primordial soup and they’ve been going strong ever since. DLs are email only and they’re a good way to send out company wide things like “There are donuts in the breakroom. Get here quick before Gary eats them all” or “The CEO is feeling generous and she’s giving everyone (except Gary) Friday off!”
To do this, create a new DL and make it a dynamic DL. This one is a little tricky. When you create a dynamic anything you have to provide a rule so that Azure AD (AAD) knows whether someone should be in the thing or not. In the case of a dynamic DL the way to get everyone is to create no rule. If there’s no rule, emails sent to that DL end up in every mailbox in your tenant. If you currently have any static DLs they cannot be changed to dynamic DLs, but they can be upgraded to Office 365 Groups. Dynamic DLs cannot be upgraded to Office 365 Groups. I’ve also had customers set one of these up and send News Digests from SharePoint Online to it. The owner of the dynamic DL does not need to be IT or have any elevated roles in the tenant.
How do I Create one?
There are a couple of different ways to create a dynamic DL. You can do it in the Exchange admin center in Office 365. Then navigate to the Groups tab. Next to New Microsoft 365 Group click the dropdown and select Dynamic distribution list.
The configuration will look something like this. Do not add a rule.
Once your dynamic DL is created there are some fun settings you can play with. For instance, you can moderate messages and have approved senders.
If you’re super cool, you can create dynamic DLs with PowerShell. First connect to Exchange Online PowerShell, then run New-DynamicDistributionGroup:
New-DynamicDistributionGroup -IncludedRecipients MailboxUsers -Name "Blog Lovers"
Doesn’t that feel better than using the UI? I thought so.
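Because a dynamic DL has no stored member list, it is worth checking who its filter resolves to and who is allowed to send to it. The following is an added example, not part of the original post: it assumes you are still connected to Exchange Online PowerShell and that the "Blog Lovers" DL from above exists; the moderator address is a placeholder.

```powershell
# Added example. Assumes an existing Exchange Online PowerShell session and the
# "Blog Lovers" dynamic DL created above. The moderator address is a placeholder.
$ddg = Get-DynamicDistributionGroup -Identity "Blog Lovers"

# Membership is evaluated when a message is sent, so preview what the filter
# resolves to right now instead of looking for a member list.
$recipients = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                            -OrganizationalUnit $ddg.RecipientContainer `
                            -ResultSize Unlimited

# Summarize by mailbox type to see what "everyone" actually contains.
$recipients | Group-Object RecipientTypeDetails |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# List anything that is not a regular user mailbox for review.
$recipients | Where-Object RecipientTypeDetails -ne 'UserMailbox' |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails

# Show the current delivery restrictions on the DL.
$ddg | Format-List Name, RequireSenderAuthenticationEnabled, ModerationEnabled,
                   ModeratedBy, AcceptMessagesOnlyFromSendersOrMembers

# Accept mail only from authenticated senders and hold every message for
# approval by a named moderator before it reaches the whole company.
Set-DynamicDistributionGroup -Identity "Blog Lovers" `
    -RequireSenderAuthenticationEnabled $true `
    -ModerationEnabled $true `
    -ModeratedBy "moderator@contoso.example" `
    -SendModerationNotifications Internal
```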
Security Groups and Microsoft 365 Groups
Both AAD Security Groups and Microsoft 365 Groups support dynamic membership, so they can be used the same way. A dynamic, all company, Microsoft 365 Group can be used for a site that you want everyone to have access to, and they’ll all get emails sent to that Group’s DL. Depending on how the Group is configured or how the users configure their mail client the Group’s emails may or may not show up in their Inbox. There will also be a Team for that Group that everyone will be in. Lots of ways to annoy everyone with one of these. I honestly can’t think of a way to leverage a Security Group in the context of Office 365, but I added it since it’s the same process as the Office 365 Group, and it makes this blog post look that much longer.
How do I Create Them?
As we are all painfully aware, there are just shy of 117 different ways to create a Microsoft 365 Group. I think two more have been added since I started writing this blog post. There might be more than one way to create a dynamic Microsoft 365 Group, but I’m only going to cover how to do it in the Azure AD Portal and with Azure PowerShell. Navigate to the Groups blade and click “New group.” Under Membership type choose “Dynamic User.”
If Membership type is greyed out that’s because the user creating the group does not have an Azure AD Premium license.
To set the rule, click the “Edit dynamic query” button to get to the rules page. The rule we want is “user.objectId -ne null”. You can build that in the wizard at the top. Don’t worry about a user’s ID actually being “Null.” The rule knows the difference between null and “Null.” Ned Ull will not be the only member of the Group.
Once you tab out of the Value box the Save button will light up and you’ll be able to save the query and go back to creating your group. The process is the same for Security Groups.
But what about PowerShell?? I’m so glad you asked. Make sure you have the AzureAD module loaded and you’re connected as an account that can create Groups. Then run this little gem to create a Dynamic Microsoft 365 Group:
New-AzureADMSGroup -DisplayName "Dynamic M365 Group From PowerShell!" -Description "Dynamic group created with PowerShell!" -MailEnabled $true -MailNickName "Dynamic-M365-Group-From-PowerShell" -SecurityEnabled $True -GroupTypes "Unified","DynamicMembership" -MembershipRule "(user.objectId -ne null)" -MembershipRuleProcessingState "On"
If you only want a Security Group (I’m not sure why) change the -MailEnabled parameter to $false, and the -GroupTypes to only DynamicMembership, like this:
New-AzureADMSGroup -DisplayName "Dynamic Security Group From PowerShell!" -Description "Dynamic security group created with PowerShell!" -MailEnabled $false -MailNickName "Dynamic-Security365-Group-From-PowerShell" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.objectId -ne null)" -MembershipRuleProcessingState "On"
It is also possible to switch an existing static Security Group or Microsoft 365 Group to dynamic. It’s a long process, and this article does a good job explaining how. I don’t think there’s a way to convert a Security Group to a Microsoft 365 Group.
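Anything granted to an all-user group is granted to every account the rule matches, so it is worth checking which account types the rule actually pulled in. The following is an added example, not part of the original post: it assumes the AzureAD module is connected and the dynamic Microsoft 365 Group created above exists, and the Member-only rule it applies is an assumption about what you want, using the `user.userType` property.

```powershell
# Added example. Assumes the AzureAD module is loaded and connected, and that
# the group created earlier in this post exists. Dynamic membership is processed
# in the background, so give a new group time to populate before auditing it.
$group = Get-AzureADMSGroup -Filter "displayName eq 'Dynamic M365 Group From PowerShell!'"

"Current rule: $($group.MembershipRule) (processing: $($group.MembershipRuleProcessingState))"

# Pull every member and break the list down by account type (Member vs. Guest).
$members = Get-AzureADGroupMember -ObjectId $group.Id -All $true
$members | Group-Object UserType | Select-Object Name, Count

# List any guest accounts that the rule matched.
$guests = $members | Where-Object UserType -eq 'Guest'
$guests | Select-Object DisplayName, UserPrincipalName, Mail

# If guests should not be in the all-company group, narrow the rule so it only
# matches accounts whose userType is Member.
if ($guests) {
    Set-AzureADMSGroup -Id $group.Id `
        -MembershipRule '(user.objectId -ne null) -and (user.userType -eq "Member")' `
        -MembershipRuleProcessingState "On"
}
```

Rerun the membership breakdown after the rule has been reprocessed to confirm the change took effect.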
Happy Dynamic Group Creating!
Question #1: "Can you use Dynamic Groups with Audience targeting?"
Answer #1: Despite this Microsoft Support document saying otherwise, I was able to target links in both Global (top) Nav and Quick (left) Nav by audience with a Dynamic Microsoft 365 Group.
Question #2: "Does the 'user.objectId -ne null' approach include Guests?"
Answer #2: I'm not sure, I'll look into that and update this blog post.
tk
ShortURL: https://www.toddklindt.com/CreateDynamicGroups
Edit: 8/24/20 to add questions