Microsoft Entra ID offers a powerful tool for IT admins: Microsoft 365 Dynamic Groups. These groups ditch what we have been used to in the IT industry for decades: static membership lists. With dynamic groups, membership is assigned automatically based on pre-defined rules. Let's explore how dynamic groups can be a powerful sidekick when it comes to your M365 backup strategy, allowing you to target specific groups with different backup protection policies with incredible efficiency.
Imagine a group that automatically populates with all users in the Sales department and whose location is set to United States. Or even more relevant, target users based on their license type within the Microsoft 365 ecosystem.
Dynamic groups achieve this using membership rules built on user attributes like department, location, or even custom properties such as service plans in our license type example. This eliminates the need to manually add or remove users from backup groups, saving you time and ensuring accuracy.
To get started with these examples, go to Microsoft Entra ID in the Azure portal, expand the Groups blade, then select New Group.
Then simply select Microsoft 365 as the group type, followed by selecting Dynamic User as the membership type.
Then the fun can begin: select the add dynamic query button and use some of our examples below, or build your own!
The most basic example is users in the United States who are in the Sales department.
Note that the usageLocation rule below is defined as an array, so you can easily add more to this by comma separating them, for example ["US", "AU"] for both USA and Australia.
(user.usageLocation -in ["US"]) and (user.department -eq "Sales")
For location codes, you can use this reference document to translate the full name (Australia) to the country code (AU).
When talking about backup policy assignments using dynamic groups, this is likely to be more of a real-world scenario.
Let's assume you have an organisation with a mix of E (informational) and F (frontline) workers and wish to have a different protection scheme assigned. You could create a dynamic group for each and assign the policy based on these groups.
Microsoft licenses can be confusing: each license is eligible for several features. These features are known as service plans, and a single service plan or a combination of them is what we can use to differentiate between license types.
You can get a list of these via PowerShell or the Graph API; however, there is also an online reference list from Microsoft, and a CSV download.
From the above, you can see that if we wanted to target our Microsoft 365 E5 users we could leverage the Microsoft Entra ID P2 (AAD_PREMIUM_P2) service plan since this is included in this license type. Whereas, Microsoft Office 365 F1 only includes Microsoft Entra ID P1 (AAD_PREMIUM).
Building the rule then requires you to query the assignedPlans property of the user object.
user.assignedPlans -any (assignedPlan.servicePlanId -eq "eec0eb4f-6444-4f95-aba0-50c24d67f998" -and assignedPlan.capabilityStatus -eq "Enabled")
If we test the rule, you can see Adele & Alex are matched since they have active E5 licenses whereas Bianca and Brian are unlicensed so they will not end up in this group.
Dynamic groups can sometimes take a few minutes to reflect membership changes, so there is a Validate Rules tab you can select when building the rules.
Simply select this tab, followed by adding users that you know should be picked up with the rules.
You can then select validate, and the status will reflect if your rule is matching your desired users.
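To preview the assignedPlans rule above outside the portal, the following added example (not Alcion or Microsoft code) evaluates the same condition over user objects and lists users who match no rule and would therefore receive no group-based backup policy. The group names, the placeholder ID for the second plan and the sample users are assumptions constructed for illustration.

```python
# Added example: offline preview of assignedPlans membership rules.
# USERS is constructed sample data shaped like Microsoft Graph user objects.

P2_PLAN = "eec0eb4f-6444-4f95-aba0-50c24d67f998"  # AAD_PREMIUM_P2, from the rule above
P1_PLAN = "00000000-0000-0000-0000-000000000001"  # placeholder: look up AAD_PREMIUM's real ID

# Hypothetical group names, each mapped to the service plan its rule tests.
RULES = {"Backup-E5": P2_PLAN, "Backup-F1": P1_PLAN}


def plan(plan_id, status="Enabled"):
    return {"servicePlanId": plan_id, "capabilityStatus": status}


USERS = [  # constructed sample users
    {"userPrincipalName": "user-a@example.com", "assignedPlans": [plan(P2_PLAN)]},
    {"userPrincipalName": "user-b@example.com", "assignedPlans": [plan(P2_PLAN), plan(P1_PLAN)]},
    {"userPrincipalName": "user-c@example.com", "assignedPlans": []},  # unlicensed
    # License removed: the plan entry can remain with a non-Enabled status.
    {"userPrincipalName": "user-d@example.com", "assignedPlans": [plan(P2_PLAN, "Deleted")]},
    {"userPrincipalName": "user-e@example.com", "assignedPlans": [plan(P1_PLAN)]},
]


def rule_matches(user, plan_id):
    """user.assignedPlans -any (servicePlanId -eq <id> -and capabilityStatus -eq "Enabled")"""
    return any(
        (p.get("servicePlanId") or "").lower() == plan_id.lower()
        and (p.get("capabilityStatus") or "").lower() == "enabled"
        for p in user.get("assignedPlans") or []
    )


def preview(users, rules):
    """Return expected members per group, plus users matching no rule or several."""
    groups = {name: [] for name in rules}
    uncovered, overlapping = [], []
    for user in users:
        upn = user["userPrincipalName"]
        hits = [name for name, pid in rules.items() if rule_matches(user, pid)]
        for name in hits:
            groups[name].append(upn)
        if not hits:
            uncovered.append(upn)    # would get no group-based backup policy
        elif len(hits) > 1:
            overlapping.append(upn)  # would be targeted by more than one policy
    return {"groups": groups, "uncovered": uncovered, "overlapping": overlapping}


if __name__ == "__main__":
    import json
    print(json.dumps(preview(USERS, RULES), indent=2))
```
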
Now that your groups are created and ready, Alcion makes assigning backup policies a breeze with our Group Based Policy Management functionality. To get started, click the "Set policies by Groups" button at the top of the user list.
You'll see a list of both your existing static groups and your new dynamic groups. To assign Alcion backup policies, you can simply pick from either type of group (or even select multiple groups at once).
Once selected, then select the backup policy you prefer. You can also choose to automatically apply this policy to any new users who join the dynamic groups in the future. That's all it takes! Alcion's GBPM will take care of the rest, continually checking group membership and ensuring that new members of the dynamic group get the right backup policy applied.
Dynamic Groups are a powerful tool for more efficiently managing backup for M365 by allowing protection policies to be applied automatically.
In summary, here's why you'll love them:
Dynamic Groups are your key to streamlined, worry-free backups for Microsoft 365. Connect with our team and find out how we can help or start a free trial (no credit card required). You may also join our Discord community.