Compliance Tip - Dynamic Membership and Microsoft Teams

Date: Sunday, Dec 8, 2019
Author: Paul Maggs
Reading Time: 7 minutes
Tags: Security and Compliance
Categories: Compliance Tips

Defining membership of a Microsoft Teams team

By default, who can become a member of a Microsoft Teams team is governed by the team's privacy setting. A public team lets anyone in the organisation add themselves as a member; a private team requires people to request to join, or an owner to add them on their behalf. Both have their use cases, and the choice is made by whoever creates the team. What if you want membership automated?

Dynamic membership?

There is a third option: members are assigned to a team automatically based on the attributes of their Azure Active Directory user account. In this case the team is backed by an Azure AD Office 365 group configured for dynamic membership, and the group's membership is computed from a rule evaluated against user accounts (Azure AD also supports device-based dynamic membership, but only for security groups, not for Office 365 groups). When an account matches the rule it is added to the Office 365 group automatically, and when it stops matching it is removed; group membership is the underlying mechanism that drives membership of the team.

Working with teams using dynamic membership

There are several ways to create a team that uses dynamic membership. Compared with a standard team, a dynamic team needs extra administrative effort when it is created or configured, but once the rule is in place team owners no longer maintain the membership list; it is updated automatically.

There are multiple ways to establish a team with dynamic membership:

  • Create a new Office 365 group with dynamic membership from the Azure Active Directory portal, then from the Teams client create a new team from that existing Office 365 group
  • Where a team already exists, modify its Office 365 group to use dynamic membership. Keep in mind that converting the group removes all existing members; any user account matching your rule is re-added automatically once the rule has been processed.

Additionally, keep the following in mind when using dynamic groups:

  • Members cannot leave the team; the leave option is no longer shown in the Teams client
  • User account attributes must be kept up to date. Stale data can leave people with access to teams, conversations, files, and data they should no longer see, or keep out people who should have it
  • Dynamic membership is not suited to every team. Use it only where a user account attribute is stable for the group of people who need access to a specific team
  • Members cannot be promoted to owner from the Teams client. Owners must be assigned on the dynamic group itself in the Azure Active Directory portal

How do dynamic groups assist with compliance?

Organisations that keep their directory data accurate can use dynamic membership of Office 365 groups to control exactly who is, and who is not, a member of a team. For example, the finance department deploys a team whose conversations, files, and data must be accessible only to members of the finance department and to nobody outside it; a rule on the department attribute enforces that without anyone curating a member list. Dynamic membership also has the added advantage of controlling who can be promoted to team owner.
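As an added example (not code from the original post), here are the two ways of establishing a dynamic team listed earlier, plus the finance scenario just described, done with the AzureAD and MicrosoftTeams PowerShell modules instead of the portal. The tenant, group names and user principal names are placeholders, as is the assumption that the department attribute holds the value "Finance".

```powershell
# Added example, not from the original post. Assumes the AzureAD and MicrosoftTeams
# modules are installed and the signed-in admin holds the required directory roles.
# Group names, UPNs (contoso.com) and the department value "Finance" are placeholders.
Connect-AzureAD
Connect-MicrosoftTeams

# Membership rule in Azure AD rule syntax. The accountEnabled clause keeps disabled
# (leaver) accounts out of the team; a rule on department alone would still match them.
$rule = '(user.department -eq "Finance") and (user.accountEnabled -eq true)'

# Option 1: create a new Office 365 group that is dynamic from the start, then team-enable it.
# 'Unified' makes it an Office 365 group; 'DynamicMembership' switches on the rule.
$group = New-AzureADMSGroup -DisplayName 'Finance' `
    -Description 'Finance department conversations and files (dynamic membership)' `
    -MailEnabled $true -MailNickname 'finance' -SecurityEnabled $false `
    -GroupTypes 'Unified', 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Owners are not populated by the rule; assign them on the group explicitly.
$owner = Get-AzureADUser -ObjectId 'finance.lead@contoso.com'
Add-AzureADGroupOwner -ObjectId $group.Id -RefObjectId $owner.ObjectId

# Create the team from the existing group. From here on the Teams client cannot
# add or remove members, and the "Leave team" option is no longer shown.
New-Team -GroupId $group.Id

# Option 2: convert the Office 365 group behind an existing team instead.
# Keep the group's current types and add 'DynamicMembership'. Existing members are
# removed and re-added by the rule within roughly 0 - 2 hours.
$existing = Get-AzureADMSGroup -Filter "displayName eq 'Finance (legacy)'" | Select-Object -First 1
$types = @($existing.GroupTypes) + 'DynamicMembership' | Select-Object -Unique
Set-AzureADMSGroup -Id $existing.Id -GroupTypes $types `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Checks: confirm the rule is stored and processing, then, when someone is unexpectedly
# in or out of the team, look at the attributes the rule reads rather than at Teams.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
Get-AzureADUser -ObjectId 'jane.doe@contoso.com' |
    Select-Object UserPrincipalName, Department, AccountEnabled
Get-AzureADGroupMember -ObjectId $group.Id -All $true | Select-Object UserPrincipalName
```

The rule string is single-quoted so the double quotes Azure AD expects around "Finance" pass through unchanged. Owners are a separate list from members on the group object, which is why the owner is added with Add-AzureADGroupOwner rather than via the rule, and why an owner who stops matching the rule loses membership but keeps ownership until that list is changed.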

Additional information

  • Azure AD Premium P1 licences (also included in Azure AD Premium P2, EMS E3, and EMS E5) are required to use dynamic membership
  • Membership updates to a dynamic group may take between 0 and 2 hours to be applied

Dynamic Membership Examples

The examples below highlight some of the behaviours exhibited by a team using dynamic membership.

  • A group shows a Membership type of Dynamic when configured for dynamic membership
  • Dynamic group queries (membership rules) are configured in the Azure Active Directory portal and are evaluated against account attributes
  • The rule underlying a dynamic group updates the members automatically within 0 - 2 hours
  • Members cannot be added or removed from the Teams client once dynamic membership is configured
  • Neither owners nor members have the ability to leave the team