AzureAD: attribute based dynamic groups in preview now


A well-known feature of FIM has found its way into Azure Active Directory Premium as a preview:

Attribute based dynamic group membership.

See this Microsoft blog post for more information.
There is also a short video on how it works, as well as technical documentation.




Correct group objects with: Dynamic group has static member

Sometimes I get warnings in the group UI for my dynamic groups telling me that “Dynamic group has static member”. Although you cannot add static members to dynamic groups in the FIM Portal yourself, they can flow in through the Synchronization Engine, especially if you have equal precedence on the member attribute for groups. I need this setting because groups can be managed both in the FIM Portal and in Active Directory.

So if someone adds a user in AD to a group that is a dynamic group in the FIM Portal, this change flows into the Portal and you get this warning. I am still working on a solution so that this does not happen in the future.

I tried to create a set to catch such groups in the Portal and maybe send a notification message or clean up such groups with a workflow, but I had no luck creating such a set. So I ended up in PowerShell once again.

Here is my script to remove all static members from dynamic groups.

Add-PSSnapin FIMAutomation

# Dynamic groups (MembershipLocked = true) that still carry Person objects in ExplicitMember.
# -OnlyBaseResources / -CustomConfig are the full names of the -only / -custom abbreviations.
$grouplist = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Group[MembershipLocked = 'true' and ExplicitMember = /Person]"

If ($grouplist -eq $null) { Write-Host "There is no dynamic group with static member" ; exit }

foreach ($group in $grouplist) {
    # The multi-valued ExplicitMember attribute comes back as a list of "urn:uuid:<guid>" strings
    $memberlist = ($group.ResourceManagementObject.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq "ExplicitMember" }).Values

    # One Put request per group that deletes every static member value
    $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $importObject.ObjectType = "Group"
    $importObject.TargetObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    $importObject.SourceObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    $importObject.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put   # update an existing object

    foreach ($member in $memberlist) {
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
        $importChange.AttributeName = "ExplicitMember"
        $importChange.AttributeValue = $member.Replace("urn:uuid:", "")   # Import-FIMConfig expects the bare GUID
        $importChange.FullyResolved = $true
        $importChange.Locale = "Invariant"
        $importObject.Changes += $importChange
    }

    $importObject | Import-FIMConfig
}


The script currently only removes Person objects from the static members; adjust the XPath filter if you also have Group objects in the ExplicitMember attribute of dynamic groups.
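As an added example (not part of the original post or the author's script), the following variant goes one step further: it catches dynamic groups whose ExplicitMember contains Person or Group objects, and it first prints what it would remove (group display name, member object type, member display name) so you can review the list before anything is deleted. Only when run with -Commit does it submit the delete requests. The -Commit switch, the Get-FimAttribute helper, the report format and the "/*[ObjectID = ...]" lookup used to resolve the members are my additions; the FIM cmdlets and object model types are the same ones used above.

```powershell
param(
    # Added for this example: without -Commit the script only reports,
    # with -Commit it removes the static members it found.
    [switch]$Commit
)

Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

# Read one attribute of an exported FIM resource; returns the value list for multi-valued attributes.
function Get-FimAttribute($resource, $name) {
    $attr = $resource.ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq $name }
    if ($attr -eq $null) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# Dynamic groups (MembershipLocked = true) with a Person OR a Group object in ExplicitMember.
$xpath = "/Group[MembershipLocked = 'true' and (ExplicitMember = /Person or ExplicitMember = /Group)]"
$grouplist = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath)
if ($grouplist.Count -eq 0) { Write-Host "No dynamic group carries static members"; exit }

foreach ($group in $grouplist) {
    $groupName = Get-FimAttribute $group "DisplayName"
    # ExplicitMember values are "urn:uuid:<guid>" strings; keep only the GUIDs
    $guids = @(@(Get-FimAttribute $group "ExplicitMember") | ForEach-Object { $_.Replace("urn:uuid:", "") })

    # Resolve the referenced objects so the report shows whether each static member is a Person or a Group.
    $memberFilter  = "/*[ObjectID = '" + ($guids -join "' or ObjectID = '") + "']"
    $memberObjects = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $memberFilter)
    foreach ($m in $memberObjects) {
        Write-Host ("{0}: static {1} '{2}'" -f $groupName, $m.ResourceManagementObject.ObjectType, (Get-FimAttribute $m "DisplayName"))
    }

    if (-not $Commit) { continue }   # report only; nothing is changed

    # Same request shape as the script above: a Put on the group that deletes each ExplicitMember value.
    $importObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $importObject.ObjectType = "Group"
    $importObject.TargetObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    $importObject.SourceObjectIdentifier = $group.ResourceManagementObject.ObjectIdentifier
    $importObject.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put

    foreach ($guid in $guids) {
        $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $change.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Delete
        $change.AttributeName = "ExplicitMember"
        $change.AttributeValue = $guid
        $change.FullyResolved = $true
        $change.Locale = "Invariant"
        $importObject.Changes += $change
    }

    $importObject | Import-FIMConfig
    Write-Host ("{0}: removed {1} static member(s)" -f $groupName, $guids.Count)
}
```

Run it once without -Commit, check the report, then run it with -Commit. The deletion is an ordinary Put request to the FIM Service, so the usual MPRs and workflows apply, and if the member attribute flows from the Portal back to AD in your sync configuration, the removal will be exported to AD on the next sync cycle as well.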


How-To: Manage Group Membership from the User UI in FIM 2010 R2

So, let’s start this blog with a Technet Wiki article I wrote a couple of days ago. It is the solution for one of my customers, who needed helpdesk users to manage group membership the way it is done in ADUC.

One of the missing features in the FIM Portal is that you cannot change the group membership of a user out of the box from the user UI, the way AD does it with memberOf. But with the PowerShell Activity, some small scripts and RCDC editing you can build a really nice solution for that.

Technet Wiki: FIM 2010 R2 HowTo Manage Group Membership from User UI