More cool news to share!
Just this week we’ve turned on a preview of group management capabilities for directory administrators. This is another free capability for Windows Azure Active Directory. Admins can now add, delete, and manage the membership of security groups directly in Windows Azure AD in the cloud. As you would expect, this capability lets directory administrators create security groups they can use to manage access to applications and to resources, such as SharePoint sites. We will add mail-enabled groups for Exchange in a future release.
And if you’re using Windows Azure Active Directory Premium, which I blogged about here, you can use these groups to assign access to SaaS applications.
To help you get started using this new feature, let me introduce Jeff Staiman, a senior program manager on the Active Directory team. He has written a nice step-by-step introduction below.
To try out the group management features, sign in to the Windows Azure Management Portal, and click on Active Directory in the left navigation bar.
Alex Simons (twitter: @Alex_A_Simons)
Director of Program Management
Active Directory Team
Hi there –
I’m Jeff Staiman, Senior PM on the AD team, writing to introduce you to the preview of the group management capabilities we’ve recently introduced for directory administrators.
From within the Windows Azure Management Portal you can now:
Create or delete new security groups in Windows Azure Active Directory, and manage membership in these groups. These groups can be used to control access to resources, such as a SharePoint site in Office 365.
See groups in your Windows Azure AD that were synchronized from your local Active Directory, or created in Office 365. The management of these groups remains in your local Active Directory or in Office 365; these groups can’t be updated in the Windows Azure Management Portal.
Assign access for a group to a SaaS application, if you’re using Windows Azure AD Premium.
Groups in Windows Azure AD
Windows Azure AD stores and manages groups that can be used by applications such as Office 365 to make their access and authorization decisions. Directory administrators can see groups in their Windows Azure AD by signing into the Windows Azure Management Portal, clicking on their directory, and clicking on the new GROUPS tab.
Creating a Group
Once you’re on the GROUPS tab, you can create a group by clicking on the ADD GROUP button in the command bar. Then, enter a friendly name for the group. You can optionally enter a description for the group to indicate the intended membership or access to resources of group members.
Fig 1: Creating a new group
Then, click the checkmark in the lower right, and in a few seconds your group is created. You can see the new group on the GROUPS tab.
Fig 2: A new group shown on the GROUPS tab
As shown in Fig 2, groups created in the Windows Azure Management Portal have ‘Windows Azure Active Directory’ in the ‘Sourced From’ property. These groups can be managed in the Windows Azure Management Portal, as well as from the PowerShell cmdlets for Windows Azure AD, or using code that programmatically accesses the Windows Azure AD Graph API. You can also see and manage the group in the Office 365 Administration Portal, since Office 365 uses Windows Azure AD as its directory for groups as well as for users.
Adding and removing group members
The most important property of a group is its members. To add and remove members from a group that is sourced from Windows Azure AD, navigate to the GROUPS tab in your directory and click on the group name in the Windows Azure Management Portal. This will open up the group to its MEMBERS tab.
A new group created in the Windows Azure Management Portal will initially have no members. To add members, click the ADD MEMBERS button in the command bar. Select members to be added by clicking on their name in the left hand column of the picker dialog. Once selected, you’ll see a green checkmark to the right of the name, and the name will appear in the SELECTED column on the right side of the dialog.
Fig 3: Adding members to a group, with pending addition of three users
To add the selected members to the group, click the checkmark in the lower right of the dialog. Then you will see the MEMBERS tab for the group, which will show the members that you just added to the group.
Fig 4: Membership in a group after adding three members
You can remove a member from a group by selecting the member in the list, and clicking the REMOVE button in the command bar.
Fig 5: Removing a member from a group
Managing Group Properties
If you need to edit the name or description of the group, you can click on the CONFIGURE tab. Type in the new name and/or description, and click SAVE in the command bar.
Fig 6: Editing the properties of a group
You can also find the Object ID for the group on the CONFIGURE tab. The Object ID will be useful if you are writing an application that uses this group to control access to its resources. To learn more about how to use groups to secure access to resources, read our authorization code sample.
Groups Sourced From Local Active Directory or Office 365
If you have configured directory synchronization, you can see groups that have been synchronized from your local Windows Server Active Directory, which have the value ‘Local Active Directory’ in the ‘Sourced From’ property. You must continue to manage these groups in your local Active Directory; these groups cannot be managed or deleted in the Windows Azure Management Portal.
If you have Office 365, you can see distribution groups and mail-enabled security groups that were created and managed within the Exchange Admin Center within Office 365. These groups have the value ‘Office 365’ in the ‘Sourced From’ property, and must continue to be managed in the Exchange Admin Center.
Fig 7: A directory with one group sourced from Windows Azure AD and one group sourced from Office 365
Deleting a group
You can delete a group by selecting a group in the list of groups and clicking the DELETE button on the command bar. Only groups that are sourced from Windows Azure AD or Office 365 can be deleted in the Windows Azure Management Portal.
To delete a group that is sourced from a Local Active Directory, just delete the group in the local Active Directory. The next time that synchronization is run, the group will be deleted in Windows Azure AD.
Assigning Access for a Group to a SaaS application
One of the cool features of Windows Azure AD Premium is the ability to use groups to assign access to a SaaS application that’s integrated with Windows Azure AD. For example, if you want to assign access for the marketing department to use five different SaaS applications, you can create a group that contains the users in the marketing department, and then assign that group to the applications that are needed by users in the marketing department. In that way, you can save time by managing the membership of the marketing department in just one place. Then, users will be assigned to the application when they are added as members of the marketing group, and have their assignments removed from the application when they are removed from the marketing group.
This capability can be used with hundreds of applications that you can add from within the Windows Azure AD Application Gallery.
Fig 8: Windows Azure AD Application Gallery
To assign access to an application, go to the APPLICATIONS tab on your directory. Click on an application that you added from the Application Gallery, then click on the USERS AND GROUPS tab. You will only see the USERS AND GROUPS tab once you have enabled Windows Azure AD Premium.
Fig 9: A Directory with Dropbox for Business, which was added from the Application Gallery
On the USERS AND GROUPS TAB, in the ‘Starts with’ field, enter the name of the group to which you want to assign access, and click the check mark in the upper right. You only need to type the first part of the group’s name. Then, click on the group to highlight it, as shown in Fig 10, then click on the ASSIGN ACCESS button and click YES when you see the confirmation message.
Fig 10: Selecting a group to assign access to an application
You can also see which users are assigned to the application, either directly or by membership in a group. To do this, change the SHOW dropdown from ‘Groups’ to ‘All Users’. The list shows users in the directory and whether or not each user is assigned to the application. The list also shows whether the assigned users are assigned to the application directly (assignment type shown as ‘Direct’), or by virtue of group membership (assignment type shown as ‘Inherited.’)
Fig 11: Users assigned to an application
- Enable administrators to create and manage nested groups in the Windows Azure Management Portal.
- Enable administrators to see and manage the groups in which a particular user is a member.
- Enable end users to create and manage their own groups.
As always, we are very interested in hearing what you think! If you have feedback for us — experiences you love, find confusing, or hope to see in future — or if you have questions about how this works, or how the various elements of the experience fit together, please tell us at our forum on TechNet.