They offer trials.

Really expensive

@@angelcastillo8572 yeah and the tools aren't baked yet. Things are so basic.

Seriously I wish the Exchange Online team would get on it, or at least communicate with the public, about their journey to get all Exchange objects into the Graph. Feels like Exchange now, even in the cloud, is like the last to the party to be API/SSO/modern etc.

I found that currently Microsoft is working on a writeback for on-prem AD. There are a lot of environments that are either still on-prem and using AD Connect. But the tool is not bidirectional unfortunately as I've learned from them. This would be good for those on-prem groups that are needed as well as a part of onboarding.

Honestly that's a terrible practice from a security standpoint. You'll end up giving way too much access to someone else. Least Privilege Access. The way you do this is you. have job families defined based on HRIS data. A new account rep comes on board and there is a workflow set up to add this new rep to all of the groups that they need for their role. These group define applications pushed to their machine, file share access, Saas provisioning, yada yada... Then when they leave you reverse the process. The issue I see with Entra so far is they do not have a lot of these options baked for hybrid related tasks. Creating an on prem user, adding to groups, etc. Hopefully it'll come.

Powershell can do this. Get the groups of one user and recursively add the user to all the groups

Dynamic groups in Entra ID (Azure AD) can automatically assign group/team membership, too. This can be predicated on attributes like location, title, etc. ExtensionAttributes are also pretty useful in this case for adding things not already available to query from.

@@MSFTMechanics Right but not if we are dealing with distribution groups and we want to dynamically assign memberships. Doesn't work and not compatible. Also, even with populating group memberships dynamically you don't have flexibility to also include an additional group as an exception or catch-all group.

Normally this isn't a good recommended security practice...scope this to a role (based on title or job family) and not so much a user as the template. The user may have more rights than you think.

@@OliABraith Actually PowerShell cant do this, not last time I checked just back in June 2023, Distribution Groups, Security Groups, Mail Enabled Security Groups, Office 365 Groups, Microsoft 365 Groups and SharePoint Groups all need to be handled separately and not by the same module. Just finding the SharePoint root programmatically is a headache..

Yes they will, you can make it so it requires password change on first sign-on or the user can change password after sign-in.

You would likely need to define an extension attribute for that.