Exercise - Create dynamic security group

Using a dynamic group for all room resource accounts saves time when onboarding and operating new accounts, because they don't need to be added manually to a static group; instead, they're added automatically based on their account name. To reach that goal, you need to specify a unique prefix for all your room resource accounts and create a filtering rule scoped to that prefix. Afterwards, you can use this dynamic group to apply policies to all accounts at once, without touching the individual accounts.

In this exercise, you create a new security group for Microsoft Teams Room resource accounts from within the Microsoft Entra admin center.

The group needs to have the type Security assigned and the membership type Dynamic User, so that you can create a dynamic query for the users in scope. The dynamic query only requires that the userPrincipalName starts with mtr-. Save the query and select Create.

  1. Open the Azure portal and sign in with your Global Administrator (globalAdmin@<tenant>.onmicrosoft.com).

  2. Select Microsoft Entra ID from the left side pane or from the top menu.

  3. On the left side, beneath the Manage menu, select Groups.

  4. On the top of the list, select New group.

  5. For group creation, provide the following information in the fields:

    • Group type: Security

    • Group name: TeamsRoomsAccounts_dynamic

    • Group description (optional): Collection of all Teams Meeting Room accounts for dynamic licensing, MFA exclusion etc.

    • Microsoft Entra roles can be assigned to the group: No

    • Membership type: Dynamic User

    • Owners:

      1. Select No owners selected

      2. In the search bar, enter your name and select it from the results.

      3. When your name is added to the Owner section, select Select.

        Screenshot of the new dynamic group form in the Azure portal.

    • Because all of the room resource accounts begin with mtr- and end with <tenant>.onmicrosoft.com, we can take advantage of this by using a dynamic query. Dynamic user members:

      1. Select Add dynamic query

      2. In the Configure Rules table, select Choose a Property and search for userPrincipalName.

      3. As the operator, select Starts With

      4. In the Value field, type mtr-

      5. Select Save.

      Screenshot of setting up the query for a new dynamic group in the Azure portal.

    Note

    Microsoft recommends using a prefix for Microsoft Teams Rooms accounts. The prefix mtr- is sufficient for use in a M365 Developer Tenant. Based on your organization's policies, you need to be careful how you name your room resource accounts and might need to discuss it with other departments to make sure the prefix is unique. Using a non-unique prefix might lead to users being added to this group by mistake, so that they're no longer required to use MFA, which would be a security concern.

Now, new accounts with a userPrincipalName that starts with mtr- are automatically added as members of the newly created group TeamsRoomsAccounts_dynamic.

Note

Dynamic group membership updates can take up to 24 hours, so matching users might not appear immediately after creation.
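Before policies such as MFA exclusion or group-based licensing start depending on the rule, it's worth checking which accounts the prefix would actually pull in. The following added example (not part of this module or of Microsoft Entra) mirrors the rule the portal builds, (user.userPrincipalName -startsWith "mtr-"), against a constructed directory export and flags two problems the note above warns about: non-room users that match the prefix and room accounts that don't. The helper names, the contoso tenant, and the sample users are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Rule as the portal builds it from the exercise: property
# userPrincipalName, operator Starts With, value mtr-.
MEMBERSHIP_RULE = '(user.userPrincipalName -startsWith "mtr-")'

# Only the single -startsWith rule used in the exercise is parsed
# (assumption: no -and/-or compound rules).
_RULE_RE = re.compile(r'^\(\s*user\.(\w+)\s+-startsWith\s+"([^"]*)"\s*\)$')


def parse_rule(rule: str) -> tuple[str, str]:
    """Return (property name, prefix) from a -startsWith membership rule."""
    m = _RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    return m.group(1), m.group(2)

@dataclass(frozen=True)
class DirectoryUser:
    userPrincipalName: str
    is_room_account: bool  # constructed label: what the admin intends

def audit(rule: str, users: list[DirectoryUser]) -> dict[str, list[str]]:
    """Classify users under the rule: 'members' (in the dynamic group),
    'unintended' (matched but not a room account: would be excluded from
    MFA and licensed by mistake), 'missed' (room accounts left out).
    Plain prefix comparison; the operator's case handling is not modelled
    (assumption)."""
    prop, prefix = parse_rule(rule)
    result: dict[str, list[str]] = {"members": [], "unintended": [], "missed": []}
    for u in users:
        if getattr(u, prop).startswith(prefix):
            result["members"].append(u.userPrincipalName)
            if not u.is_room_account:
                result["unintended"].append(u.userPrincipalName)
        elif u.is_room_account:
            result["missed"].append(u.userPrincipalName)
    return result

# Constructed directory export for the check; not real tenant data.
SAMPLE_USERS = [
    DirectoryUser("mtr-room-01@contoso.onmicrosoft.com", True),
    DirectoryUser("mtr-boardroom@contoso.onmicrosoft.com", True),
    DirectoryUser("alice@contoso.onmicrosoft.com", False),
    DirectoryUser("mtr-smith@contoso.onmicrosoft.com", False),   # named by another team
    DirectoryUser("huddle-room@contoso.onmicrosoft.com", True),  # prefix not applied
]
```

Run audit(MEMBERSHIP_RULE, SAMPLE_USERS) against an export of your own tenant's UPNs; anything listed under unintended should be renamed or the prefix changed before the MFA exclusion is applied.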

Assign licenses to group members

To assign a license to your dynamic group members, open the overview page of the group TeamsRoomsAccounts_dynamic. On the left-hand navigation, select Licenses and you'll see that by default, your group and its members don't have any license assigned.

Note

Due to limitations in the Microsoft 365 Developer Program, it is currently not possible to purchase any additional Teams Rooms licenses. The following instructions still show you how to assign licenses to your dynamic MTR resource group. For real-life production systems, you would need to make sure that you have enough licenses by monitoring the available licenses in your admin center.

To assign a license, select Assignments, select the license you want to assign and apply this by selecting Save.

Note

For testing purposes, you could assign the Microsoft 365 E5 Developer (without Windows and Audio Conferencing) license. This license will not work in production environments on Microsoft Teams Rooms and is only for this showcase scenario.

Screenshot of setting up the conditional access policy in the Azure portal.