Today, I ran into a situation that many admins will recognize. I needed to deploy an Intune configuration policy to a specific group of users, but the group in question was a Microsoft 365 group. As some of you might know, Intune policies can only be deployed to security-enabled groups, and Microsoft 365 groups, by default, are not security-enabled.
I could create a new security group and manually add all the same members. However, that’s a maintenance headache, especially if the Microsoft 365 group changes regularly.
A much simpler approach is to enable the security group flag on the existing Microsoft 365 group. This way you don’t have to manage a duplicate group. The existing group can now be targeted like any other security group in Intune (or elsewhere in Azure AD).
How to Check if Your Group Is Security-Enabled
You can check whether a group is security-enabled using PowerShell with the AzureAD module.
Connect to Azure AD and check the group’s properties:
Connect-AzureAD
Get-AzureADGroup -ObjectId <Your-Group-ObjectID> | Format-List
Look for the SecurityEnabled property. If it is set to False, the group will not appear as an assignment target in Intune and you will need to enable it.
How to Enable the Security Group Flag
To enable the security group capability, run the following command:
Set-AzureADGroup -ObjectId <Your-Group-ObjectId> -SecurityEnabled $True
That’s it! After this change, your Microsoft 365 group can be used just like a traditional security group in Intune or any other Azure AD security-scoped setting.
How to Find the Group's ObjectId
If you don’t know the ObjectId of the group then here’s how to find it:
In PowerShell:
Get-AzureADGroup -SearchString <Group-Name>
This will return key details like DisplayName, ObjectId, and Mail. Note that SearchString matches the beginning of the display name, so it can return more than one group; pick the ObjectId of the one you actually mean.
In the Azure Portal:
- Go to Azure Active Directory > Groups.
- Search for your group by name.
- Click the group to open its properties.
- The Object ID is listed on the group’s Overview page.
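The three steps above (find the ObjectId, check SecurityEnabled, set it) fit naturally into one idempotent script. The following is an added example, not code from the original post: it uses the same AzureAD module cmdlets, insists on exactly one exact-name match (SearchString is a prefix match), refuses to touch a group that is synced from on-premises AD (DirSyncEnabled, since those must be changed on-prem), skips the write if the flag is already set, and re-reads the group to verify the change. The `$GroupName` parameter and the "Sales Team" value in the usage comment are placeholders.

```powershell
# Added example (not from the original post): enable SecurityEnabled on a
# Microsoft 365 group by display name, with the sanity checks an admin wants.
# Assumes the AzureAD module is installed and you hold a role allowed to update groups.
param(
    [Parameter(Mandatory)] [string] $GroupName   # e.g. "Sales Team" (placeholder)
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null

# SearchString is a prefix match, so narrow to an exact DisplayName and require one hit
$hits = @(Get-AzureADGroup -SearchString $GroupName |
          Where-Object { $_.DisplayName -eq $GroupName })
if ($hits.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($hits.Count)."
}
$group = $hits[0]

# Groups synced from on-premises AD are read-only in the cloud; change them on-prem
if ($group.DirSyncEnabled) {
    throw "Group '$GroupName' is synced from on-premises AD; change it there, not in Azure AD."
}

# Idempotent: do not issue a write if the flag is already set
if ($group.SecurityEnabled) {
    Write-Host "'$GroupName' ($($group.ObjectId)) is already security-enabled; nothing to do."
    return
}

Set-AzureADGroup -ObjectId $group.ObjectId -SecurityEnabled $true

# Re-read rather than trusting the write; a failed update throws, but verify anyway
$after = Get-AzureADGroup -ObjectId $group.ObjectId
if (-not $after.SecurityEnabled) {
    throw "SecurityEnabled is still False on '$GroupName'; check your role and the group type."
}
$after | Select-Object DisplayName, ObjectId, Mail, MailEnabled, SecurityEnabled
```

Run it as `.\Enable-GroupSecurity.ps1 -GroupName "Sales Team"` (script name is a placeholder). The exact-match filter matters because `-SearchString` would also return "Sales Team Leads", and flipping the flag on the wrong group silently widens what that group can be assigned.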
Things to Keep in Mind
- Enabling the SecurityEnabled property does not change the nature of the Microsoft 365 group. It still retains its collaboration features (Teams, shared mailbox, Planner, etc.).
- This approach avoids the need to duplicate groups and helps keep membership management streamlined.
- To run these commands and modify the group, you must have one of the following Azure AD roles:
  - Global Administrator
  - Privileged Role Administrator
  - Groups Administrator
- You'll need to have the AzureAD module installed to run these commands. Note that Microsoft has deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK; the equivalent cmdlets there are Get-MgGroup (to find and inspect the group) and Update-MgGroup with -SecurityEnabled (to set the flag).