Enabling Existing Entra Groups to be Managed via Workspace
Overview
The Group import feature allows the membership of any Entra group type to be managed via Workspace. This simplifies the process of onboarding Customers into Workspace and allows more use cases to be easily implemented.
When this feature is enabled on a group, a Private Workspace Item is created for the group, and all users in the group (that are already in Atria) are assigned the Workspace Item.
Once Group membership is being managed via Workspace, Atria prevents membership changes to that group from within the Microsoft Online Group Management interface. Changes to membership can be made via the Customer Workspace Item, or via the Users Workspace Service.
From 15.23 onwards, any Azure AD Group already mapped to a Workspace Item will not allow membership changes from the Manage Groups interface.
Once a Workspace Item is assigned to a Customer, the unique identifier (ObjectID or SID) of the associated group is stored. When viewing Groups in the Group Management page, this identifier is used to determine whether or not a group's membership is being managed via Workspace.
Availability
This feature is available from Atria 15.23.
Permissions
By default, anyone who can update Microsoft Online Groups can enable this feature.
Enable a Group for Workspace Management
- Navigate to the Groups page: Services > Microsoft Online > Group Management.
- Wait for the groups to load (the connection to Microsoft Online can be slow).
- Select the Group and click to show its details.
- Enabling the "Manage Group Membership through Workspace" switch will present a Pop-Up to collect the details needed to create a new Workspace Item.
- The Name and Description of the group will be automatically populated from the Group.
- The Workspace Item Type list is filtered and defaulted based on the Type of the group. Select the most appropriate GroupType. In this example, the selected group is an AzureAD Security Group, and there are four options for Workspace Item Types that have this group Type.
- Add Tags to the Workspace Item if required.
- Selecting the Save button will then:
  - Create a New Private Workspace Item for the Customer, storing the details specified in the Pop-up as well as the Group Name and the Group Identifier (GUID, SID or ObjectID).
  - Atria will iterate through the Members of the Group
    - if the member is also a group - it will be ignored
    - if the member is NOT a User in Atria, it will be ignored
    - if the member is a User within Atria, but does not have Workspace assigned, Workspace is assigned and then
  - All Users in Atria with Workspace are assigned with the new Workspace Item
On completion, an informational message is shown detailing how many users were imported and which members were not imported.
In this example, 4 users were imported; the member "ExcludeFromNightlySync" was excluded from the import because it is also a Group.
For performance and an easier process, it's worth importing all users into Atria before importing Groups. You can also bulk-provision Workspace to Users to make the Group import process faster.
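A pre-import check that mirrors the import steps above, as an added example (not Atria code): it sorts a group's members, taken from a Microsoft Graph member listing, into the outcomes the Save step describes, so members that would be left out are known before the switch is enabled. The sample data, the `ATRIA_USERS` export and matching members to Atria users by UPN are assumptions; the page does not say how Atria matches members to its users.

```python
import json

# Constructed sample shaped like a Microsoft Graph "list group members"
# response (GET /groups/{id}/members). All ids and UPNs are made up.
GRAPH_MEMBERS = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.user",  "id": "u1", "userPrincipalName": "Alice@example.test"},
  {"@odata.type": "#microsoft.graph.user",  "id": "u2", "userPrincipalName": "bob@example.test"},
  {"@odata.type": "#microsoft.graph.user",  "id": "u3", "userPrincipalName": "carol@example.test"},
  {"@odata.type": "#microsoft.graph.group", "id": "g1", "displayName": "ExcludeFromNightlySync"}
]}
""")["value"]

# Assumption: a hypothetical export of Atria users as {UPN: has_workspace}.
ATRIA_USERS = {"alice@example.test": True, "bob@example.test": False}


def preview_import(members, atria_users):
    """Sort group members into the outcomes the import steps describe."""
    # Assumption: members are matched to Atria users by UPN, case-insensitively.
    known = {upn.lower(): has_ws for upn, has_ws in atria_users.items()}
    out = {"import": [], "workspace_added_first": [],
           "ignored_group": [], "ignored_not_in_atria": []}
    for m in members:
        kind = m.get("@odata.type", "")
        label = m.get("userPrincipalName") or m.get("displayName") or m["id"]
        if kind == "#microsoft.graph.group":
            # A member that is itself a group is ignored by the import.
            out["ignored_group"].append(label)
        elif kind != "#microsoft.graph.user" or label.lower() not in known:
            # Not a User in Atria (other directory object types cannot be one).
            out["ignored_not_in_atria"].append(label)
        else:
            if not known[label.lower()]:
                # Atria user without Workspace: Workspace is assigned first.
                out["workspace_added_first"].append(label)
            out["import"].append(label)
    return out


if __name__ == "__main__":
    for outcome, names in preview_import(GRAPH_MEMBERS, ATRIA_USERS).items():
        print(f"{outcome}: {', '.join(names) or '-'}")
```

Any name listed under the two `ignored_*` outcomes will not receive the Workspace Item, so review those members before enabling Workspace management on the group.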
Managing Membership via Workspace
Once a group has been mapped to a Workspace Item, Atria disables the ability to edit the membership of the group from within the Group Management feature. A link is provided to take you to the Workspace Item. You can still edit recipient information (email addresses, etc.) and ownership of the group via Group Management.
Changing Workspace Details
A group mapped to a Workspace Item is managed in the same way as any other Private Workspace Item. Details can be edited including assigning Icons, adding properties, adding to Workspace Roles or Users, or adding event handlers.
Removing Workspace Management from a Group
At the time of writing, it is not possible to remove a Group from Workspace management via the Atria User Interface. This will be implemented in an upcoming release.