You are asked to create a new set of Azure Active Directory (Azure AD) security groups that represent a manager's team. Each group must include the people managed directly by the manager but not the people managed by members of the manager's own team. For example, if Bob manages Tom and Tom manages Fred, Bob's group must include Tom but not Fred. The group should also update dynamically as people change managers over time.
You need to implement the request using the least amount of administrative effort.
What should you do?
You should create new groups using the Direct Reports rule. This rule creates a dynamic group whose members are the users who share the same ManagerID attribute, that is, the users whose manager is the specified person.
You should not create multiple Azure AD groups and manually add the members who have the same ManagerID attribute. This works initially but does not satisfy the requirement that membership update automatically as managers change.
You should not create Azure AD groups for each manager and use a custom script to update the groups on attribute changes. This would keep the groups up to date as managers change, but it requires more administrative effort to implement and maintain than a built-in dynamic membership rule.
You should not construct dynamic groups in Azure AD based on a membership rule that queries the ManagerID attribute directly. This attribute is not exposed to ordinary rule expressions; it is only available through the Direct Reports rule.
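As an added example (not part of the original question or answer), the following Microsoft Graph PowerShell SDK session creates one such dynamic group and reads back the stored rule. It assumes an existing Azure AD tenant, the Microsoft.Graph module, and a manager identified by the placeholder UPN in `$managerUpn`; the group display name and mail nickname are invented for the example.

```powershell
# Added example: dynamic security group of one manager's direct reports.
# Requires the Microsoft.Graph module; sign in with the scopes needed to
# read users and create groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Placeholder manager; replace with a real user principal name.
$managerUpn = "bob@contoso.example"

# The Direct Reports rule needs the manager's object ID, not the UPN,
# so resolve the user first.
$manager = Get-MgUser -UserId $managerUpn

# Documented rule syntax: Direct Reports for "{objectID_of_manager}".
# Azure AD keeps membership in sync as users' manager attribute changes.
$rule = 'Direct Reports for "{0}"' -f $manager.Id

$group = New-MgGroup `
    -DisplayName "Direct reports of $($manager.DisplayName)" `
    -MailNickname "directreports-$($manager.Id.Substring(0, 8))" `
    -MailEnabled:$false `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Verification: confirm the rule and that processing is on. Membership is
# evaluated asynchronously, so members may take a few minutes to appear.
Get-MgGroup -GroupId $group.Id `
    -Property Id, DisplayName, MembershipRule, MembershipRuleProcessingState |
    Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState
```

Because the rule is keyed on the manager's object ID, a direct report who moves to another manager drops out of the group automatically, and someone managed by one of Bob's reports (Fred in the example) is never included.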