Create Dynamic Group Membership in Microsoft Entra ID: A Step-By-Step Guide

Owing to the feasibility of increasing collaboration among users, admins prefer either Microsoft 365 groups or security groups. To enhance further the collaboration strategy, the dynamic groups in Microsoft Entra ID (previously known as Azure AD) automatically allocate users based on specific rules. These dynamic Microsoft 365 groups reduce the admin’s work by specifying the dynamic group membership based on member attributes instead of adding users to them.

Let’s explore the significance, necessity, creation, and more of dynamic group memberships and their rules in Microsoft Entra.

A dynamic group is a specialized feature within Microsoft 365 groups or security groups in Entra ID that utilizes rules rather than direct user assignments. The rules or criteria defined by admins allocate the group membership for Microsoft Entra dynamic group. User attributes, such as department, location, job title, or other custom attributes are automatically evaluated to determine who should be a group member.

Some of us may think dynamic membership is same as managing dynamic distribution groups in Exchange Online. However, it’s not. While dynamic distribution groups facilitate only email collaboration, dynamic membership enables user collaboration across all Microsoft 365 services.

For example, admins can create specific MS Teams for dynamic group members, whereas this isn’t possible for dynamic distribution lists.

Ensure you have either a Microsoft Entra P1 or P2 license in your tenant to configure dynamic groups. If your organization needs to have a total of 1,000 users across all dynamic groups, you will require a minimum of 1,000 Entra ID P1 licenses. But there is no need to assign those licenses to users for them to be members of dynamic groups.

Find the below set of major operations that helps to manage the dynamic group membership in Microsoft Entra:

• Create a dynamic group membership rule in Entra
• Validate dynamic group membership rules
• Check dynamic rule processing status
• Dynamic group membership modifications
• Disable welcome email for dynamic groups
• Delete dynamic membership groups

Before getting into the process, log in to the Microsoft Entra admin center with your global or at least user administrator account.

To create Microsoft 365 dynamic groups in Entra follow the steps described below.

1. In the Microsoft Entra admin center, navigate to Identity → Groups → All groups.
2. Select the ‘New group’ button.
3. Select the ‘Group type’ either Microsoft 365 or security as per the requirement of the group.
4. Enter the name of the group in the ‘Group name’ text box.
5. Provide the group description in the ‘Group description’ text box if needed.
6. Select the ‘Membership type’ as ‘Dynamic User’ or ‘Dynamic Device’ concerning the needs of the group.
   • Dynamic User – Select this option if you want to filter the users dynamically based on their associated properties. Using this option, you can assign group users based on the user properties such as department, usage location, membership type, city, etc.
   • Dynamic Device – Select this option if you want to filter the users dynamically based on the properties or attributes of the devices they are using. Using this option, you can assign group users based on properties such as device OS type, device model, device ID, etc.
     Note: The dynamic device option is only available for Entra ID security groups.
   • Assigned – If you select this option, a normal M365 group or Security group will be created accordingly.
7. If you want to select additional owners other than the admin, select the ‘No owners selected’ option.
8. After selection, pick the users from the ‘Add owners’ pop-up window.
9. Next, click on the ‘Select’ option.
10. Click on the ‘Add dynamic query’ option, it will take you to the ‘Dynamic membership rules’ page.
11. Using the rule builder, define the rule using the Property, Operator, and Value with respect to your group’s needs.
    Dynamic membership rule example:
    Let’s say you want to create a Microsoft 365 dynamic group for all employees in your organization who belong to a specific department, such as the “R&D” department. You can define a dynamic membership rule like this:

    Property	Operator	Value
    Department	Equals	R&D

12. To add another query as a rule, click on the ‘Add expression’ button, then use the ‘And/Or’ operation and define the rule using the Entra ID rule builder.
    
    Points to remember:
    
    • You can configure up to five queries using the rule builder in the Entra portal. To select more than that, you need to write the rules as queries in the below text box using the ‘Edit’ option. To properly write the queries for your rules without any syntax error, refer the Microsoft document regarding the dynamic membership rules for groups.
    • Microsoft recently announced the preview feature to create dynamic groups and administrative units that populate by incorporating members of other groups using the ‘memberOf’ attribute. As of now, memberOf isn’t yet supported in the rule builder. You must enter your rule in the rule editor as described below.
      User rule: user.memberof -any (group.objectId -in [<GroupID>])
      Device rule: device.memberof -any (group.objectId -in [<GroupID>])
      
13. To get properties from an application, select the ‘Get custom extension properties’, enter the application ID, and choose the ‘Refresh properties’ button.
    Note: The application ID here helps to get the users who are using custom extension properties within the application or service. After retrieving those users, you can compare and select them with the appropriate operator and rules.
14. Select ‘Save’ and then finally click on the ‘Create’ button.

While dynamic membership rules can assist in adding users to a dynamic group, it’s crucial to double-check their accuracy to ensure users meet the required criteria. To overcome this circumstance, Microsoft has introduced a new preview feature called ‘Validate Rules’, which allows admins to confirm if the rules are working as expected.

Here are the steps to use this feature in the Microsoft Entra admin center:

1. After configuring certain rules, switch to the ‘Validate Rules (Preview)’ tab option on the ‘Dynamic membership rules’ page.
2. Click the ‘Add users’ button, select the users, and click the ‘Select’ button.
   
3. Finally, click the ‘Validate’ button.

The status of users, (i.e., whether they will be present in the group or not) will be displayed. You can also view the reason for any validation failures using the ‘View details’ option.

To check the status of the dynamic membership rule you have created using the queries, just follow the steps below.

1. Navigate to Identity → Groups → All groups page in the Microsoft Entra admin center home page.
2. Select the group that is configured through dynamic membership.
3. In the respective group’s ‘Overview’ page, the ‘Dynamic rule processing status’ gives the status of the rules configured. The dynamic rule processing status may show the following messages:

Note: To know about the error and for further investigation, you can check the audit logs for the group membership changes using the ‘Audit logs’ option.

In addition to this, you can check the last membership changes that have taken place within the dynamic group using the ‘Last membership change’ status.

Note: You’ll see the following message as an alert at the top of the group’s Overview page if an error occurs while processing the membership rule for a specific group.

“Dynamic group memberships have not been updated due to system delays. We’re working to resolve the issue.”

Additionally, if no pending membership updates can be processed for all the groups for more than 24 hours, the alert will appear at the top of the ‘All groups’ page.

To update the dynamic group membership, just jump into the steps conveyed below in the Microsoft Entra admin center.

1. Select the group that is configured through the dynamic membership.
2. After that, select the ‘Dynamic membership rules’ tab and reconfigure the rules based on your new requirements.
3. Once done click on the ‘Save’ button.

You can audit group membership changes in Microsoft 365, encompassing the dynamic distribution groups.

Just like disabling the welcome email for the new users of normal Microsoft 365 groups, you can disable the welcome mail for dynamic Microsoft 365 group users. To disable such emails, first connect the Exchange Online PowerShell module.

After that, execute the following cmdlet with the UPN of the respective dynamic membership group.

Note: This configuration is not applicable for the dynamic groups created within the security groups as security groups do not have any specific UPN.

As we are aware, a dynamic membership group is a type of Security/Microsoft 365 group, and the process of deleting it is also similar. To delete a dynamic group, follow these steps:

1. Select the group from the list of all available groups in Entra ID.
2. Click on the ‘Delete’ button.
3. Confirm by selecting ‘Yes.’

Some of the important limitations of Microsoft 365 group with dynamic user membership type are:

1. A Microsoft 365 organization can have a combo of a maximum of 5,000 dynamic groups and dynamic administrative units.
2. Device membership rules for groups can only reference device attributes and cannot be created based on user attributes related to the device owner.
3. A Microsoft Entra tenant can have up to 500 dynamic groups using the ‘memberOf’ attribute rule.
4. Microsoft 365 dynamic groups can be allocated with 50 member groups.
5. The ‘memberOf’ attribute can’t be used to define the membership of another ‘memberOf’ dynamic group.
6. Microsoft Entra ID currently doesn’t support granting any roles to users indirectly through dynamic group memberships.

In line with creating dynamic memberships using Microsoft Entra ID, it’s imperative to keep a close eye on group membership. Doubtful changes in user properties, additions, or removals can significantly impact group dynamics. Don’t worry! AdminDroid’s Microsoft 365 group reporting offers seamless monitoring to ensure you stay informed and in control.

Now, you may wonder, what is the need to use AdminDroid when it can be monitored using Entra ID? Well, here is the answer for you:

• AdminDroid group reporting provides user details like department, user’s job title, user’s sign-in status, company, and location, unlike Entra ID’s group members report.
• No need to explore the properties of each user, as AdminDroid provides essential properties of overall group users at a glance.
• AdminDroid group reports provide membership details for all types of groups, not only for dynamic groups.

AdminDroid’s Azure AD reporting tool helps you visualize fruitful reports on Microsoft 365 users, groups, MFA methods, user passwords, external users, and licenses. While this gives metrics on the current status, the Azure AD auditing tool offers vast collections of insights that provide the changes taking place in your Microsoft 365. With this Azure AD auditing tool, admins can monitor user logins, user activities, group activities, application activities, etc.

AdminDroid not only offers Azure AD management with 120+ FREE reports; it extends to all Microsoft 365 services with 1800+ pre-built reports and 30+ dashboards. With comprehensive features like reporting, auditing, analytics, and security & compliance, AdminDroid offers a premium edition FREE for 15 days.

Download AdminDroid now and explore all the features it offers firsthand.

In conclusion, dynamic group membership in Microsoft Entra is a powerful feature for automating user management, ensuring real-time updates, and simplifying administrative tasks. By leveraging Entra ID, organizations can manage dynamic groups efficiently across their digital workspace.

Stay tuned for more insights and tutorials on optimizing your Microsoft 365 experience!