🧩 Part 2: Dynamic Groups and Automated Membership
- Bjørnar Aassveen
- Jun 12
- 3 min read
Get the right people in the right groups, completely automatically
We often talk about onboarding and offboarding, and it's easy to forget what happens in between. Who hasn't changed departments, roles or responsibilities and been given new access and rights, on top of the ones you already had because they were "nice to have" during a transition phase? And how long did that transition phase actually last?
With dynamic groups in Microsoft Entra ID you can define rules that automatically add users (or devices) to groups based on attributes such as:
- Department
- Job Title
- Location
- User Type
- Custom Attributes
This gives you automated membership that is always up to date, without manual effort. However, it requires that you have control over the metadata on the user objects; ideally this is synchronized from an HR system or similar. A recommendation is to start with an overview in Entra ID to check whether the metadata is consistent and populated across all users.
How does it work?
Dynamic groups use rule-based logic. You define a rule in Entra ID that is continuously evaluated. When a user's attributes match the rule, they are automatically added to the group, and removed again when they no longer match.
Example:
(user.department -eq "Økonomi")
This rule automatically adds all users whose department is "Økonomi" (Finance) to the group.
You can also combine multiple criteria:
(user.department -eq "IT") and (user.jobTitle -eq "Utvikler")
You can also write rules that refer to membership of other groups, for example: all members of groups X, Y and Z should be in group XYZ. (The feature has been in preview since 2024.) The beauty of querying membership of a group is that you get the best of both worlds: the dynamics you want, plus the ability to add a static group to the query to override them. Say you have an Engage community where all employees in Innlandet should be members, so you use a dynamic group. In addition, you want the management group across the country to be members of the Innlandet community, but they do not have Innlandet as their location and are therefore not added by the dynamic rule. So you create a static group where you control who is added and removed, and include it in the query for the community group. (Alternatively you can use custom attributes on the users, which is a slightly messier way.)
For users or devices:
user.memberof -any (group.objectId -in ['groupId'])
device.memberof -any (group.objectId -in ['groupId'])
Use Cases
Dynamic groups are useful in many scenarios:
Access Management: Automatically grant access to apps, SharePoint sites, or Teams based on role or department.
Licensing: Use dynamic groups to automatically assign licenses.
Policies: Use groups to target Intune policies or Conditional Access.
Type of dynamic groups
| Type | Description |
| --- | --- |
| User-based | Dynamic membership based on user attributes |
| Device-based | Dynamic membership based on device attributes (e.g. OS, compliance status) |
💡 Note: A group can be either user-based or device-based – not both at the same time.
Limitations and Requirements
Requires Microsoft Entra ID P1 (all users need to be licensed)
Dynamic groups do not support manual membership; it is either/or (unless you query both dynamic and static groups as described above)
Not all attributes are available for all object types
It may take a few minutes for changes to take effect
Get Started
- Start Simple: Start with one rule and test on a small scale
- Custom Attributes: Use custom attributes if the default fields don't meet your needs
- Naming Conventions: Clearly separate dynamic groups from manual ones
- Monitor and Document: Keep track of which rules apply where
Example: Automatic Teams Membership
- Create a dynamic M365 group based on department
- Connect the group to a Team
- Everyone in the department automatically gets access to Teams channels, files, and meetings
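The steps above, together with the metadata check recommended earlier, as an added Microsoft Graph PowerShell example (not from the original post). It assumes the Microsoft.Graph SDK is installed and an account that can consent to the listed scopes; the group name, mail nickname and department value are illustrative.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK
# and an account that can consent to the scopes below; names and values are illustrative.
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Team.Create"

$department = "Økonomi"
$rule       = "(user.department -eq `"$department`")"

# 0. Check the metadata the rule depends on before trusting it.
$users   = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, Department
$missing = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.Department) })
Write-Host "$($missing.Count) of $($users.Count) users have no Department value"

# Distinct values expose inconsistent spellings (e.g. "Okonomi" or a trailing space)
# that would silently leave users outside the group.
$users | Group-Object Department | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Client-side preview of who the rule would pick up right now.
$preview = @($users | Where-Object { $_.Department -eq $department })
Write-Host "Rule $rule would currently match $($preview.Count) users"

# 1. Create a dynamic M365 (Unified) group; membership is driven by the rule only.
$group = New-MgGroup -DisplayName "Finance (dynamic)" -MailNickname "finance-dyn" `
    -MailEnabled:$true -SecurityEnabled:$false `
    -GroupTypes @("Unified", "DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 2. Connect the group to a Team. The group must be fully provisioned first;
#    retry if the call reports that the group was not found.
Start-Sleep -Seconds 60
$team = New-MgTeam -BodyParameter @{
    "template@odata.bind" = "https://graph.microsoft.com/v1.0/teamsTemplates('standard')"
    "group@odata.bind"    = "https://graph.microsoft.com/v1.0/groups('$($group.Id)')"
}

# 3. Membership is evaluated asynchronously; after a few minutes compare the
#    actual members with the preview to confirm the rule behaves as expected.
Start-Sleep -Seconds 300
$members = @(Get-MgGroupMember -GroupId $group.Id -All)
Write-Host "Group $($group.Id) now has $($members.Count) members (preview predicted $($preview.Count))"
```

A mismatch between the preview and the actual member count usually points back to step 0: attribute values that differ only in spelling or whitespace from the value in the rule.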
🚀 Next Steps
In the next post, we’ll look at automated group lifecycle and cleanup – how you can use policies and automation to avoid group chaos and ensure old groups don’t get left behind.
Bjørnar&AI