Groups & Dynamic Membership
Understanding the Concept
Groups in Microsoft Entra ID are used to manage access to resources at scale. Instead of assigning permissions to individual users, you assign them to groups and manage group membership. There are two main types: Security groups and Microsoft 365 groups.
Dynamic groups automatically add and remove members based on user attribute rules. For example, a dynamic group can include all users whose department equals 'Engineering'; when a user's department changes, their group membership updates automatically.
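The following is an added example, not part of the original lesson: a simplified Python model of rule-based membership that dry-runs a rule against a user list and shows who is added or removed when attributes change. The user records, the `contoso.example` domain and all function names are constructed for illustration, and only a small subset of the rule syntax is modelled.

```python
import re

# Simplified model of dynamic membership rules, not Entra's rule engine.
# Assumptions: only -eq/-ne/-startsWith/-contains on string attributes,
# clauses joined by -and/-or (no parentheses), case-insensitive comparison,
# and an unset attribute compared as an empty string.
CLAUSE = re.compile(
    r"^\s*user\.(\w+)\s+-(eq|ne|startsWith|contains)\s+[\"'](.*)[\"']\s*$", re.I)
OPS = {
    "eq": lambda actual, want: actual == want,
    "ne": lambda actual, want: actual != want,
    "startswith": lambda actual, want: actual.startswith(want),
    "contains": lambda actual, want: want in actual,
}

def eval_clause(clause, user):
    m = CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    attr, op, want = m.groups()
    actual = (user.get(attr) or "").lower()
    return OPS[op.lower()](actual, want.lower())

def matches(rule, user):
    # -and binds tighter than -or: split on -or first, then on -and.
    return any(
        all(eval_clause(c, user) for c in re.split(r"\s+-and\s+", grp, flags=re.I))
        for grp in re.split(r"\s+-or\s+", rule, flags=re.I))

def members(rule, users):
    return sorted(u["userPrincipalName"] for u in users if matches(rule, u))

def membership_delta(rule, before, after):
    # Who joins and who leaves the group once attributes change.
    old, new = set(members(rule, before)), set(members(rule, after))
    return {"added": sorted(new - old), "removed": sorted(old - new)}

# Constructed sample directory export (hypothetical users).
BEFORE = [
    {"userPrincipalName": "ana@contoso.example", "department": "Engineering", "jobTitle": "Developer"},
    {"userPrincipalName": "ben@contoso.example", "department": "Sales", "jobTitle": "Sales Manager"},
    {"userPrincipalName": "cy@contoso.example", "department": "engineering", "jobTitle": "Engineering Manager"},
]
# Same users after two department changes.
AFTER = [dict(BEFORE[0], department="Sales"), dict(BEFORE[1], department="Engineering"), BEFORE[2]]
RULE = "user.department -eq 'Engineering'"

if __name__ == "__main__":
    print(members(RULE, BEFORE))
    print(membership_delta(RULE, BEFORE, AFTER))
```

Running a draft rule through a model like this before enabling it makes unintended matches visible, which matters because group membership here translates directly into access and licenses.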
Group-based licensing allows you to assign licenses to a group, and all members automatically receive the appropriate licenses. This simplifies license management significantly for large organizations.
Key Points
- Security Groups: Used for access control to apps and resources
- M365 Groups: Include a shared mailbox, calendar, SharePoint site, Teams
- Assigned membership: Manual add/remove by administrators
- Dynamic membership: Rule-based automatic membership (requires P1)
- Group-based licensing: Assign licenses to groups instead of individual users
Group Management Strategy
- Security Groups: Control access to applications, Azure resources, SharePoint
- M365 Groups: Collaboration with Teams, SharePoint, shared mailbox
- Dynamic Rules: Attribute-based auto-membership (dept, location, title)
- Nested Groups: Groups within groups for hierarchical access
- Group Licensing: Automatic license assignment via group membership
Why This Matters in Real Organizations
Managing access at the group level is fundamental to scalable identity management. Organizations with hundreds of applications and thousands of users cannot efficiently manage individual access assignments. Groups enable consistent, auditable, and automated access control.
Common Mistakes to Avoid
Interview Tips
- Explain the difference between Security and M365 groups
- Discuss dynamic group rule syntax and common patterns
- Mention group-based licensing as a management strategy
Exam Tips (SC-300)
- Know dynamic group rule syntax (e.g., user.department -eq 'Sales')
- Understand which group types support dynamic membership
- Know licensing requirements for dynamic groups (P1)