
Groups & Dynamic Membership

30 mins

Understanding the Concept

Groups in Microsoft Entra ID are used to manage access to resources at scale. Instead of assigning permissions to individual users, you assign them to groups and manage group membership. There are two main types: Security groups and Microsoft 365 groups.

Dynamic groups automatically add and remove members based on user attribute rules. For example, a dynamic group can include all users where department equals 'Engineering'; when a user's department changes, their group membership updates automatically.
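The attribute-driven behaviour described above, and the rule syntax from the exam tips (user.department -eq 'Sales'), can be modelled offline. This is an added example, not Microsoft's evaluator or code from the course: it handles only a subset of the rule language, and the users, group names, and the choice to treat an unset attribute as non-matching are assumptions.

```python
import re

# Simplified model: clauses of the form user.<attr> <op> 'value', joined by
# -and / -or. No parentheses or -not; values must not contain " -and "/" -or ".
OPS = {
    "-eq": lambda actual, value: actual == value,
    "-startswith": lambda actual, value: actual.startswith(value),
    "-contains": lambda actual, value: value in actual,
}
CLAUSE = re.compile(r"^\s*user\.(\w+)\s+(-\w+)\s+'([^']*)'\s*$")

def clause_matches(user, clause):
    m = CLAUSE.match(clause)
    if not m or m.group(2).lower() not in OPS:
        raise ValueError(f"unsupported clause: {clause!r}")
    attr, op, value = m.groups()
    actual = user.get(attr)
    if actual is None:  # assumption: an unset attribute never matches
        return False
    # String comparisons in membership rules are case-insensitive.
    return OPS[op.lower()](str(actual).lower(), value.lower())

def is_member(user, rule):
    # -and binds tighter than -or: split into -or alternatives, then -and terms.
    return any(
        all(clause_matches(user, term)
            for term in re.split(r"\s+-and\s+", alt, flags=re.IGNORECASE))
        for alt in re.split(r"\s+-or\s+", rule, flags=re.IGNORECASE)
    )

def memberships(rules, users):
    """Recompute every dynamic group's member list from current attributes."""
    return {name: sorted(u["userPrincipalName"] for u in users if is_member(u, rule))
            for name, rule in rules.items()}

# Constructed sample directory and rules (hypothetical names).
USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "Engineering", "country": "US"},
    {"userPrincipalName": "bob@contoso.example", "department": "Sales", "country": "DE"},
    {"userPrincipalName": "carol@contoso.example", "department": "engineering", "country": "DE"},
]
RULES = {
    "dyn-engineering": "user.department -eq 'Engineering'",
    "dyn-sales-or-eng-de": "user.department -eq 'Sales' -or "
                           "user.department -eq 'Engineering' -and user.country -eq 'DE'",
}

if __name__ == "__main__":
    print(memberships(RULES, USERS))
    USERS[1]["department"] = "Engineering"  # Bob moves from Sales to Engineering
    print(memberships(RULES, USERS))
```

Because membership follows the attribute, reviewing who can change department or country on a user record is part of reviewing who can grant the access attached to these groups.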

Group-based licensing allows you to assign licenses to a group, and all members automatically receive the appropriate licenses. This simplifies license management significantly for large organizations.

Key Points

  • Security Groups: Used for access control to apps and resources
  • M365 Groups: Include a shared mailbox, calendar, SharePoint site, Teams
  • Assigned membership: Manual add/remove by administrators
  • Dynamic membership: Rule-based automatic membership (requires Entra ID P1)
  • Group-based licensing: Assign licenses to groups instead of individual users

Group Management Strategy

  • Step 1. Security Groups: Control access to applications, Azure resources, SharePoint
  • Step 2. M365 Groups: Collaboration with Teams, SharePoint, shared mailbox
  • Step 3. Dynamic Rules: Attribute-based auto-membership (dept, location, title)
  • Step 4. Nested Groups: Groups within groups for hierarchical access
  • Step 5. Group Licensing: Automatic license assignment via group membership

Why This Matters in Real Organizations

Managing access at the group level is fundamental to scalable identity management. Organizations with hundreds of applications and thousands of users cannot efficiently manage individual access assignments. Groups enable consistent, auditable, and automated access control.

Common Mistakes to Avoid

  • Creating too many groups without a naming convention or governance
  • Using assigned groups when dynamic groups would be more appropriate
  • Not understanding that dynamic groups require Entra ID P1
  • Forgetting that nested dynamic groups are not supported

Interview Tips

  • Explain the difference between Security and M365 groups
  • Discuss dynamic group rule syntax and common patterns
  • Mention group-based licensing as a management strategy

Exam Tips (SC-300)

  • Know dynamic group rule syntax (e.g., user.department -eq 'Sales')
  • Understand which group types support dynamic membership
  • Know licensing requirements for dynamic groups (P1)
