Unit 10: Explore Dynamic Groups

1. Purpose

Dynamic groups in Microsoft Entra ID allow administrators to automatically manage group membership based on user attributes such as userType, department, or country. This eliminates the need for manual updates and ensures that new or departing users are automatically added or removed from relevant groups.

Dynamic groups are especially valuable for external identities, as they can automatically apply policies or licenses to all guest users.

2. How Dynamic Groups Work

Dynamic groups use rules that evaluate user attributes. When a user object changes (for example, their userType or department), Entra ID re-evaluates the rule and updates group membership accordingly.

For example:

userType eq "Guest" → includes all external users.
country eq "US" → includes all users in the United States.
department eq "Finance" → includes all Finance department members.

3. Membership Types

When creating a group, you can choose the membership type:

Type	Description
Assigned	Admin manually adds and removes members.
Dynamic User	Membership determined by user-based rule logic.
Dynamic Device	Membership determined by device attributes (e.g., compliance state, join type).

For external collaboration, Dynamic User is most relevant.

4. Creating a Dynamic Group (Exercise Example)

Goal: Create a dynamic group containing all users — members and guests.

Steps:

Sign in to the Microsoft Entra admin center as a User Administrator.
Go to Identity → Groups → All Groups → New Group.
Select Security as the group type.
Enter a name, e.g., All Company Users (Dynamic).
Under Membership type, choose Dynamic User.
Select Add dynamic query, then click Edit rule syntax.
Enter the following rule:

user.objectId -ne null

This means “include every user object that exists.”
Save and create the group.

After creation, Entra ID automatically includes all member and guest users that meet the rule’s criteria.

5. Practical Use Cases

Scenario	Dynamic Rule Example	Outcome
Apply policy to all guest users	(user.userType -eq "Guest")	Automatically groups all external collaborators.
Apply policy to a department	(user.department -eq "Finance")	Dynamic license or app assignment.
Exclude service accounts	(user.accountEnabled -eq true) and (user.userType -eq "Member")	Keeps only active employees.

6. Requirements

Dynamic groups require:

Microsoft Entra ID Premium P1 or P2 license.
Rule syntax using Azure AD rule language.
Properly indexed attributes — for example, userType or department.

7. Real-World Example

Scenario: Contoso wants to enforce MFA for all guest users automatically. They create a dynamic group with the rule (user.userType -eq "Guest"), then apply a Conditional Access policy requiring MFA for that group. As new guests are invited, they are automatically subject to MFA — without manual admin intervention.

8. Exam Tip

Dynamic groups are not retroactively filled if rule syntax is invalid.
They evaluate user or device attributes only — not groups within groups.
Require P1/P2 licensing.
Great for Conditional Access, license assignment, and governance automation.

Summary

Dynamic groups simplify identity management by automatically adding or removing users based on attributes. They’re an essential automation tool for applying consistent security and collaboration policies to both internal and external users.

SC‑300 Study Portal Dark

Unit 10: Explore Dynamic Groups