"unable to complete due to service connection error dynamic group" - Entra Dynamic Group

Shahrukh Ali 20 Reputation points
2025-12-16T10:12:31.02+00:00

I've created some dynamic security groups on my primary account that work and allow validation. However, due to company policy we had to switch to a separate admin account, so all my admin roles that were on the main account were transferred over to my second account.

On my second account I can still edit the rules of the dynamic group; however, whenever I try to validate the rules to check if someone is in the group or not, it gives the following error:

"unable to complete due to service connection error dynamic group"

What is strange is that if I create a new group, it works, so it's not a network error.

For the current groups I have also made my admin account the owner to check, but I still get the same error.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator
    2025-12-16T10:19:31.3333333+00:00

    Hey Shahrukh! It sounds like you're having trouble validating dynamic group rules on your new admin account in Microsoft Entra. The error message "unable to complete due to service connection error dynamic group" can be quite frustrating, especially since it works fine on your primary account and for new groups.

    Here are a few things you can check and try:

    1. Role and Permissions: Make sure that your second admin account has the necessary permissions. You should be a Global Administrator, Intune Administrator, or User Administrator in Microsoft Entra to manage dynamic groups. Sometimes, permission issues may arise even if roles appear to have been transferred.
    2. Membership Processing Status: Check the membership processing status of the dynamic group:
      • Go to Azure Active Directory > Groups.
      • Select your dynamic group and check the “Overview” page. Ensure the status is not “Processing Error” or “Update Paused.” If it shows “Processing,” you might need to wait as processing can take some time, especially with larger tenant sizes.
    3. Validation of Dynamic Membership Rules: Review the dynamic membership rules for the group:
      • Ensure that the rules don't have unsupported attributes or incorrect syntax. Complex rules or unsupported attributes can lead to errors like this.
    4. Force Group Processing: To manually trigger a re-evaluation of the group membership, you can slightly modify the membership rule (e.g., adding or removing whitespace) to force it to process.
    5. Check Licensing: Make sure your tenant has the necessary Microsoft Entra ID P1 Premium license, as this is required to create and manage dynamic groups.
    6. Network and Access Issues: Since you mentioned that creating new groups works fine, it's less likely to be a network error, but do double-check your network security group rules if you're using Microsoft Entra Domain Services URLs.

    If none of this resolves the issue, here are a few follow-up questions that might help us diagnose the problem further:

    • Are you certain that your second admin account has all the necessary permissions similar to your primary account?
    • Have you noticed any patterns with specific rules or attributes that cause this issue, or is it happening consistently across all groups?
    • How are the dynamic groups set up regarding the attributes being used for their rules?

    Feel free to provide more details, and I'll assist you further! Hope this helps!

    Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.


  2. LeeM 41 Reputation points
    2026-05-26T01:24:05.7133333+00:00

    Just to add my 2c - none of the issues Mr Copilot Bot highlighted are relevant to this problem (although definitely worth checking if there are problems with dynamic groups in general). This is specifically about using the Validate Rules feature on a working dynamic group to check why a specific user is or is not in scope.

    In my experience, unless you are signed in with the GA role, accounts you add for validation against the dynamic rule appear with a grey question mark status and you get the "Unable to complete due to service connection error. Please try again later." error - not even an "access denied" error. This is across multiple tenants with E5 and A5 licensing and a minimum of E3 (incl P2) licenses for all users.

    There may be another role that allows it to work, but I have not found any that does. My account is currently a member of the roles listed below and it still fails. Yet, I can manage the group properties, modify the dynamic rule, check the membership, view the group and user audit logs, etc. Even being the group Owner gives the same error on Validate Rules.

    This has been an issue since Azure AD and dynamic groups existed - I tried a support case years ago with no resolution. So, other than elevating to GA (for what should be a Groups or Users Admin task), I can't offer a solution, other than to let others know it's not just them or their tenant.

    Groups Administrator
    User Administrator
    Security Administrator
    Authentication Administrator
    Service Support Administrator
    Message Center Reader
    Hybrid Identity Administrator
    License Administrator
    Conditional Access Administrator
    Privileged Role Administrator
    Reports Reader
    Security Reader
    Privileged Authentication Administrator
    

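The two things the thread keeps circling back to are (a) which directory roles the second account actually holds and (b) whether a given user satisfies a dynamic rule when the portal's Validate Rules button fails. The following is an added example, not code from any poster, that checks both through the Microsoft Graph PowerShell SDK; it assumes the SDK is installed, that the signed-in account can consent to the `Directory.Read.All` and `Group.Read.All` scopes, and that `<group-object-id>`, `<user-object-id>` and the sample rule are placeholders you replace with your own values.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
# Scopes are an assumption about the minimum needed; adjust to your tenant's policy.
Connect-MgGraph -Scopes 'Directory.Read.All', 'Group.Read.All' -NoWelcome

# --- 1. Which directory roles does the signed-in account actually hold? ---
# Only roles that are currently active appear here; a role that is merely
# eligible through PIM but not activated will be missing, which is one way a
# "transferred" role can silently not apply.
$upn  = (Get-MgContext).Account
$meId = (Get-MgUser -UserId $upn -Property Id).Id
$activeRoles = Get-MgUserMemberOf -UserId $meId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] } |
    Sort-Object
"Active directory roles for ${upn}:"
$activeRoles

# --- 2. Evaluate a user against an existing group's dynamic rule via Graph ---
# Placeholders: replace with the object IDs from the Entra portal.
$groupId = '<group-object-id>'
$userId  = '<user-object-id>'
$existing = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/groups/$groupId/evaluateDynamicMembership" `
    -Body @{ memberId = $userId } -ContentType 'application/json'
"Rule on group:           $($existing.membershipRule)"
"User satisfies rule:     $($existing.membershipRuleEvaluationResult)"
# Per-clause breakdown, useful when the result is unexpected:
$existing.membershipRuleEvaluationDetails | ConvertTo-Json -Depth 5

# --- 3. Evaluate a candidate rule BEFORE saving it to the group ---
# This is the "test who is in scope before I publish" case from the question.
# The rule below is a constructed sample, not one from the thread.
$candidateRule = '(user.department -eq "Finance") and (user.accountEnabled -eq true)'
$proposed = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/groups/evaluateDynamicMembership' `
    -Body @{ memberId = $userId; membershipRule = $candidateRule } -ContentType 'application/json'
"User would match candidate rule: $($proposed.membershipRuleEvaluationResult)"
```

If the Graph call returns an authorization error while the portal returns the generic "service connection error", that at least tells you the failure is a permission boundary rather than a transient service fault.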

  3. Shahrukh Ali 20 Reputation points
    2025-12-16T11:00:23.0433333+00:00

    Hi Shubham,

    Thank you for responding.

    1. I had the "User Administrator" and "Intune Administrator" roles on my primary account, and this is also the same on my admin account.
    2. The dynamic rule processing status is "Succeeded". As mentioned, the rules work; I just can't validate. This is not good, as I want to test who is in a group once I have edited it, before I save and publish the rule.
    3. The rules do not have invalid syntax; as stated before, the rule still processes.
    4. I have tried this, but still the same issue.
    5. We have Microsoft Entra ID P2 licenses.
    6. As stated, not a network issue. I actually tried on a different network as well and still got the same error.

