Group Types in Entra ID

Question

Group Types in Entra ID

sendhil 25

Hi Team,

As per the link there are only 2 group types defined in entra id

Security groups
MS 365 groups

Question 1:

Is this MS 365 group is stored in exchange or is it purely an exchange capability?

However , the compare the group type documentation states that there are 6 groups available.

Security groups
MS 365 groups
Mail Enabled security group
Distribution List
shared mail box
dynamic distribution groups

Question 2:

Are these 2 links talking about the same or different functionality?
Are list items 3 to 6 in the above list are the capability of exchange and not relevant to Entra ID?

Question 3 :

I am planing to add one or more email address into a security group. I would like to check whether the individual email addresses created as a "contact" / "external contact" in exchange can be added to the "Security groups" or "Mail Enabled security groups" ?

Question 4 :

Will the contacts created in exchange ( to meet question 3 ) be available in the outlook automatically? is there a way to prevent this ?

Question 5 :

Can Graph API read all the "Mail Enabled security groups" or "Distribution Lists" associated with a user ?

Accepted answer

0 additional answers

Your answer

Answer 1

Alex Burlachenko 10,255

hi sendhil

lemme break it down for u in simple terms ))

thanks for throwing this question here! super helpful for others who might be scratching their heads too.

question 1: ms 365 groups are stored in exchange, but they’re also part of entra id. think of it like this they live in both places because they need to work across ms 365 apps. exchange handles the mail stuff, while entra id manages access and membership.

question 2: aha, now this is where it gets tricky )) the first link talks about core group types in entra id (security & ms 365 groups). the second one includes exchange-specific groups like mail-enabled security groups, distribution lists, etc. so yes, items 3-6 are exchange capabilities, not native entra id groups. check this doc for exchange stuff.

question 3: u can add external contacts to a mail-enabled security group! but regular security groups (without mail enabled) won’t work for email addresses. here’s how:

create a contact in exchange for the external email.

add it to the mail-enabled security group. boom, done! microsoft explains it here.

question 4: contacts u create in exchange usually show up in outlook by default. if u wanna stop that, u gotta tweak the address book policies. but fair warning it’s a bit involved. this doc has the deets.

question 5: yes! graph api can totally fetch mail-enabled security groups and distribution lists for a user. u’d use the /memberOf endpoint or check group memberships directly. microsoft’s graph api docs cover this.

hope this clears things up! entra id + exchange can feel like a maze, but once u get the hang of it, it’s not so bad ))) let me know if anything’s still fuzzy

Best regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx.
P.S. If my answer help to you, please Accept my answer
PPS That is my Answer and not a Comment

https://ctrlaltdel.blog/

sendhil 25 Reputation points

2025-06-02T13:00:10.0733333+00:00
Hi @Alex Burlachenko

Many thanks for the clarity on this topic. Very much appreciated.

Few followup related to guest users in Entra ID & attributes of Entra ID security groups.

Is this possible to create a guest user manually or programmatically in Entra ID B2B and not send any invite? If yes , can this guest user be added to a security group in Entra ID ?

I am looking for some attributes that I could attach to the security group to meet few functional requirements ( like association a company to the group , checking whether the group is optional or not , etc) . The Entra ID security groups do not support the custom security attributes . is there any alternate solutions to achieve this with the security groups?

Thanks,

Sendhil
Alex Burlachenko 10,255 Reputation points

2025-06-02T15:05:00.4333333+00:00
oh hi Sendhil! thanks for the follow-up, man, great questions )) let’s dive right in.

guest users in entra id b2b without invites? aha, yes! u can totally create guest users without sending invites, both manually and programmatically. manually in the entra admin center, just add a guest user and uncheck the "send invite" box. yep, done.

programmatically use powershell (new-mguser) or graph api with invitationredeemptionurl set to none. microsoft’s got the deets here. and yep, these guest users can be added to security groups, no prob ))

adding attributes to security groups? ugh, i feel u custom attributes would be so handy, but security groups don’t support ’em directly. BUT here’s the workaround

use dynamic groups: if u can define rules based on existing attributes (like company or department), dynamic groups might do the trick. check this doc.

store metadata elsewhere: maybe in a separate list (sharepoint? azure table storage?) and link it to group ids. not perfect, but it works.

abuse descriptions: yeah, it’s janky, but u could cram extra info into the group’s description field. just sayin’ :::))

wish there was a cleaner way, but hey microsoft’s gotta keep us on our toes, right? )

Best regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx. P.S. If my answer help to you, please Accept my answer PPS That is my Answer and not a Comment

https://ctrlaltdel.blog/

Share via

Group Types in Entra ID

0 additional answers

Your answer