Azure AD Dynamic Groups

Rachna Priyadarshini 0 Reputation points


My company is planning to work with Azure Dynamic groups and I was hoping to get some feedback. We would like to create a dynamic group which will contain more than 200k users (when the group is first populated). Does anyone know how much time it would take to add new users who match the group conditions? Does this depend on the group size?

We want to create two groups for licensing purposes. One group will have about 60k users and the other more than 200k. The users might need to be removed from the 60k group and added to the 200k one, and our concern is that, if the time taken for adding the users is long, they might end up with no license for some time. Any feedback is much appreciated. Thanks in advance.


1 answer

  1. Harpreet Singh Matharoo 7,396 Reputation points Microsoft Employee

    Hello @Rachna Priyadarshini

    Thank you for reaching out. I would like to share the following details regarding Azure AD Dynamic Groups:

    • Azure AD Dynamic Groups can be an efficient way to manage large user groups.
    • However, the time it takes to add new users to a dynamic group can depend on several factors, such as the complexity of the group rules and the number of users already in the group.
    • Also, the following document, Troubleshooting dynamic memberships for groups, confirms that "Depending on the size of your Azure AD organization, the group may take up to 24 hours for populating for the first time or after a rule change".

    So, let's take the following example for easier explanation:

      • You have 2 Azure AD Dynamic Groups: Group A with 100 users along with an E3 license, and Group B with 200 users along with an E5 license.
      • If a user is removed from Group A since he no longer matches the rule in Group A, the E3 license would be removed.
      • If you updated the user to match the assignment rule in Group B, then the user would only be added to Group B once the rule for Group B is processed.
    • So, depending on your tenant size and rule complexity, if the rule takes 24 hours to process, then the user might end up being non-licensed for 24 hours.

    Also, please note that as per the following document, Dynamic membership rules for groups in Azure Active Directory, Azure AD Dynamic Groups requires an Azure AD Premium P1 license. You don't have to assign licenses to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the Azure AD organization to cover all such users. For example, if you had a total of 1,000 unique users in all dynamic groups in your organization, you would need at least 1,000 licenses for Azure AD Premium P1 to meet the license requirement.

    Let's assume you have 200K unique users in your tenant who are part of Azure AD Dynamic Groups; then you would need 200K Azure AD Premium P1 licenses available on your tenant to meet the license requirement.

    I hope this answer helps to resolve your issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

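The unlicensed window described in the answer can be measured from periodic membership snapshots of the two licensing groups. The following is an added example, not part of the original thread or any Microsoft tooling; the function names, user IDs and hourly snapshots are constructed, and it assumes membership is exported separately (for instance via Microsoft Graph) into sets of user IDs.

```python
from datetime import datetime, timedelta

def license_gaps(snapshots):
    """Map each user to the (start, end) windows spent in neither group.

    snapshots: time-ordered list of (timestamp, members_a, members_b); each
    members_* is the set of user IDs seen in that group at that time.
    end is None while the user is still in neither group.
    """
    gaps, seen = {}, set()
    for ts, members_a, members_b in snapshots:
        licensed = members_a | members_b
        for user in licensed:                      # close gaps that ended
            if user in gaps and gaps[user][-1][1] is None:
                gaps[user][-1][1] = ts
        for user in seen - licensed:               # open gaps that started
            if user not in gaps or gaps[user][-1][1] is not None:
                gaps.setdefault(user, []).append([ts, None])
        seen |= licensed
    return {u: [tuple(g) for g in spans] for u, spans in gaps.items()}

def gaps_over(gaps, threshold, as_of):
    """List (user, start, end, length) for gaps at least `threshold` long."""
    hits = []
    for user, spans in gaps.items():
        for start, end in spans:
            length = (end or as_of) - start        # open gaps run to as_of
            if length >= threshold:
                hits.append((user, start, end, length))
    return sorted(hits, key=lambda h: (h[0], h[1]))

# Constructed sample: hourly snapshots of Group A and Group B membership.
T0 = datetime(2024, 1, 1, 8, 0)
H = timedelta(hours=1)
SNAPSHOTS = [
    (T0,         {"u1", "u2"}, {"u3"}),
    (T0 + H,     {"u2"},       {"u3"}),        # u1 dropped from A, not yet in B
    (T0 + 2 * H, {"u2"},       {"u3"}),
    (T0 + 3 * H, {"u2"},       {"u1", "u3"}),  # u1 picked up by B
    (T0 + 4 * H, set(),        {"u1", "u3"}),  # u2 dropped from A
]

if __name__ == "__main__":
    for hit in gaps_over(license_gaps(SNAPSHOTS), H, as_of=T0 + 5 * H):
        print(hit)
```

Gap lengths are only as precise as the snapshot interval. A user who legitimately leaves both groups also appears as an open gap, so compare the output against the accounts expected to hold a license.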