Recommendations to automate user groups based on user employment type

Question

Recommendations to automate user groups based on user employment type

Gary T 0

Hi,

I’m sure others have encountered this issue before. I’m trying to assign users to separate Azure security groups based on their Employee Type property in Entra ID.

For example, I’d like users with "Full Time Employee" as their Employee Type to be dynamically added to a group called FTE, which grants access to apps intended only for full-time employees. I want to do something similar for contractors as well.

However, it seems that dynamic membership rules for security groups do not support the Employee Type attribute directly. Is there a workaround for this?

We are a fully cloud-based environment using Entra ID — no on-premises Active Directory.

Thanks in advance for any guidance!

Jyotishree Moharana 325 Reputation points Microsoft External Staff

2025-04-07T14:48:01.1766667+00:00

Hello @Gary T,

Following up to see if the answer provided by Vasil Michev was helpful.

And, if you have any further query or questions, please do let us know.

We would also request to kindly review the document https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership to check the current list of supported attributes for dynamic groups creation, if any of the attribute can be utilized in place of Employee Type attribute.
Jyotishree Moharana 325 Reputation points Microsoft External Staff

2025-04-08T11:50:42.1633333+00:00

Hello @Gary T,

Following up to see if the answer provided by Vasil Michev was helpful.

And, if you have any further query or questions, please do let us know.
Jyotishree Moharana 325 Reputation points Microsoft External Staff

2025-04-09T10:54:06.97+00:00

Hello @Gary T,

Following up to see if the answer provided by Vasil Michev was helpful.

And, if you have any further query or questions, please do let us know.

1 answer

Your answer

Jyotishree Moharana 325 Reputation points Microsoft External Staff

2025-04-07T14:48:01.1766667+00:00

Hello @Gary T,

Following up to see if the answer provided by Vasil Michev was helpful.

And, if you have any further query or questions, please do let us know.

We would also request to kindly review the document https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership to check the current list of supported attributes for dynamic groups creation, if any of the attribute can be utilized in place of Employee Type attribute.
Jyotishree Moharana 325 Reputation points Microsoft External Staff

2025-04-08T11:50:42.1633333+00:00

Hello @Gary T,

Following up to see if the answer provided by Vasil Michev was helpful.

And, if you have any further query or questions, please do let us know.
Jyotishree Moharana 325 Reputation points Microsoft External Staff

2025-04-09T10:54:06.97+00:00

Hello @Gary T,

Following up to see if the answer provided by Vasil Michev was helpful.

And, if you have any further query or questions, please do let us know.

Answer 1

Vasil Michev 116.7K MVP

That's correct, dynamic membership rules do not currently support the employeeType attribute. You have few options: create a static membership group instead, which you can periodically update via PowerShell/Graph API; use a different attribute if possible; if no suitable attribute exists, consider "copying" the value of employeeType to one of the extensionAttributeXX attributes, which are supported for dynamic membership rules.

Chinmayi Bose 0 Reputation points

2025-04-07T18:05:21.8933333+00:00

Hi Vasil,

I have created extension via Graph API. It is resulted as "extension_userObjectID_EmpType": "Contract" (unable to see this attribute as user property in GUI unless we run the rule syntax). As the user object ID is a unique value, we may have to create the attribute and update the object ID manually for all the users before creating dynamic membership rule ( To edit Rule Syntax manually).

Could you help me to create extensionAttributeXX so that I can update the value of EmployeeType to it.

Also, we are trying to automate this complete process, so let us know if we can user Power Automate or similar tools to perform this action.

Please note we are a fully cloud-based environment using Entra ID — no on-premises Active Directory.

Thank you!
Vasil Michev 116.7K Reputation points MVP

2025-04-07T20:06:03.3566667+00:00
You don't have to create the set of extensionAttributeXX attributes, they are already available for each user. You can access them programmatically via the Graph API (onPremisesExtensionAttributes resource) or PowerShell:

Get-MgUser -UserId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -Property onPremisesExtensionAttributes | select -ExpandProperty onPremisesExtensionAttributes Update-MgUser -UserId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -OnPremisesExtensionAttributes @{"extensionAttribute4"="Value"}

Share via

Recommendations to automate user groups based on user employment type

1 answer

Your answer