Here is an overview of our discussion with Microsoft Sherweb vendor:
- We discussed that the possible cause of the SSPR issue you are facing could be due to the license prerequisites not being met.
- The dynamic security group added to the SSPR scope has around 4,000+ members.
- The prerequisite for a dynamic group is that the total number of Entra ID P1/P2 licenses should equal the total number of unique users added to that group.
- However, as we checked, you have only around 1,800 licenses, including P1/P2.
- This is why the dynamic group added to the SSPR scope is not behaving correctly.
- As discussed during our meeting, we kindly request you to create a new static security group and add only the licensed users.
- Once the group is created, please add it to the SSPR scope and remove the dynamic group.
· What Shabaaz meant here is to remove the users that you've added to the test group from the dynamic group, so as not to impact your overall current users, and not to remove the full dynamic group from SSPR.
- After completing these steps, kindly share the new security group name and the members' UPNs who are part of the new security group.
- Once you enable SSPR for the new group, please test it for at least 7 days and let us know the outcome.
Adding in green a clarification of one of the steps, as currently what is being done is a test to ensure that the intermittent issue is not happening due to the security group being bloated and, as Shabaaz noted, not meeting the compliance in terms of dynamic membership prerequisite.
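
The license comparison and the static group described in the summary above could be scripted as follows. This is an added example, not part of the original thread and not from Microsoft or Sherweb. It assumes the Microsoft Graph PowerShell SDK is installed; the group names are placeholders.

```powershell
# Added example. Requires the Microsoft.Graph module and an admin sign-in.
# The three names below are placeholders, not values from the thread.
$DynamicGroupName = '<dynamic-group-display-name>'
$StaticGroupName  = '<new-static-group-display-name>'
$StaticGroupNick  = '<new-static-group-mailnickname>'   # no spaces allowed
$PremiumPlans     = 'AAD_PREMIUM', 'AAD_PREMIUM_P2'      # Entra ID P1 / P2 service plans

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All', 'Organization.Read.All'

# Purchased seats across every SKU that bundles Entra ID P1 or P2.
$seats = (Get-MgSubscribedSku |
    Where-Object { $_.ServicePlans.ServicePlanName | Where-Object { $_ -in $PremiumPlans } } |
    ForEach-Object { $_.PrepaidUnits.Enabled } |
    Measure-Object -Sum).Sum

# Unique user members of the dynamic group currently in the SSPR scope.
$dynamic = Get-MgGroup -Filter "displayName eq '$DynamicGroupName'"
$users = @(Get-MgGroupMember -GroupId $dynamic.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })

# Keep only members who actually hold an active P1/P2 service plan.
$licensed = @(foreach ($u in $users) {
    $plan = (Get-MgUserLicenseDetail -UserId $u.Id).ServicePlans |
        Where-Object { $_.ServicePlanName -in $PremiumPlans -and
                       $_.ProvisioningStatus -eq 'Success' }
    if ($plan) {
        [pscustomobject]@{
            Id  = $u.Id
            UPN = $u.AdditionalProperties['userPrincipalName']
        }
    }
})

'{0} users in dynamic group, {1} hold P1/P2, {2} P1/P2 seats purchased' -f `
    $users.Count, $licensed.Count, $seats

# Static security group containing licensed users only.
$static = New-MgGroup -DisplayName $StaticGroupName -MailNickname $StaticGroupNick `
    -MailEnabled:$false -SecurityEnabled
foreach ($l in $licensed) {
    New-MgGroupMember -GroupId $static.Id -DirectoryObjectId $l.Id
}

# Group name and member UPNs, as requested in the summary.
$licensed | Select-Object UPN | Export-Csv -Path "$StaticGroupNick-members.csv" -NoTypeInformation
```

The script does not change the SSPR scope itself; the new group still has to be selected in the SSPR settings.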