Troubleshoot and resolve groups issues
This article contains troubleshooting information for groups in Azure Active Directory (Azure AD), part of Microsoft Entra.
Troubleshooting group creation issues
I disabled security group creation in the Azure portal but groups can still be created via PowerShell
The User can create security groups in Azure portals setting in the Azure portal controls whether or not non-admin users can create security groups in the Access panel or the Azure portal. It does not control security group creation via PowerShell.
To disable group creation for non-admin users in PowerShell:
Verify that non-admin users are allowed to create groups:
Get-MsolCompanyInformation | Format-List UsersPermissionToCreateGroupsEnabled
If it returns
UsersPermissionToCreateGroupsEnabled : True, then non-admin users can create groups. To disable this feature:
Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False
I received a max groups allowed error when trying to create a Dynamic Group in PowerShell
If you receive a message in PowerShell indicating Dynamic group policies max allowed groups count reached, this means you have reached the max limit for Dynamic groups in your organization. The max number of Dynamic groups per organization is 5,000.
To create any new Dynamic groups, you'll first need to delete some existing Dynamic groups. There's no way to increase the limit.
Troubleshooting dynamic memberships for groups
I configured a rule on a group but no memberships get updated in the group
- Verify the values for user or device attributes in the rule. Ensure there are users that satisfy the rule. For devices, check the device properties to ensure any synced attributes contain the expected values.
- Check the membership processing status to confirm if it is complete. You can check the membership processing status and the last updated date on the Overview page for the group.
If everything looks good, please allow some time for the group to populate. Depending on the size of your Azure AD organization, the group may take up to 24 hours for populating for the first time or after a rule change.
I configured a rule, but now the existing members of the rule are removed
This is expected behavior. Existing members of the group are removed when a rule is enabled or changed. The users returned from evaluation of the rule are added as members to the group.
I don't see membership changes instantly when I add or change a rule, why not?
Dedicated membership evaluation is done periodically in an asynchronous background process. How long the process takes is determined by the number of users in your directory and the size of the group created as a result of the rule. Typically, directories with small numbers of users will see the group membership changes in less than a few minutes. Directories with a large number of users can take 30 minutes or longer to populate.
How can I force the group to be processed now?
Currently, there is no way to automatically trigger the group to be processed on demand. However, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end.
I encountered a rule processing error
The following table lists common dynamic membership rule errors and how to correct them.
|Rule parser error||Error usage||Corrected usage|
|Error: Attribute not supported.||(user.invalidProperty -eq "Value")||(user.department -eq "value")
Make sure the attribute is on the supported properties list.
|Error: Operator is not supported on attribute.||(user.accountEnabled -contains true)||(user.accountEnabled -eq true)
The operator used is not supported for the property type (in this example, -contains cannot be used on type boolean). Use the correct operators for the property type.
|Error: Query compilation error.||1. (user.department -eq "Sales") (user.department -eq "Marketing")
2. (user.userPrincipalName -match "*@domain.ext")
|1. Missing operator. Use -and or -or to join predicates
(user.department -eq "Sales") -or (user.department -eq "Marketing")
2. Error in regular expression used with -match
(user.userPrincipalName -match ".*@domain.ext")
or alternatively: (user.userPrincipalName -match "@domain.ext$")
These articles provide additional information on Azure Active Directory.