Create, configure, and manage groups

  • 3 minutes

A Microsoft Entra group helps organize users, which makes it easier to manage permissions. Using groups lets the resource owner (or Microsoft Entra directory owner), assign a set of access permissions to all the members of the group, instead of having to provide the rights one-by-one. Groups allow us to define a security boundary and then add and remove specific users to grant or deny access with a minimum amount of effort. Even better, Microsoft Entra ID supports the ability to define membership based on rules - such as what department a user works in, or the job title they have.

Microsoft Entra ID allows you to define two different types of groups.

  • Security groups - the most common type of groups and are used to manage member and computer access to shared resources for a group of users. For example, you can create a security group for a specific security policy. By doing it this way, you can give a set of permissions to all the members at once, instead of having to add permissions to each member individually. This option requires a Microsoft Entra administrator.
  • Microsoft 365 groups - provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. This option is available to users as well as admins.

View available groups

You can view all groups through the Groups item under the Manage group from the Microsoft Entra - Identity dashboard. A new Microsoft Entra ID deployment won't have any groups defined.

Screenshot of the Microsoft Entra ID view all groups page. It shows a list of several groups that already exist, along with attributes about group like Group Type and Membership Type.

The second characteristic of a group that you need to be aware of is the Membership Type. This specifies how individuals members are added to the group. The two types are:

  • Assigned - members are added and maintained manually.
  • Dynamic - members are added based on rules, creating a Dynamic Group. These groups are still either a security group or Microsoft 365 group, just their members are controlled by rule.

Dynamic groups

The final type of group is a dynamic group, which the name implies, the membership is generated by a formula each time the group is used. A dynamic group includes any recipient in Active Directory with attribute values that match its filter. If a recipient's properties are modified to match the filter, the recipient could inadvertently become a group member and start receiving messages that are sent to the group. Well-defined, consistent account provisioning processes will reduce the chances of this issue occurring.

Screenshot of the Dynamic Group membership rule generator. In this dialog you can add rules to let you define exactly what users can be a part of the group. You could set up a rule that includes on members from a specific country.

This dynamic group would consist of all valid members of the Microsoft Entra ID.