Configure dynamic membership
Microsoft Teams supports teams associated with Microsoft 365 Groups by using dynamic membership.
You can use dynamic membership to define members of a team by one or more rules that check for certain user attributes in Microsoft Entra ID. Users are automatically removed or added to the designated teams as user attributes change or users join and leave the tenant. Possible scenarios include:
- A hospital can create distinct teams for nurses, doctors, and surgeons to broadcast communications. This capability is especially important if the hospital relies on temp employees.
- A university can create a team for all faculty within a college, including an adjunct faculty that changes frequently.
- An airline wants to create a team for a frequently changing flight crew automatically assigned or removed as needed.
Using this feature, a given team's members update automatically based on a specific set of criteria, instead of manually managing membership.
Note
Using dynamic groups requires Microsoft Entra ID P1 licenses for any users in scope.
It may take anywhere from a few minutes to up to 2 hours to reflect dynamic membership changes once they take effect in the Microsoft 365 Group for a team. For dynamic group membership in teams, you must consider the following:
- Rules can define who is a team member of a team, but not who is a team owner.
- Owners won’t be able to add or remove users as members of the team, since members are defined by dynamic group rules.
- Members won’t be able to leave teams backed by dynamic groups.
Enable dynamic membership
To enable dynamic membership in a Team, you must modify the underlying Microsoft 365 group membership rule using the Microsoft Entra admin center or PowerShell. The references to the group won't be changed if you modify the membership. If the group is used for access every member added by the dynamic membership rule will have access to the resources of the group.
There currently isn't a way to create a team with dynamic membership directly. You can either create a team then change the membership rule of the associated Microsoft 365 group or create a Microsoft 365 group with dynamic user membership type then create a team from the existing Microsoft 365 Group.
Warning
When changing an existing static group to a dynamic group, all existing members are removed from the group, and then the membership rule is processed to add new members. If the group is used to control access to apps or resources, be aware that the original members might lose access until the membership rule is fully processed. You should test the new membership rule beforehand to make sure that the membership in the group is as expected.
Use Microsoft Entra admin center
Do the following steps to change the group membership of an existing team to a rule based dynamic membership.
Sign into the Microsoft Entra admin center with an account that is a global administrator, user administrator or groups administrator in your Microsoft Entra organization.
In the left-pane menu, select Groups.
From the All groups list, open the group that you want to change.
Select Properties. On the Properties page for your selected group, select a Membership type of Dynamic User.
Select Add dynamic query, and then provide the rule.
After creating the rule, click save to go back to Properties page.
Select Save on the Properties page for the group to save your changes. The Membership type of the group is immediately updated in the group list.
Use Microsoft Graph PowerShell
To change the membership type of a group, use Microsoft Graph PowerShell.
Note: Azure AD and MSOnline PowerShell modules are planned for deprecation and the PowerShell commands have been changed to reflect Microsoft Graph PowerShell.
Use the following command to switch the group to dynamic membership:
Set-MgGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "On" -MembershipRule $dynamicMembershipRule
To create the $groupTypes
variable you have to get the group types of the existing group and add the String "dynamicMembership" to it.
$groupTypes = (Get-MgGroup -Id $groupId).GroupTypes
$groupTypes.Add("DynamicMembership")
Create a dynamic membership rule
You can build a rule from one or more expressions. A single expression has the format Property Operator Value. For example: user.department -eq "Sales"
. If you want to add multiple expressions to a single rule, you can use the same operators to combine them and keep every expression in its own parenthesis:
(user.department -eq "Sales") -and (user.department -eq "Marketing")
There are three types of properties that can be used to construct a membership rule.
Boolean
String
String collection
The supported operators are:
Operator | Syntax |
---|---|
Not Equals | -ne |
Equals | -eq |
Not Starts With | -notStartsWith |
Starts With | -startsWith |
Not Contains | -notContains |
Contains | -contains |
Not Match | -notMatch |
Match | -match |
In | -in |
Not In | -notIn |
The values used in an expression may consist of several types, including:
Strings
Boolean – true, false
Numbers
Arrays – number array, string array
When specifying a value within an expression, it's important to use the correct syntax to avoid errors. Some syntax tips include:
Double quotes are optional unless the value is a string.
String and regex operations are not case-sensitive.
When a string value contains double quotes, both quotes should be escaped using the character ("), for example,
user.department -eq "Sales"
is the proper syntax when "Sales" is the value.You can also do Null checks, using null as a value, for example,
user.department -eq null
.
For more information, see Dynamic membership rules for groups in Microsoft Entra ID.