What are dynamic groups in Entra ID?
In most organizations, groups control access to everything: applications, file shares, Teams channels, email distribution lists, and more. Traditionally, someone on the IT team manually adds users to the right groups when they join and removes them when they leave or change roles. This works when you have 20 people. It falls apart at 200.
Dynamic groups solve this by automating group membership. Instead of manually adding users, you define rules based on user attributes. Entra ID then evaluates those rules and keeps the group membership up to date automatically.
For example, you could create a rule that says "add all users where department equals Marketing." When a new marketing hire shows up in Entra ID, they are automatically added to the group. When someone transfers out of marketing, they are automatically removed.
How do dynamic group rules work?
Dynamic group rules use a simple expression syntax that references user attributes stored in Entra ID. Some common examples:
- By department: user.department -eq "Engineering" adds all engineers.
- By job title: user.jobTitle -contains "Manager" adds anyone with "Manager" in their title.
- By location: user.country -eq "Sweden" adds all users based in Sweden.
- Combined rules: (user.department -eq "Sales") -and (user.country -eq "Norway") adds salespeople in Norway.
You can combine multiple conditions with -and and -or operators. The rule engine supports string operations like -eq (equals), -contains, -startsWith, and -match (for regex patterns).
Entra ID evaluates these rules periodically. When a user attribute changes — say, their department is updated from "Sales" to "Marketing" — the system recalculates group memberships. The user is removed from Sales groups and added to Marketing groups without anyone lifting a finger.
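To make the rule syntax above concrete, here is an added Python model of the rule engine (example code written for this page, not part of the original article or of Entra ID) that tokenizes, parses and evaluates the operators listed above against a handful of constructed user records. The user records and the assumption that string comparisons ignore case are mine; the records deliberately include inconsistent "department" spellings so the effect of dirty attribute data on rule results is visible.

```python
import re

USERS = [  # constructed sample users (not real tenant data); note the inconsistent department values
    {"name": "Ada", "department": "Engineering", "jobTitle": "Engineering Manager", "country": "Sweden"},
    {"name": "Bo", "department": "Eng", "jobTitle": "Developer", "country": "Norway"},
    {"name": "Cy", "department": "Sales", "jobTitle": "Account Manager", "country": "Norway"},
    {"name": "Di", "department": "R&D/Engineering", "jobTitle": "Sales Rep", "country": "Sweden"},
]
# One token per match: "(" | ")" | "quoted literal" | -operator | user.<attribute>
_TOKEN = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(-[A-Za-z]+)|user\.([A-Za-z]+))')

def tokenize(rule):
    rule, pos, out = rule.strip(), 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m: raise ValueError(f"bad rule syntax near: {rule[pos:]!r}")
        pos = m.end()
        paren, lit, op, attr = m.group(1) or m.group(2), m.group(3), m.group(4), m.group(5)
        out.append(("paren", paren) if paren else ("str", lit) if lit is not None
                   else ("op", op.lower()) if op else ("attr", attr))
    return out

def parse(tokens):
    # Recursive descent over the token list (consumed front to back):
    # or_expr := and_expr (-or and_expr)*; and_expr := atom (-and atom)*; atom := "(" or_expr ")" | attr op lit
    def atom():
        kind, val = tokens.pop(0)
        if kind == "paren":
            node = or_expr(); tokens.pop(0); return node   # parse inside "(" ... ")", then drop the ")"
        return ("cmp", val, tokens.pop(0)[1], tokens.pop(0)[1])
    def chain(sub, keyword):
        node = sub()
        while tokens and tokens[0] == ("op", keyword):
            tokens.pop(0); node = (keyword[1:], node, sub())
        return node
    def and_expr(): return chain(atom, "-and")
    def or_expr(): return chain(and_expr, "-or")
    return or_expr()

def evaluate(node, user):
    if node[0] == "and": return all(evaluate(c, user) for c in node[1:])
    if node[0] == "or": return any(evaluate(c, user) for c in node[1:])
    _, attr, op, lit = node
    val = str(user.get(attr) or "")                # a missing attribute compares as an empty string
    if op == "-match": return re.search(lit, val, re.IGNORECASE) is not None
    val, lit = val.lower(), lit.lower()            # assumption of this model: string operators ignore case
    ops = {"-eq": val == lit, "-contains": lit in val, "-startswith": val.startswith(lit)}
    return ops[op]                                 # KeyError for operators this model does not implement

def members(rule, users=USERS):
    tree = parse(tokenize(rule))                   # parse once, then evaluate per user
    return [u["name"] for u in users if evaluate(tree, u)]
```

Running members('user.department -eq "Engineering"') returns only Ada: Bo ("Eng") and Di ("R&D/Engineering") are silently left out, which is exactly the dirty-data pitfall described later on this page.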
What types of dynamic groups exist?
Entra ID supports two types of dynamic groups.
Dynamic security groups control access to applications, resources, and policies. These are the workhorses — you use them for things like conditional access policies, app assignments, and license assignments.
Dynamic Microsoft 365 groups manage collaboration resources like shared mailboxes, SharePoint sites, and Teams. These are useful for automatically creating collaboration spaces for departments or project teams.
Both types follow the same rule syntax. The difference is what they control downstream.
What license do you need?
Dynamic groups require at least an Entra ID P1 license. This is an important detail because many smaller organizations start with the free tier or basic Microsoft 365 licenses that do not include P1 features.
You need the P1 license for every user who could potentially be a member of a dynamic group — in practice, this usually means licensing all your users.
Why are dynamic groups important for identity governance?
Dynamic groups are one of the most practical tools for reducing manual identity work.
Faster onboarding. When a new employee is created in Entra ID with the right attributes (department, title, location), they automatically land in the correct groups. That means they get the right app access, licenses, and permissions from day one without IT having to configure anything for that specific person.
Cleaner offboarding. When someone leaves and their account is disabled or deleted, they are automatically removed from all dynamic groups. No more orphaned memberships lingering in groups weeks after someone has left.
Role changes handled automatically. The "mover" scenario — when someone changes departments or gets promoted — is one of the hardest to manage manually. With dynamic groups, updating a user's department attribute triggers automatic group membership changes. The old access goes away, the new access appears.
Less group sprawl. Because dynamic groups are rule-based, you can consolidate many manually managed groups into fewer, well-defined dynamic groups. This makes your directory cleaner and easier to audit.
Common pitfalls with dynamic groups
Dirty data breaks everything. Dynamic groups are only as good as the user attributes they depend on. If the "department" field is inconsistent — some users say "Engineering," others say "Eng," and a few say "R&D/Engineering" — your rules will not catch everyone. Before relying heavily on dynamic groups, clean up your user attributes.
Processing delays. Entra ID does not update dynamic group memberships instantly. After a user attribute changes, it can take anywhere from a few minutes to several hours for the group membership to update. Microsoft states that initial population of a large group can take up to 24 hours. Plan for this delay in your onboarding processes.
Rule complexity limits. While you can build fairly complex rules, there are limits. A single rule can have a maximum of five expressions when using the rule builder in the Azure portal. For more complex scenarios, you need to use the advanced rule editor, which has its own syntax quirks.
No nested dynamic groups. You cannot create a dynamic group that includes members of another dynamic group. Group nesting only works with assigned (static) groups. This limits some organizational patterns.
How Adcyma works with dynamic groups
Adcyma integrates directly with your Entra ID tenant and uses dynamic groups as part of its lifecycle management engine. Rather than replacing dynamic groups, Adcyma builds on them.
Where Entra ID's native dynamic groups handle basic attribute-based membership, Adcyma adds governance logic on top. This means you can define access policies that combine dynamic group membership with approval workflows, time-based access, and compliance requirements.
For organizations that find native dynamic group rules too limited or too hard to manage, Adcyma provides a simpler interface for defining who should have access to what, with dynamic groups doing the heavy lifting in the background.
When should you use dynamic groups vs. static groups?
Use dynamic groups when membership should follow a clear, attribute-based rule. Department-level access, location-based policies, and license assignments are all good candidates.
Use static (assigned) groups when membership is ad hoc or exception-based. Project teams, temporary access grants, and groups with a handful of specific people are usually better managed manually.
Most organizations end up using a mix of both. The goal is to automate what you can with dynamic groups and keep manual management to a minimum for everything else.