Create or update a dynamic membership group in Microsoft Entra ID

  • Article
  • 12/26/2024

You can use rules to determine dynamic membership groups based on user or device properties In Microsoft Entra ID, part of Microsoft Entra. This article tells how to set up a rule for a dynamic membership groups in the Azure portal.

Group membership based on user or device properties is supported for security groups and Microsoft 365 groups. When you apply a rule for a dynamic membership group, user and device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or device, all rules for dynamic membership groups in the organization are processed for changes. Users and devices are added or removed if they meet the conditions for a dynamic membership group. In Microsoft Entra, a single tenant can have a maximum of 15,000 dynamic membership groups.

Note

Security groups can be used for either devices or users, but Microsoft 365 groups can include only users.

Using dynamic membership groups requires Microsoft Entra ID P1 license or Intune for Education license. For more information, see Manage rules for dynamic membership groups in Microsoft Entra ID for more details.

Rule builder in the Azure portal

Microsoft Entra ID provides a rule builder to create and update your important rules more quickly. The rule builder supports the construction up to five expressions. The rule builder makes it easier to form a rule with a few simple expressions, however, it can't be used to reproduce every rule. If the rule builder doesn't support the rule you want to create, you can use the text box.

Here are some examples of advanced rules or syntax for which we recommend that you construct using the text box:

Note

The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing of rules for dynamic membership groups in any way.

Screenshot that shows the rules for dynamic membership groups page with the Add expression action on the tab selected.

For examples of syntax, supported properties, operators, and values for a membership rule, see Manage rules for dynamic membership groups in Microsoft Entra ID.

To create a rule for a dynamic membership group

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Groups Administrator.

  2. Select Microsoft Entra ID.> Groups.

  3. Select All groups, and select New group.

    Screenshot showing how to select the Add new group action.

  4. On the Group page, enter a name and description for the new group. Select a Membership type for either users or devices, and then select Add dynamic query. The rule builder supports up to five expressions. To add more than five expressions, you must use the text box.

    Screenshot that shows the All groups page with the New group action selected.

  5. To see the custom extension properties available for your membership query:

    1. Select Get custom extension properties
    2. Enter the application ID, and then select Refresh properties.

  6. After creating the rule, select Save.

  7. Select Create on the New group page to create the group.

If the rule you entered isn't valid, an explanation of why the rule couldn't be processed is displayed in a notification in the portal. Read it carefully to understand how to fix the rule.

To update an existing rule

  1. Sign in to the Microsoft Entra admin center as at least a Groups Administrator.

  2. Select Microsoft Entra ID.

  3. Select Groups > All groups.

  4. Select a group to open its profile.

  5. On the profile page for the group, select Dynamic membership rules. The rule builder supports up to five expressions. To add more than five expressions, you must use the text box.

    Screenshot showing how to add a rule for a dynamic membership group.

  6. To see the custom extension properties available for your membership rule:

    1. Select Get custom extension properties
    2. Enter the application ID, and then select Refresh properties.

  7. After updating the rule, select Save.

Turn on or off welcome email

When a new Microsoft 365 group is created, a welcome email notification is sent the users who are added to the group. Later, if any attributes of a user or device(only for security groups) change, all rules for dynamic membership groups in the organization are processed for changes. Users who are added then also receive the welcome notification. You can turn off this behavior in Exchange PowerShell.

Check processing status for a rule

You can see the rule processing status and the last membership change date on the Overview page for the dynamic membership group.

Screenshot of a diagram of the dynamic membership group status.

The following status messages can be shown for Dynamic rule processing status:

  • Evaluating: The group change has been received and the updates are being evaluated.
  • Processing: Updates are being processed.
  • Update complete: Processing completed and all applicable updates made.
  • Processing error: Processing couldn't be completed because of an error evaluating the membership rule.
  • Update paused: Rule for dynamic membership group updates paused by the administrator. MembershipRuleProcessingState is set to “Paused”.
  • Not started: Processing not started yet.

Note

In this screen you now may also choose to Pause processing. Previously, this option was only available through the modification of the membershipRuleProcessingState property. Those assigned at least the Groups Administrator role can manage this setting and can pause and resume dynamic membership group processing. Group owners without the correct roles do not have the rights needed to edit this setting.

The following status messages can be shown for Last membership change status:

  • <Date and time>: The last time the membership was updated.
  • In Progress: Updates are currently in progress.
  • Unknown: The last update time can't be retrieved. The group might be new.

Important

After pausing and unpausing processing of dynamic membership groups, the "Last membership change" date will show a placeholder value. This value is updated once the processing completes.

If an error occurs while processing the membership rule for a specific group, an alert is shown on the top of the Overview page for the group. If no pending dynamic membership groups updates can be processed for all the groups within the organization for more than 24 hours, an alert is shown on the top of All groups.

Screenshot showing how to process error message alerts.

Next steps

The following articles provide additional information on how to use groups in Microsoft Entra ID.