Create dynamic groups in Microsoft Entra B2B collaboration

What are dynamic groups?

A dynamic group is a security group in Microsoft Entra ID whose membership is configured dynamically. It is available in the Microsoft Entra admin center. Administrators can set rules that populate groups created in Microsoft Entra ID based on user attributes (such as userType, department, or country/region). Members are automatically added to or removed from a security group based on their attributes. These groups can provide access to applications or cloud resources (SharePoint sites, documents) and can be used to assign licenses to members. Learn more about dedicated groups in Microsoft Entra ID.

Prerequisites

Microsoft Entra ID P1 or P2 licensing is required to create and use dynamic groups. Learn more in Create attribute-based rules for dynamic group membership in Microsoft Entra ID.

Creating an "all users" dynamic group

Tip

Steps in this article might vary slightly based on the portal you start from.

You can create a group containing all users within a tenant using a membership rule. When users are added or removed from the tenant in the future, the group's membership is adjusted automatically.

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.

  2. Browse to Identity > Groups > All groups, and then select New group.

  3. On the New Group page, under Group type, select Security. Enter a Group name and Group description for the new group.

  4. Under Membership type, select Dynamic User, and then select Add dynamic query.

  5. Above the Rule syntax text box, select Edit. On the Edit rule syntax page, type the following expression in the text box:

    user.objectId -ne null
    
  6. Select OK. The rule appears in the Rule syntax box:

    Screenshot of rule syntax for all users dynamic group.

  7. Select Save. The new dynamic group will now include B2B guest users and member users.

  8. Select Create on the New group page to create the group.

Creating a group of members only

If you want your group to exclude guest users and include only members of your tenant, create a dynamic group as described above, but in the Rule syntax box, enter the following expression:

    (user.objectId -ne null) and (user.userType -eq "Member")

The following image shows the rule syntax for a dynamic group modified to include members only and exclude guests.

Screenshot of rule syntax where user type equals member.

Creating a group of guests only

You might also find it useful to create a new dynamic group that contains only guest users, so that you can apply policies (such as Microsoft Entra Conditional Access policies) to them. Create a dynamic group as described above, but in the Rule syntax box, enter the following expression:

    (user.objectId -ne null) and (user.userType -eq "Guest")

The following image shows the rule syntax for a dynamic group modified to include guests only and exclude member users.

Screenshot of rule syntax where user type equals guest.
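
The three rules above differ only in their userType clause, and the rule without one includes B2B guests. The following Microsoft Graph PowerShell script is an added example, not part of the original article: it is a read-only review that lists the tenant's dynamic groups and labels each one by that clause. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to Group.Read.All; the labels are a text match on the rule, chosen here for illustration.

```powershell
# Added example: read-only review of dynamic user groups and their userType scope.
# Assumes the Microsoft Graph PowerShell SDK and consent to Group.Read.All.
Connect-MgGraph -Scopes 'Group.Read.All'

# Server-side filter: only groups whose membership is driven by a rule.
$groups = Get-MgGroup -All `
    -Filter "groupTypes/any(t:t eq 'DynamicMembership')" `
    -Property 'id,displayName,membershipRule,membershipRuleProcessingState'

$report = foreach ($g in $groups) {
    $rule = $g.MembershipRule

    # Skip rules that reference no user attribute (for example device rules).
    if ($rule -notmatch 'user\.') { continue }

    # Text match only (-match is case-insensitive). A rule that combines
    # userType with other clauses still needs a manual read.
    $scope = if ($rule -match 'user\.userType\s+-eq\s+"Guest"') {
        'Guests only'
    } elseif ($rule -match 'user\.userType\s+-eq\s+"Member"') {
        'Members only'
    } elseif ($rule -match 'user\.userType') {
        'Other userType clause: review manually'
    } else {
        'No userType clause: can include B2B guests'
    }

    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Scope       = $scope
        Processing  = $g.MembershipRuleProcessingState
        Rule        = $rule
    }
}

# Groups with no userType clause behave like the "all users" rule above.
$report | Sort-Object Scope, DisplayName | Format-Table -AutoSize -Wrap
```

Groups reported with no userType clause are the ones to check before they are used to grant application access or assign licenses, because guests invited later join them automatically.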
