
Microsoft Entra ID – Dynamic Groups with Rule Builder


Cloud and systems engineer with a strong foundation in networking, automation, and infrastructure design. I write about real-world challenges, best practices, and evolving trends in cloud computing, system administration, and network architecture.


🔑 What Are Dynamic Groups?

  • A Dynamic Group in Entra ID (Azure AD) is a group whose membership is determined automatically by rules, not manual assignment.

  • Rules are based on user or device attributes (e.g., department, job title, OS, location).

  • If an attribute changes → Entra ID automatically re-evaluates membership.

    • Example: If a user’s department changes from “Sales” → “Marketing”, they’re automatically moved to the correct group.

✅ Benefits:

  • Reduces admin effort (no manual adds/removes).

  • Keeps groups accurate & updated in real time.

  • Useful for Conditional Access, Intune policies, Teams, and license assignments.


⚖️ Licensing Requirement

  • You need Microsoft Entra Premium P1 or Microsoft Intune for Education.

  • Licensing rule: Every unique user in dynamic groups must be covered by a license.

    • Example: If 1,000 users exist across all dynamic groups, you need 1,000 P1 licenses.

  • ⚠️ Devices don’t require licenses.


🖥️ How to Create a Dynamic Group (Step by Step)

1. Go to Entra Admin Center

2. Navigate to Groups

  • Left navigation → Groups → All Groups.

  • Click + New group.

3. Fill Group Details

  • Group type → Security or Microsoft 365.

  • Group name & description → e.g., Sales Users – Dynamic.

  • Assignable role? (Yes/No).

  • Membership type → choose:

    • Dynamic User → based on user attributes.

    • Dynamic Device → based on device attributes.

⚠️ Rule: You can’t mix users & devices in one group.

4. Add Owners (optional)

  • Helps delegate group management.

  • But membership can’t be managed manually for dynamic groups.

5. Build the Membership Rule

  • Click Add dynamic query → opens Dynamic membership rules window.

  • Options:

    • Rule Builder → supports up to 5 simple expressions.

    • Rule Syntax box → for advanced, complex rules.


🛠️ Rule Syntax Basics

A rule = Property + Operator + Value

Example:

user.department -eq "Sales"

Meaning: every user whose department attribute equals "Sales" becomes a member.


Supported Operators

Operator       Example                                      Meaning
-eq            user.jobTitle -eq "Manager"                  Equals
-ne            user.department -ne "HR"                     Not equal
-contains      user.mail -contains "contoso"                String contains
-notContains   user.mail -notContains "gmail"               Does not contain
-startsWith    user.displayName -startsWith "A"             Starts with "A"
-in            user.department -in ["Sales","Finance"]      Matches any value in the list
-match         user.displayName -match "Da.*"               Regular-expression match

Multiple Expressions

You can combine expressions with -and, -or, and -not.

✅ Example 1:

(user.department -eq "Sales") -or (user.department -eq "Marketing")

→ All users in Sales or Marketing.

✅ Example 2:

(user.department -eq "Sales") -and -not (user.jobTitle -contains "Intern")

→ All Sales users except interns.


Complex Examples

  1. All users (including guests):

     user.objectId -ne null

  2. All members (excluding guests):

     (user.objectId -ne null) -and (user.userType -eq "Member")

  3. All devices:

     device.objectId -ne null

  4. Direct reports of a manager:

     Direct Reports for "62e19b97-8b3d-4d4a-a106-4ce66896a863"

     (Use the manager’s objectId as the value.)
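To make the rule grammar in this section concrete (property, operator, value, joined with -and, -or, -not and parentheses), here is a small evaluator that runs the example rules above over a constructed list of user records. This is an added example, not code from the page or from Microsoft: it supports exactly the operators in the table above, treats a missing attribute as null, and never contacts the service. Its precedence (-not binds tightest, then -and, then -or), its case-sensitive string comparison and its use of re.search for -match are assumptions of the toy, not statements about how Entra evaluates rules, and the "Direct Reports for" form is not handled.

```python
"""Toy evaluator for Entra dynamic-membership rule syntax (added example, not Microsoft's code).
It parses  property operator value  expressions joined with -and / -or / -not and parentheses
and runs them over constructed user records; nothing here contacts the service."""
import re

# One token per match: parentheses, -operators, "strings", [lists], null, and property paths.
_TOKEN = re.compile(
    r'\s*(?:(?P<punct>[()])|(?P<op>-[A-Za-z]+)|"(?P<str>[^"]*)"|\[(?P<list>[^\]]*)\]'
    r'|(?P<null>null)\b|(?P<prop>[A-Za-z_][A-Za-z0-9_.]*))'
)

def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise SyntaxError(f"unexpected text at offset {pos}: {rule[pos:pos + 12]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def _take(toks, kind=None):
    # Pop the next token, optionally insisting on its kind.
    if not toks or (kind and toks[0][0] != kind):
        found = toks[0][1] if toks else "end of rule"
        raise SyntaxError(f"expected {kind or 'a value'}, got {found!r}")
    return toks.pop(0)

# Recursive descent. Precedence is this example's own choice (an assumption): -not binds
# tightest, then -and, then -or. Parenthesise sub-expressions, as the page's examples do.
def _parse_binary(toks, op, below):
    node = below(toks)
    while toks and toks[0] == ("op", op):
        toks.pop(0)
        node = (op[1:], node, below(toks))    # ("or", left, right) / ("and", left, right)
    return node

_parse_or = lambda toks: _parse_binary(toks, "-or", _parse_and)
_parse_and = lambda toks: _parse_binary(toks, "-and", _parse_not)

def _parse_not(toks):
    if toks and toks[0] == ("op", "-not"):
        toks.pop(0)
        return ("not", _parse_not(toks))
    if toks and toks[0] == ("punct", "("):
        toks.pop(0)
        node = _parse_or(toks)
        if _take(toks, "punct")[1] != ")":
            raise SyntaxError("expected ')'")
        return node
    prop, op = _take(toks, "prop")[1], _take(toks, "op")[1]
    kind, val = _take(toks)
    if kind == "list":                 # "Sales","Finance" -> ['Sales', 'Finance']
        val = [s.strip().strip('"') for s in val.split(",")]
    elif kind == "null":
        val = None
    elif kind != "str":
        raise SyntaxError(f"bad value {val!r}")
    return ("cmp", prop, op, val)

# Only the operators from the page's table. Case-sensitive comparison, and a null (missing)
# attribute never satisfying a string operator, are assumptions of this toy.
_OPS = {
    "-eq": lambda a, e: a == e,
    "-ne": lambda a, e: a != e,
    "-in": lambda a, e: isinstance(e, list) and a in e,
    "-contains": lambda a, e: isinstance(a, str) and e in a,
    "-notContains": lambda a, e: isinstance(a, str) and e not in a,
    "-startsWith": lambda a, e: isinstance(a, str) and a.startswith(e),
    "-match": lambda a, e: isinstance(a, str) and re.search(e, a) is not None,
}

def _eval(node, record):
    if node[0] == "not":
        return not _eval(node[1], record)
    if node[0] == "and":
        return _eval(node[1], record) and _eval(node[2], record)
    if node[0] == "or":
        return _eval(node[1], record) or _eval(node[2], record)
    _, prop, op, expected = node
    if op not in _OPS:
        raise ValueError(f"unsupported operator {op}")
    attr = prop.partition(".")[2] or prop         # user.department -> department
    return _OPS[op](record.get(attr), expected)   # a missing attribute behaves as null

def members(rule, records):
    """displayName of every record the rule selects, in input order."""
    toks = tokenize(rule)
    tree = _parse_or(toks)
    if toks:
        raise SyntaxError(f"unexpected {toks[0][1]!r} after end of rule")
    return [r["displayName"] for r in records if _eval(tree, r)]

SAMPLE_USERS = [  # constructed sample directory, not real tenant data; Gwen has no department/jobTitle
    {"displayName": "Dana Ruiz", "objectId": "u1", "userType": "Member",
     "department": "Sales", "jobTitle": "Manager", "mail": "dana@contoso.com"},
    {"displayName": "Ivan Lee", "objectId": "u2", "userType": "Member",
     "department": "Sales", "jobTitle": "Sales Intern", "mail": "ivan@contoso.com"},
    {"displayName": "Mia Park", "objectId": "u3", "userType": "Member",
     "department": "Marketing", "jobTitle": "Analyst", "mail": "mia@contoso.com"},
    {"displayName": "Gwen Guest", "objectId": "u4", "userType": "Guest",
     "mail": "gwen@gmail.example"},
]
```

Calling `members('(user.department -eq "Sales") -and -not (user.jobTitle -contains "Intern")', SAMPLE_USERS)` returns only Dana: Ivan's job title contains "Intern" and is excluded by the -not. The same call with `user.objectId -ne null` returns all four records, including the guest, while adding `-and (user.userType -eq "Member")` drops Gwen, which is exactly the difference between the first two complex examples above. A rule that is cut off, such as `user.department -eq`, raises SyntaxError instead of silently matching nobody, which is the behaviour you want from anything that feeds a Conditional Access or licensing group.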


⚙️ Extension Attributes

  • Extra attributes synced from on-premises AD or from SaaS apps.

  • Format: extensionAttributeX (X = 1–15).

  • Example:

    (user.extensionAttribute15 -eq "Marketing")

  • For custom app properties (via Graph API):

    user.extension_c272a57b722d4eb29bfe327874ae79cb_OfficeNumber -eq "123"

🚫 Rules & Limitations

  • Can’t mix users & devices in one group.

  • Can’t manually add/remove members.

  • Rule body length ≤ 3072 characters.

  • Rule builder supports only 5 expressions (use syntax box for more).

  • Multi-value extension attributes are not supported.
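Several of these limits can be checked before a rule is pasted into the portal, where a mistake only shows up as a rejected rule or, worse, as an empty group behind a policy. The following pre-flight checker is an added example, not Microsoft's code: it applies the figures from this page (a 3072-character body, five expressions in the rule builder), the operator list from the table earlier on the page, and the user/device separation rule, and it flags unknown operators and unbalanced quotes or parentheses. It covers property/operator/value rules only, not the "Direct Reports for" form, and cannot tell whether an extension attribute is multi-valued. SAMPLE_RULES is constructed for the demonstration.

```python
"""Pre-flight checks for an Entra dynamic-membership rule before it is pasted into the portal
(added example, not Microsoft's code). The limits and operator list come from this page."""
import re

MAX_RULE_LENGTH = 3072               # rule body limit stated on the page
RULE_BUILDER_MAX_EXPRESSIONS = 5     # beyond this the rule syntax box is required
COMPARISON_OPERATORS = {"-eq", "-ne", "-contains", "-notContains", "-startsWith", "-in", "-match"}
LOGICAL_OPERATORS = {"-and", "-or", "-not"}

def lint_rule(rule):
    """Return {'ok': bool, 'expressions': int, 'tool': str, 'findings': [str, ...]}.
    Covers property/operator/value rules only, not the 'Direct Reports for' form."""
    findings = []
    if len(rule) > MAX_RULE_LENGTH:
        findings.append(f"rule body is {len(rule)} characters; the limit is {MAX_RULE_LENGTH}")
    # Blank out quoted values so hyphens, parentheses or dots inside them are not read as syntax.
    bare = re.sub(r'"[^"]*"', '""', rule)
    if bare.count('"') % 2:
        findings.append("unbalanced double quote")
    if bare.count("(") != bare.count(")"):
        findings.append("unbalanced parentheses")
    operators = re.findall(r"-[A-Za-z]+", bare)
    for op in operators:
        if op not in COMPARISON_OPERATORS | LOGICAL_OPERATORS:
            findings.append(f"unknown operator {op}")
    # A group is either Dynamic User or Dynamic Device; one rule must not reference both.
    scopes = set(re.findall(r"\b(user|device)\.[A-Za-z0-9_]+", bare))
    if len(scopes) > 1:
        findings.append("rule mixes user.* and device.* attributes; a group cannot contain both")
    expressions = sum(op in COMPARISON_OPERATORS for op in operators)
    if expressions == 0:
        findings.append("no property/operator/value expression found")
    tool = "rule builder" if expressions <= RULE_BUILDER_MAX_EXPRESSIONS else "rule syntax box"
    return {"ok": not findings, "expressions": expressions, "tool": tool, "findings": findings}

# Constructed rules for the checks above; none is taken from a real tenant.
SAMPLE_RULES = {
    "sales_no_interns": '(user.department -eq "Sales") -and -not (user.jobTitle -contains "Intern")',
    "mixed_scopes": '(user.department -eq "Sales") -and (device.objectId -ne null)',
    "bad_operator": 'user.department -like "Sales*"',
    "six_expressions": " -or ".join(f'(user.department -eq "Dept{i}")' for i in range(6)),
    "too_long": " -or ".join(f'(user.extensionAttribute1 -eq "value{i}")' for i in range(200)),
}

if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        result = lint_rule(rule)
        print(f"{name}: ok={result['ok']} expressions={result['expressions']} tool={result['tool']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The "tool" field is the practical output: a rule with six comparison expressions passes every check but must go into the rule syntax box, because the rule builder stops at five. Quoted values are blanked before any pattern matching, so a hyphen inside a display name or a dot inside a regex such as "Da.*" is not mistaken for an operator or a property reference.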


✅ Key Takeaways for Exam / Practice

  1. Dynamic groups save admin time by auto-updating memberships.

  2. Require P1 license per user (but not per device).

  3. Built using rule builder (simple) or syntax box (advanced).

  4. Operators & syntax are critical to remember.

  5. Real-world usage: Teams auto-membership, license assignment, conditional access, Intune policies.
