Key Points
- Microsoft Entra dynamic groups automate membership management through user and device attribute rules, streamlining Intune assignments, Conditional Access, and provisioning.
- Define the scope early to determine whether the group targets users or devices, as one dynamic group cannot manage both.
- Keep rules simple by starting with single-attribute logic before adding layered conditions to improve performance and maintain predictable results.
- Validate before rollout by testing rules with sample users or devices and confirming that expected members appear correctly.
- Understand evaluation timing because membership updates in large or hybrid tenants can take time and may not update instantly.
- Automate audits with Microsoft Graph PowerShell to export rules, member counts, and processing states for consistent compliance tracking.
- Govern with evidence by versioning rule text, monitoring evaluation results, and archiving monthly snapshots to maintain accurate audit records.
Dynamic groups in Microsoft Entra ID handle membership automatically by using rules tied to user or device attributes. They’re essential for scaling Intune assignments, Conditional Access policies, and automated provisioning.
The setup is simple, but issues often appear at scale when rules become too complex or governance is ignored. This guide uses Microsoft’s best practices with automation and evidence tracking so you can keep Microsoft Entra dynamic groups predictable, secure, and easy to manage.
Steps to create Microsoft Entra dynamic groups
Before you begin, ensure the basics are in place.
📌 General prerequisites:
- Global Administrator or Group Administrator in Microsoft Entra ID.
- Defined attributes to drive membership (department, deviceOwnership, userType, or enrollmentProfileName).
- Pilot tenant or test group for validation before production deployment.
- PowerShell 7 and the Microsoft Graph PowerShell module installed for automation and audits.
Step 1: Choose the correct group type (Security or Microsoft 365) and membership scope (Users or Devices)
Start by selecting the group type based on its purpose and whether it targets users or devices. This decision affects access control, collaboration, and automation behavior.
📌 Use Cases:
- Security group: Assign app permissions, apply Conditional Access policies, or deploy Intune configurations.
- Microsoft 365 group: Enable collaboration in Teams, SharePoint, and Outlook for a department or project.
Instructions:
- Sign in to the Microsoft Entra Admin Center.
- Navigate to Groups > All groups > + New group.
- Under Group type, select:
  - Security: Supports dynamic membership for users or devices (not both in one group)
  - Microsoft 365: Supports users only for collaboration features
- Under Membership type, select:
  - Dynamic User: Based on user attributes (e.g., department, job title)
  - Dynamic Device: Based on device attributes (e.g., operating system, compliance state)
- Create dedicated groups per type for clarity and traceability.
💡 Tip: Use a consistent naming convention (e.g., Auto-Dept-Marketing-Users, Auto-Device-Windows-Endpoints) to simplify governance and audits.
- Record each group’s purpose, owner, and dependencies, such as linked Intune policies or Conditional Access assignments.
Step 2: Write the dynamic membership rule
Next, build the rule that defines which users or devices automatically join or leave the group. Dynamic membership rules use attribute-based logic that Entra ID continuously evaluates as directory data changes.
📌 Use Cases:
- Add all users in a specific department, such as Finance, to a Microsoft 365 group.
- Target all company-owned devices for Intune compliance policies.
- Include users across multiple departments.
Instructions:
- In the Microsoft Entra admin center, navigate to Groups and select your group.
- Under Membership type, choose Dynamic User or Dynamic Device based on your Step 1 setup.
- Click Add dynamic query.
- Choose an editor:
  - Rule Builder: For simple conditions. Use dropdowns to select an attribute, operator, and value.
  - Syntax Editor: For advanced logic. Write rules manually using expressions and comments.
- Write your rule:
  - Example for users:
    (user.department -eq "Finance")
  - Example for devices:
    (device.deviceOwnership -eq "Company")
- Keep logic simple whenever possible. Compound rules using -and, -or, and -not increase processing time and maintenance effort.
- If you use the syntax editor, add short comments to explain the rule’s purpose and conditions for future admins.
- Click Save to apply the rule.
Step 3: Validate and preview group membership results
Before deploying a dynamic group, validate and preview the membership results to confirm that your rule logic works as intended. This step helps you catch inclusion or exclusion errors early.
📌 Use Cases:
- Testing a new department-based user rule.
- Verifying that only company-owned devices are targeted for compliance.
Instructions:
- Open Microsoft Entra Admin Center > Groups and select your dynamic group.
- Navigate to Dynamic membership rules, then click Validate Rules.
- Enter a sample object ID or attribute values to test the rule.
- Click Validate.
- Review the preview results:
  - Confirm expected members are included.
  - Check edge cases such as users with missing or blank attributes.
- Capture screenshots or export validation results as baseline evidence for governance records.
Step 4: Monitor membership evaluation and synchronization status
Dynamic groups re-evaluate automatically when user or device attributes change, but updates are not instant. Large tenants or complex rules can take several hours to process. Monitoring evaluation status helps you confirm that each group is updating correctly and stays accurate over time.
📌 Use Cases: Tracking dynamic rule updates after user attribute changes.
Instructions:
- Open Microsoft Entra Admin Center > Groups and select your dynamic group.
- On the Overview tab, check:
  - Last membership change: Shows when the group membership was last updated.
  - Membership rule processing status: Shows whether the rule evaluation is processing, completed, or failed.
- When a user or device attribute changes, Entra ID queues a re-evaluation of all affected dynamic groups.
💡 Expect delays for large tenants or groups with nested logic. Processing can take hours depending on the directory size and complexity.
- If the status shows Failed, review the rule syntax and confirm that the required attributes exist in the directory.
- For detailed diagnostics, use Microsoft Graph PowerShell or the Microsoft Graph API to view processing logs.
- Capture screenshots or save evaluation logs for compliance and lifecycle documentation.
Step 5: Automate and audit dynamic groups using Microsoft Graph PowerShell
Manual monitoring doesn’t scale well in large environments. Use Microsoft Graph PowerShell to retrieve rule text, processing state, owners, and member counts on a scheduled basis. You can also use it to create new dynamic groups from a standard template and keep your configuration records up to date.
📌 Use Cases: Retrieve all dynamic groups and their membership rules for documentation and audits.
Instructions:
- Open PowerShell 7 and connect to Microsoft Graph:
Connect-MgGraph -Scopes "Group.Read.All","Directory.Read.All"
- Retrieve dynamic groups for oversight:
Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState, CreatedDateTime
This lists all dynamic groups with their rules and processing status.
- Export rules and member counts to CSV or JSON on a weekly basis for evidence.
Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState, CreatedDateTime | Export-Csv "DynamicGroups_Audit.csv" -NoTypeInformation
- Integrate the script into your audit documentation workflow.
Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState, CreatedDateTime | ConvertTo-Json -Depth 3 | Set-Content "DynamicGroups_Audit.json"
- Store each export in your audit documentation workspace to build a version history and support compliance reviews.
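As an added example that is not part of the original article, the following script creates a dynamic security group from a naming-convention template and polls its first evaluation; it covers the multi-department user rule from Step 2 and the "create from a standard template" automation mentioned in Step 5. The department names, the group name, and the owner and ticket placeholders in the description are constructed assumptions.

```powershell
# Added example (not from the original article): create a dynamic security group from a
# naming-convention template. Assumes the Microsoft.Graph module is installed and the caller
# holds Group.ReadWrite.All. Department names and the group name are constructed sample values.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

$Departments = @("Finance", "Accounting")                 # constructed sample values
$Name        = "Auto-Dept-FinanceAndAccounting-Users"     # follows the Auto-Dept-<Scope>-Users convention

# One condition per department, joined with -or, then restricted to member (non-guest) accounts.
$conditions = $Departments | ForEach-Object { "(user.department -eq `"$_`")" }
$Rule = "(($($conditions -join ' -or ')) -and (user.userType -eq `"Member`"))"

# Owner, purpose and change reference are recorded on the group itself (placeholders here).
$group = New-MgGroup -DisplayName $Name -MailNickname ($Name -replace '[^A-Za-z0-9]', '') `
    -MailEnabled:$false -SecurityEnabled -GroupTypes @("DynamicMembership") `
    -MembershipRule $Rule -MembershipRuleProcessingState "On" `
    -Description "Owner: <owner placeholder>; Purpose: Finance Intune baseline; Change ref: <ticket placeholder>"

# Evaluation is asynchronous: poll a few times so the validation step can see the first members.
for ($i = 0; $i -lt 6; $i++) {
    $g = Get-MgGroup -GroupId $group.Id -Property Id,MembershipRuleProcessingState
    $count = (Get-MgGroupMember -GroupId $group.Id -All).Count
    Write-Host "ProcessingState=$($g.MembershipRuleProcessingState) Members=$count"
    if ($count -gt 0) { break }
    Start-Sleep -Seconds 30
}
```

A zero member count after the loop is not necessarily a failure in a large tenant; re-check the Overview tab later, as Step 4 describes.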
Step 6: Maintain governance and lifecycle management
The final step is to ensure your automation remains aligned with evolving roles, compliance regulations, and device policies. Strong governance ensures that dynamic groups stay accurate, compliant, and easy to audit.
📌 Use Cases: Review dynamic groups monthly to match the current business structure and IT policy.
Instructions:
- Assign an owner for each dynamic group. The owner is responsible for updates, validation, and compliance.
- Treat rule text like code. Track every change in a version-controlled document. Include the reason for the update, approval reference, and validation notes.
- Run monthly or quarterly audits to confirm that rules still match current roles, Intune compliance settings, and license assignments.
- Archive old versions of rule text and validation logs in your documentation workspace. Label each with a timestamp and change request ID.
- Link review results to your audit or change management system, such as ServiceNow, for traceability and accountability.
Best practices summary table
Below are the key practices that keep your configuration predictable, efficient, and audit-ready.
| Practice | Purpose | Value delivered |
|---|---|---|
| Separate user and device groups | Prevent targeting overlap and reduce policy confusion. | Keeps policies predictable and easier to troubleshoot |
| Start with simple logic | Build clean rules before adding compound operators. | Improves processing speed and evaluation reliability |
| Validate before enabling | Test rule results before production rollout. | Ensures accurate membership and avoids mis-targeting |
| Use Graph automation | Automate retrieval, versioning, and exports via PowerShell. | Enables consistent reporting and compliance documentation |
| Archive monthly snapshots | Preserve rule versions and validation logs. | Maintains governance evidence and supports audits |
Automation touchpoint example
A well-designed script can turn a manual compliance task into a predictable routine. Here’s an example workflow you can adapt to your environment.
A weekly PowerShell script connects to Microsoft Graph and runs the following process:
- Export all dynamic group definitions and membership counts.
- Compare the results with those from the previous week to detect any changes.
- Flag updated rules for review.
- Attach the report to a compliance folder or ticket for governance tracking.
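The weekly workflow above, as an added example (not NinjaOne's or the article's own script): it snapshots every dynamic group's rule, processing state and member count, diffs against the previous snapshot, and writes a review CSV that can be attached to a compliance folder or ticket. The snapshot folder, file names and the 20% membership-swing threshold are assumptions.

```powershell
# Added example (not from the original article): weekly dynamic-group snapshot and diff.
# Assumes the Microsoft.Graph module is installed; $SnapshotDir, the file names and the
# $SwingThreshold default are assumptions you can adjust.
param([string]$SnapshotDir = ".\DynamicGroupSnapshots", [double]$SwingThreshold = 0.2)
Connect-MgGraph -Scopes "Group.Read.All","Directory.Read.All" -NoWelcome
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$stamp = Get-Date -Format "yyyy-MM-dd"
# 1. Export every dynamic group's rule text, processing state and member count.
$current = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
    -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
    ForEach-Object {
        [pscustomobject]@{
            Id              = $_.Id
            DisplayName     = $_.DisplayName
            MembershipRule  = $_.MembershipRule
            ProcessingState = $_.MembershipRuleProcessingState
            MemberCount     = (Get-MgGroupMember -GroupId $_.Id -All).Count
        }
    }
$current | ConvertTo-Json -Depth 3 | Set-Content (Join-Path $SnapshotDir "dynamic-groups-$stamp.json")
# 2. Load the most recent earlier snapshot; the first run only establishes the baseline.
$previousFile = Get-ChildItem $SnapshotDir -Filter "dynamic-groups-*.json" |
    Where-Object Name -ne "dynamic-groups-$stamp.json" |
    Sort-Object Name -Descending | Select-Object -First 1
if (-not $previousFile) { Write-Host "Baseline written; nothing to compare yet."; return }
$previous = @{}
foreach ($p in (Get-Content $previousFile.FullName -Raw | ConvertFrom-Json)) { $previous[$p.Id] = $p }
# 3. Flag rule-text changes, paused processing, large membership swings, and new or removed groups.
$findings = @(
    foreach ($c in $current) {
        $old = $previous[$c.Id]
        if (-not $old) { [pscustomobject]@{ Group = $c.DisplayName; Finding = "New dynamic group" }; continue }
        if ($old.MembershipRule -ne $c.MembershipRule) { [pscustomobject]@{ Group = $c.DisplayName; Finding = "Rule changed: '$($old.MembershipRule)' -> '$($c.MembershipRule)'" } }
        if ($c.ProcessingState -ne "On") { [pscustomobject]@{ Group = $c.DisplayName; Finding = "Processing state is '$($c.ProcessingState)'; rule is not being evaluated" } }
        if ($old.MemberCount -gt 0 -and ([math]::Abs($c.MemberCount - $old.MemberCount) / $old.MemberCount) -gt $SwingThreshold) {
            [pscustomobject]@{ Group = $c.DisplayName; Finding = "Member count moved from $($old.MemberCount) to $($c.MemberCount)" }
        }
    }
    foreach ($id in $previous.Keys) {
        if ($current.Id -notcontains $id) { [pscustomobject]@{ Group = $previous[$id].DisplayName; Finding = "Dynamic group removed" } }
    }
)
# 4. Write the review report beside the snapshot; attach it to the compliance folder or ticket.
$report = Join-Path $SnapshotDir "dynamic-groups-review-$stamp.csv"
$findings | Export-Csv $report -NoTypeInformation
Write-Host "$($findings.Count) finding(s) written to $report"
```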
NinjaOne integration
Bringing Microsoft Entra automation into NinjaOne closes the loop between identity management and operational governance. Here’s how NinjaOne can streamline your process:
| NinjaOne feature | Purpose |
|---|---|
| Scheduled scripting | Automate the execution of Microsoft Graph PowerShell scripts to collect dynamic group data. |
| File and documentation management | Store and attach script outputs to compliance folders or internal documentation libraries. |
| Alerting and threshold policies | Detect deviations in rule text, member counts, or processing states. |
| Ticket automation | Automatically open tickets for flagged anomalies or rule updates. |
| Role-based access and visibility | Control who can view, execute, and manage Entra automation scripts. |
Quick-Start Guide
NinjaOne can create Dynamic Groups in Microsoft Entra ID using SCIM provisioning. This integration allows you to dynamically create NinjaOne technicians or end users based on Entra ID group membership.
The process involves:
- Creating and Assigning User Roles to Groups in Entra ID:
- In Microsoft Entra admin center, go to App registrations and select the Enterprise Application created for Single Sign-On and SCIM with NinjaOne.
- Create app roles (e.g., “Technician” or “endUser”) and assign them to Entra ID Groups.
- Provisioning and Mapping User Attributes:
- Configure attribute mapping in the NinjaOne Enterprise Application to provision users based on group membership.
- Use expressions to dynamically assign users to the correct NinjaOne user type (technician or end user).
- Group Mapping in NinjaOne:
- Once groups are provisioned in Entra ID, they appear in the Group Mapping section of the Identity Providers page in the NinjaOne console.
This setup ensures that users are automatically provisioned in NinjaOne when they become members of specific Entra ID groups, streamlining user management and access control.
Building scalable governance with Microsoft Entra dynamic groups
When built and maintained with intention, Microsoft Entra dynamic groups reduce manual work and maintain consistent access across your environment. Keep your rules simple, validate changes before rollout, automate your audits, and store historical evidence for reference.
These habits provide MSPs and IT teams with steady control, stable configurations, predictable policies, and compliance that scales with the business.