Understanding Microsoft Entra ID Groups (Azure AD Groups): Types & Management

Entra ID groups and Role-Based Access Control (RBAC) form a powerful combination for scalable and secure identity management.


Learn how Microsoft Entra ID Groups (formerly Azure Active Directory Groups) work and their relationship to Entra ID Role-Based Access Control (RBAC).

What is a Microsoft Entra ID group?

There are two types of Entra ID group:

  1. Microsoft 365 (M365) groups
  2. Security groups

Entra ID Groups allow enterprises to manage and assign specific permissions to multiple users at once, simplifying secure access to resources like applications, files, and shared drives.

Entra ID Groups: Security vs Microsoft 365

Let’s look in more detail at the two different group types.

Microsoft 365 Groups

Microsoft 365 Groups are designed to aid collaboration in your enterprise.

Microsoft 365 Groups help to:

  • share resources and tools easily
  • reduce duplication. Key M365 apps, like Teams and SharePoint, are set up for the group, avoiding multiple app setups that are not directly connected to one another.
  • facilitate communication by providing a dedicated email address and shared mailbox.

They can be granted direct access to other resources in Entra ID, like applications, other SharePoint Sites, or file shares.

It is also worth noting that M365 Groups can:

  • only be populated by users
  • include external users
  • have a user or service principal set as the group owner

Security groups

Security groups in Entra ID grant granular access to resources. Members of security groups can include users, devices, or service principals (a security identity used by applications, services, or automated processes to access resources within a tenant).

Users and service principals can be the owners of a security group.

Nested groups

Groups can be members of other groups, a configuration known as nested groups. When a security group is nested inside another security group, only the direct members of the parent group receive access to the shared resources and applications assigned to the parent; members of the nested child group do not inherit that access.
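The nesting caveat above is easy to misjudge, because a directory tool will happily show you everyone reachable through nested groups. The following added example (not code from the article or from Microsoft) walks a small constructed directory and separates the direct members of a parent group from the principals that are only reachable through nesting, which is exactly the set that would be missing from an access grant that honours direct membership only. Group and principal IDs are constructed, and a deliberate cycle is included to show why the walk needs a visited set.

```python
"""Direct vs transitive membership for nested Entra ID groups (added example)."""
from collections import deque

# Constructed sample directory: group id -> list of member ids.
# Anything whose id is a key of DIRECTORY is itself a group; everything else
# is a non-group principal (user, device or service principal).
DIRECTORY = {
    "grp-eng-all": ["grp-eng-backend", "grp-eng-frontend", "user-cto"],
    "grp-eng-backend": ["user-alice", "user-bob", "grp-eng-all"],  # deliberate cycle
    "grp-eng-frontend": ["user-carol", "sp-build-agent"],
}


def direct_members(group_id):
    """Members listed on the group itself, groups included."""
    return list(DIRECTORY.get(group_id, []))


def direct_principals(group_id):
    """Direct members that are not groups: the set an access grant on the
    parent group actually covers under the nesting rule described above."""
    return sorted(m for m in direct_members(group_id) if m not in DIRECTORY)


def transitive_members(group_id):
    """Non-group principals reachable through any depth of nesting.

    Breadth-first walk with a visited set so that a group that (directly or
    indirectly) contains itself cannot loop forever.
    """
    seen_groups = {group_id}
    principals = set()
    queue = deque(direct_members(group_id))
    while queue:
        member = queue.popleft()
        if member in DIRECTORY:            # nested group: expand it once
            if member not in seen_groups:
                seen_groups.add(member)
                queue.extend(direct_members(member))
        else:
            principals.add(member)
    return sorted(principals)


def access_gap(group_id):
    """Principals reachable only via nesting, i.e. those who look like members
    in a transitive listing but are not covered by a direct-member-only grant."""
    return sorted(set(transitive_members(group_id)) - set(direct_principals(group_id)))


if __name__ == "__main__":
    g = "grp-eng-all"
    print("direct principals      :", direct_principals(g))
    print("transitive members     :", transitive_members(g))
    print("reachable only by nest :", access_gap(g))
```

Run it and compare the first and last lines: a review that relies on the transitive listing would conclude that the backend and frontend teams have access through `grp-eng-all`, while the direct-member view shows that only the CTO does.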

Access management using Entra ID security groups

Microsoft Entra ID is designed to make it efficient to architect access permissions for a resource across a group of users. This is where Entra ID security groups come in. The basic procedure is to:

  • grant access rights (to a third-party application, for example) to a group, and then
  • populate that group with the right users, devices, and service principals

The resource or directory owner can grant group management rights to someone else, such as a department manager or a service desk lead – this designated ‘manager’ of the group can add users to, or remove them from, the group.

To help you understand what resources a group can manage access to, here is a basic list:

  • Part of your Microsoft Entra organization, such as permissions to manage users, applications, billing, and other objects
  • External to your organization, such as non-Microsoft Software as a Service (SaaS) apps (e.g. Salesforce, etc.)
  • SharePoint sites
  • Azure services
  • On-premises resources

Types of Microsoft Entra ID group assignment

After you create a group, you need to decide how access to the resource will be managed through it. Microsoft has engineered four main types of assignment in Entra ID:

Direct assignment

The resource owner directly assigns the user to the resource.

Group assignment

The resource owner assigns a Microsoft Entra ID group to the resource, which automatically gives all of the group members access to the resource. Both the group owner and the resource owner manage group membership, letting either owner add or remove members from the group.

Rule-based assignment

The resource owner creates a group and uses a rule to define which users are assigned to a specific resource. The rule is based on attributes that are assigned to individual users. The resource owner manages the rule, determining which attributes and values are required to allow access to the resource. This is the basis of a dynamic group, covered in more detail below.

External authority assignment

Access comes from an external source, such as an on-premises directory or a SaaS app. In this situation, the resource owner assigns a group to provide access to the resource, and then the external source manages the group members.

Understanding dynamic and synchronized groups in Microsoft Entra ID

There are two core topics included here. The first discusses assigned or dynamic groups, and the second talks about the two types of ‘Source’ for a group. Let’s look at assigned/dynamic groups first.

What are managed (dynamic) groups and how do they work?

When you create a new group, you are asked if you want to create an assigned group or a dynamic group.

Assigned groups vs dynamic groups

An assigned group includes explicit users in the group membership. We can add five separate users to the group – they will stay members of the group until an administrator or group owner manually adjusts the group membership. This type is ideal for groups whose memberships don’t change frequently.

However, Microsoft added dynamic groups to Entra ID to ease administrative overhead and boost efficiency. When you create a dynamic group (membership rules can target users or devices; this article focuses on users), you define one or more dynamic membership rules that determine which users are included, based on their user attributes.

Dynamic rule example

For example, I can create a rule that specifies a specific “department”, one of the attributes in Entra ID. Soon after the group and its rules are created, Entra ID starts a background process to analyze and add appropriate users to the group. When a new user is added to the tenant, and they are a member of this department, they will automatically be added to this group. Nice.

Here’s a real-world scenario describing how a dynamic group works with RBAC permissions.

Step-by-step explanation

  1. User/Device Attributes:
    • Users/devices in Entra ID have attributes (e.g., department, jobTitle, country).
    • Example: A user’s department is set to “Sales”.
  2. Dynamic Group Rule:
    • The Dynamic Entra ID Group has a membership rule based on attributes (e.g., user.department -eq "Sales").
    • When attributes change, Entra ID automatically re-evaluates membership.
  3. Automatic Membership Evaluation:
    • Entra ID checks if the user/device meets the rule criteria.
    • If yes: Added to the group.
    • If no: Removed from the group.
  4. RBAC Permissions:
    • The Dynamic Group is assigned RBAC roles (e.g., “Sales Team Access” with permissions to CRM, SharePoint, etc.).
    • Permissions are inherited by all group members.
  5. Automatic Access Updates:
    • When users join/leave the group, their access is automatically granted/revoked based on the group’s RBAC assignments.

When a user transitions to a new department, they are automatically removed from that dynamic group. Because this happens behind the scenes, it avoids the human error of a forgotten manual removal.
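To make the five steps above concrete, here is an added example (not code from the article or from Microsoft) that models the evaluation loop in Python over a constructed set of users: attributes in, rule evaluated, membership diffed, and the group's permissions following membership. It uses the same rule syntax as the article's `user.department -eq "Sales"` example (and the FAQ's creation step), but the evaluator itself is a toy: it supports only `-eq`, `-startsWith` and `-contains` clauses joined by `-and` / `-or`, evaluated left to right without parentheses, compares strings case-insensitively, and treats an unpopulated attribute as failing every clause. Those are simplifications chosen for this example, not a statement of Entra ID's exact rule semantics. The "Sales Team Access" permission list is hypothetical.

```python
"""Toy evaluator for Entra ID dynamic membership rules (added example)."""
import copy
import re

# One clause: user.<attribute> <operator> "<value>"  (subset supported by this toy)
CLAUSE = re.compile(r'^user\.(\w+)\s+(-eq|-startsWith|-contains)\s+"([^"]*)"$')


def _eval_clause(clause, attrs):
    """Evaluate one clause against a user's attribute dictionary."""
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    attr, op, expected = m.groups()
    actual = attrs.get(attr)
    if actual is None:                      # unpopulated attribute never matches (toy rule)
        return False
    actual, expected = str(actual).lower(), expected.lower()
    if op == "-eq":
        return actual == expected
    if op == "-startsWith":
        return actual.startswith(expected)
    return expected in actual               # -contains


def matches(rule, attrs):
    """Evaluate clauses joined by -and / -or, left to right (no precedence, no parentheses)."""
    parts = re.split(r"\s+(-and|-or)\s+", rule.strip())
    result = _eval_clause(parts[0], attrs)
    for i in range(1, len(parts), 2):
        rhs = _eval_clause(parts[i + 1], attrs)
        result = (result and rhs) if parts[i] == "-and" else (result or rhs)
    return result


def evaluate_membership(rule, users, current_members):
    """One re-evaluation pass (steps 2-3): returns (members, added, removed)."""
    members = {uid for uid, attrs in users.items() if matches(rule, attrs)}
    return members, sorted(members - current_members), sorted(current_members - members)


# Constructed sample tenant: user id -> attributes (step 1)
USERS = {
    "alice": {"department": "Sales", "jobTitle": "Account Executive", "country": "US"},
    "bob":   {"department": "Sales", "jobTitle": "Sales Engineer", "country": "DE"},
    "carol": {"department": "Engineering", "jobTitle": "Developer", "country": "US"},
    "dave":  {"jobTitle": "Contractor"},   # department never populated
}
RULE = 'user.department -eq "Sales"'
GROUP_PERMISSIONS = ["CRM.Read", "SharePoint.SalesSite"]   # hypothetical "Sales Team Access" grant


def effective_permissions(user_id, members):
    """Steps 4-5: permissions are held by the group, so they follow membership."""
    return GROUP_PERMISSIONS if user_id in members else []


def simulate_transfer():
    """Initial evaluation, then bob transfers to Engineering and the rule re-runs."""
    users = copy.deepcopy(USERS)            # leave the sample data untouched
    members, added, removed = evaluate_membership(RULE, users, set())
    before = (sorted(members), added, removed, effective_permissions("bob", members))
    users["bob"]["department"] = "Engineering"      # attribute change triggers re-evaluation
    members, added, removed = evaluate_membership(RULE, users, members)
    after = (sorted(members), added, removed, effective_permissions("bob", members))
    return before, after


if __name__ == "__main__":
    before, after = simulate_transfer()
    print("initial pass  :", before)
    print("after transfer:", after)
```

The `dave` record is the case worth noticing: a user whose `department` was never populated silently falls outside the group, so an access review that assumes "everyone in Sales is in the group" needs to check the attribute data as well as the rule.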

What are synchronized groups?

When you examine your groups in the Microsoft Entra ID portal, you will see the ‘Source’ attribute/column. This specifies either ‘Windows Server AD’ or ‘Cloud’. If the source is ‘Windows Server AD’, it is a synchronized group.

Entra ID groups view showing the Source of the groups – ‘Windows Server AD’ or ‘Cloud’ – Image Credit: Michael Reinders/Petri.com

Windows Server AD – these are called ‘synchronized’ groups because they have been synchronized (synced) from an on-premises Active Directory environment using Microsoft Entra Connect Sync (formerly Azure AD Connect) or Microsoft Entra Cloud Sync. They must be modified in Active Directory – if you try to modify any aspect of the group in the Entra admin center, you will receive an error.

Cloud – These groups were created natively in Microsoft 365 / Entra ID. You have full control over the management of these groups in the Entra ID portal website.

How Entra ID groups and roles work together

Entra ID Groups and Role-Based Access Control (RBAC) form a powerful combination for scalable and secure identity management. By assigning Entra ID roles (such as Global Administrator, User Administrator, or custom roles) to security groups instead of individual users, organizations gain consistent permissions while reducing administrative complexity.

When a user is added to a role-assigned group, they automatically inherit the associated privileges, streamlining onboarding and offboarding processes. Also, during transfers or promotions, dynamic groups allow seamless transitions for users and their managers as new roles and permissions are added, and old ones removed – all behind the scenes, automatically.

Frequently Asked Questions

What is a Microsoft Entra ID group?

A Microsoft Entra ID group (formerly Azure AD group) is a collection of user identities or service principals that can be managed collectively within Microsoft Entra ID. These groups simplify the administration of access and permissions by allowing you to assign roles, licenses, and access rights to multiple users at once. Groups can be security groups (for managing access to resources) or Microsoft 365 groups (for collaboration via services like Teams, SharePoint, and Outlook).

How do I manage groups in Entra?

You can manage Entra ID groups through the Microsoft Entra admin center, PowerShell, or Microsoft Graph API. In the Entra admin center:

  1. Navigate to Entra ID > Groups.
  2. Select a group to view its details.
  3. From here, you can:
    • Add or remove members.
    • Update group settings.
    • Assign group roles and licenses.
    • Configure group lifecycle policies (e.g., expiration or naming conventions).

How do I add a group claim to my Entra ID?

To add group claims to a token in Microsoft Entra ID:

  1. Go to Entra ID > App registrations > Select your app.
  2. Choose Token configuration > + Add Group Claim.
  3. Select the group types to include:
    • Security groups
    • Directory roles
    • All groups
  4. Choose the claim format (Group ID or Group Name).
  5. Save your configuration.

This is typically done to pass group membership information in tokens for apps that use it for authorization.
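Once the group claim is configured, the application still has to do something with it. The following added example (not code from the article or from Microsoft) shows the consuming side in Python: decode the payload of a JWT-shaped token, read the `groups` claim, and compare it against the group object IDs the app allows. It compares object IDs rather than display names because IDs are stable while a group can be renamed. Signature validation is deliberately omitted here because the point is the claim handling; a real application must validate the token against the tenant's signing keys before trusting any claim in it. The group IDs are constructed placeholders, and the helper that builds an unsigned token exists only so the example runs offline. The example also handles the overage case, in which Entra ID replaces the `groups` list with `_claim_names` / `_claim_sources` for users in a large number of groups, so that the app fails closed instead of treating the user as belonging to no groups.

```python
"""Reading and checking the groups claim from an Entra ID token (added example)."""
import base64
import json

# Constructed group object IDs (placeholders, not real tenant values)
ALLOWED_GROUPS = {
    "11111111-1111-1111-1111-111111111111": "sales-team",
}


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)      # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(payload):
    """Build a JWT-shaped string with an empty signature, for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def token_claims(token):
    """Return the payload claims. Signature validation is out of scope here and
    must happen before these claims are trusted in a real application."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorize(claims):
    """Decide access from the groups claim; returns (allowed, reason)."""
    if "groups" in claims.get("_claim_names", {}):
        # Overage: the token does not carry the list; membership must be looked
        # up via Microsoft Graph. Deny here rather than treat it as "no groups".
        return False, "groups overage: query Microsoft Graph for membership"
    groups = set(claims.get("groups", []))
    hit = groups & set(ALLOWED_GROUPS)
    if hit:
        return True, "member of " + ", ".join(ALLOWED_GROUPS[g] for g in sorted(hit))
    return False, "no allowed group in token"


if __name__ == "__main__":
    demo = make_unsigned_token({"sub": "alice", "groups": list(ALLOWED_GROUPS)})
    print(authorize(token_claims(demo)))
```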

How do I create a dynamic group in Entra ID?

To create a dynamic group (where membership is based on rules rather than manual assignment):

  1. Go to Entra ID > Groups > + New Group.
  2. Set Group type to Security or Microsoft 365.
  3. Under Membership type, select Dynamic User or Dynamic Device.
  4. Define your rule (e.g., user.department -eq "Sales").
  5. Click Create.

Entra will automatically manage group membership based on the rule, which updates in real time as user attributes change.