Manage Microsoft Entra users and groups 2 – Manage Azure identities and governance – AZ-104 Study Guide

First, you must select the type of group you are creating. You have two options: Security and Microsoft 365. Security groups allow you to share Azure resources access to a group of users, devices, or service principals. A Microsoft 365 group allows access to a shared mailbox, cal- endar, SharePoint site, and so on. Note that even if you are creating groups in an Entra tenant that is not associated with a Microsoft 365 subscription, you will still see the option to create a Microsoft 365 group.

Also, Group Name is a required field. While filling in a Group Description is not required, it is recommended that you include a group description to make it easier to find and identify the purpose of a group later.

The Membership Type drop-down menu provides three options:

  • Assigned Use this option to select one or more users and add them to the group. Adding and removing users is performed manually.
  • Dynamic User Select this option to use dynamic group rules to automatically add and remove members.
  • Dynamic Device Select this option to use dynamic group rules to automatically add and remove devices.

For both dynamic user and dynamic device-based groups, the rules associated with the group are evaluated on an ongoing basis. If a user or device has an attribute that matches the rule, that user or device is added to the group. If an attribute changes and the user or device no longer matches the criteria for group membership, the entity will be removed. Membership processing is not immediate. If an error occurs while processing a membership rule, an error is surfaced on the Group blade in the Azure portal. You can always view the current processing status from the Group blade.

It is important to note that you can create a dynamic group for users or devices, but you cannot create both at the same time. You also cannot use user attributes in a device-based rule. It is possible to change the membership type of a group after it has been created, which pro- vides an opportunity to transition from a static (or assigned) membership model to a dynamic membership model or vice-versa.

When creating dynamic groups, rules can be edited in the simple rule format, where you will build the query and conditions in the rule builder, where you can build complex rules with conditional logic. In the example shown in Figure 1-3, a dynamic user group is being created, which will automatically update its membership based on the department attribute and its value in Entra ID.

FIGURE 1-3 Dynamic membership rules

Dynamic groups require an Entra ID Premium P1 or Premium P2 license.