Create Dynamic Groups Using Microsoft Entra Rule Builder
Managing user access in Microsoft Entra ID (formerly Azure AD) can be a challenging task, especially in organizations with frequently changing personnel or roles. To reduce manual overhead and ensure that users always have appropriate access, dynamic groups provide a powerful and flexible solution.
With the recent improvements to Microsoft Entra Rule Builder, creating and managing dynamic groups is now more intuitive and less error-prone—even for those not deeply familiar with writing syntax-rich rules.
In this blog, we’ll walk through:
- What dynamic groups are and why they matter
- The difference between static and dynamic membership
- How to use the Entra Rule Builder to create dynamic groups
- Example scenarios and rules you can apply today
✅ What Are Dynamic Groups?
Dynamic groups in Microsoft Entra automatically add or remove users (or devices) based on rule-based membership criteria. These rules evaluate user or device properties like job title, department, location, or device ownership.
This is particularly useful for:
- Licensing automation
- Conditional access
- Application access provisioning
- Role-based security models
🆚 Static vs Dynamic Membership
Feature | Static Group | Dynamic Group |
---|---|---|
Membership | Manually assigned | Automatically assigned based on rules |
Maintenance | Manual | Automatic |
Use Cases | Small, fixed teams | Role-based or attribute-based grouping |
Licensing | Included with Entra ID Free | Entra ID P1 (included in P2) required |
Members | Users, devices, groups, service principals, added by hand | Users or devices (one type per group), selected by rule |
🧱 Introducing Microsoft Entra Rule Builder
Previously, creating dynamic group rules required you to write expressions using a specific syntax—a task that was prone to error. With the Rule Builder interface in Microsoft Entra, you can now build complex expressions using a guided UI without writing a single line of syntax.
Key Features:
- No-code experience for rule creation
- Real-time validation
- Expression preview
- Support for combining expressions with AND/OR; anything the builder cannot express, such as nested parentheses, can still be written in the syntax editor
🛠️ How to Create a Dynamic Group Using the Rule Builder
Here’s a quick step-by-step guide:
Step 1: Open Microsoft Entra Admin Center
Navigate to https://entra.microsoft.com, sign in with an account that holds the Groups Administrator role (or another role permitted to create groups), and go to Groups > All groups.
Step 2: Click + New group
Choose:
- Group type: Security or Microsoft 365
- Membership type: Dynamic User or Dynamic Device
Step 3: Add a dynamic query
Click Add dynamic query to open the Edit dynamic membership rules pane. It opens on the Rule Builder; you can switch to the syntax (text) editor at any time if you prefer to write the expression by hand, and switch back later.
Step 4: Add Conditions
Use the dropdowns to add rules. For example:
- user.department equals Sales
- user.jobTitle starts with Manager
Click Add expression to add more conditions using AND/OR logic.
Step 5: Validate and Save
Check the rule, review the generated expression, and save the group. Initial population runs in the background and can take a while on large tenants; the group's Overview shows the dynamic rule processing status, and the Validate Rules tab lets you test specific users against the rule before you rely on it.
💡 Example Use Cases
🎯 Group: All Sales Managers
- Rule:
  `(user.department -eq "Sales") -and (user.jobTitle -contains "Manager")`
💻 Group: All Intune-Enrolled Windows Devices
- Rule (dynamic device group):
  `(device.deviceOSType -eq "Windows") -and (device.managementType -eq "MDM")`
🌍 Group: Remote Employees
- Rule:
  `user.physicalDeliveryOfficeName -eq "Remote"`
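The portal only evaluates a rule after you save it, so it helps to dry-run rules locally first. The script below is an added example written for this post, not Microsoft's code and not part of the portal: it implements a small parser for the rule syntax used above (string comparisons, -and/-or, parentheses; `user.` and `device.` properties share the same grammar) and runs the rules from this section against a constructed set of user and device records. It follows the documented operator precedence, in which -or binds tighter than -and, so the last two rules show why every expression should be bracketed. Treating string comparisons as case-insensitive is an assumption about the service, so confirm that with the Validate Rules tab before relying on it.

```python
"""Offline dry-run of Entra dynamic membership rules. Added example, not Microsoft code; it never
calls the service. Precedence follows the documented order (-or binds tighter than -and)."""
import re

TOKEN_RE = re.compile(r"""\s*(?:(?P<lparen>\()|(?P<rparen>\))
  |(?P<string>"(?:[^"\\]|\\.)*")
  |(?P<op>-(?:eq|ne|contains|notContains|startsWith|and|or)\b)
  |(?P<prop>(?:user|device)\.\w+))""", re.VERBOSE | re.IGNORECASE)

OPS = {  # comparison operators; operands are already lowercased, a missing attribute is None
    "-eq": lambda a, e: a == e,
    "-ne": lambda a, e: a != e,
    "-contains": lambda a, e: isinstance(a, str) and e in a,
    "-notcontains": lambda a, e: not (isinstance(a, str) and e in a),
    "-startswith": lambda a, e: isinstance(a, str) and a.startswith(e),
}

def tokenize(rule):
    """(kind, text) tokens plus an eof sentinel; ValueError on anything outside the grammar."""
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"bad syntax at offset {pos}: {rule[pos:pos + 12]!r}")
        kind, text = m.lastgroup, m.group(m.lastgroup)
        tokens.append((kind, text.lower() if kind in ("op", "string") else text))
        pos = m.end()
    return tokens + [("eof", "")]

def compile_rule(rule):
    """Parse a rule into a predicate over a record dict; ValueError if malformed.
    and_expr := or_expr (-and or_expr)*  or_expr := atom (-or atom)*  atom := '(' and_expr ')' | prop op string"""
    toks = tokenize(rule)

    def take(kind):
        k, text = toks.pop(0)
        if k != kind:
            raise ValueError(f"expected {kind}, got {text!r}")
        return text

    def and_expr():
        terms = [or_expr()]
        while toks[0] == ("op", "-and"):
            toks.pop(0)
            terms.append(or_expr())
        return lambda rec: all(t(rec) for t in terms)

    def or_expr():
        terms = [atom()]
        while toks[0] == ("op", "-or"):
            toks.pop(0)
            terms.append(atom())
        return lambda rec: any(t(rec) for t in terms)

    def atom():
        if toks[0][0] == "lparen":
            toks.pop(0)
            node = and_expr()
            take("rparen")
            return node
        prop, op = take("prop").lower(), take("op")
        if op not in OPS:
            raise ValueError(f"{op} is not a comparison operator")
        value = take("string")[1:-1].replace('\\"', '"')  # strip quotes, unescape \"
        return lambda rec: OPS[op](rec.get(prop), value)

    node = and_expr()
    take("eof")
    return node

def members(rule, records):
    """displayNames of the records the rule would place in the group (case-insensitive assumption)."""
    matches, hits = compile_rule(rule), []
    for rec in records:
        norm = {k.lower(): v.lower() if isinstance(v, str) else v for k, v in rec.items()}
        if matches(norm):
            hits.append(rec.get("user.displayName") or rec.get("device.displayName"))
    return hits

def is_valid(rule):
    try:
        return bool(compile_rule(rule))
    except ValueError:
        return False

# Constructed sample directory objects, not real accounts or devices.
USERS = [
    {"user.displayName": "Ava", "user.department": "Sales", "user.jobTitle": "Regional Manager", "user.physicalDeliveryOfficeName": "Remote"},
    {"user.displayName": "Ben", "user.department": "sales", "user.jobTitle": "Account Executive", "user.physicalDeliveryOfficeName": "London"},
    {"user.displayName": "Cy", "user.department": "Finance", "user.jobTitle": "Finance Manager", "user.physicalDeliveryOfficeName": "Remote"},
    {"user.displayName": "Dee", "user.department": "Sales", "user.jobTitle": None, "user.physicalDeliveryOfficeName": None},
]
DEVICES = [{"device.displayName": "LT-01", "device.deviceOSType": "Windows", "device.managementType": "MDM"},
           {"device.displayName": "LT-02", "device.deviceOSType": "Windows", "device.managementType": None}]
SALES_MANAGERS = '(user.department -eq "Sales") -and (user.jobTitle -contains "Manager")'
WINDOWS_MDM = '(device.deviceOSType -eq "Windows") -and (device.managementType -eq "MDM")'
# Same comparisons with and without brackets: -or binds tighter than -and, so IMPLICIT means Sales -and (Manager -or Remote).
IMPLICIT = 'user.department -eq "Sales" -and user.jobTitle -contains "Manager" -or user.physicalDeliveryOfficeName -eq "Remote"'
EXPLICIT = '(user.department -eq "Sales" -and user.jobTitle -contains "Manager") -or user.physicalDeliveryOfficeName -eq "Remote"'
```

Call `members(SALES_MANAGERS, USERS)` to see who the rule would select; `IMPLICIT` returns only Ava while `EXPLICIT` also returns Cy, which is exactly the surprise you avoid by bracketing. `is_valid` rejects the same class of mistakes the Rule Builder flags, such as an unquoted value or an unbalanced parenthesis. Keep the sample records in this file in sync with the attributes your HR feed actually populates, because a null attribute (Dee) never satisfies a positive match.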
🧠 Best Practices
- Bracket every expression: in the rule syntax -or has higher precedence than -and, so `A -and B -or C` is evaluated as `A -and (B -or C)`. Parentheses make the intent explicit and survive later edits.
- Keep rules simple: long, heavily combined rules are slower to process and harder to review; several small dynamic groups usually beat one sprawling rule.
- Know what "nesting" means here: a dynamic group cannot contain other groups as members. You can add a dynamic group to an assigned (static) group, or use the memberOf rule (in preview at the time of writing, with its own limits), but dynamic groups cannot be role-assignable, so they are not the tool for directory-role membership.
- Treat the attributes as an access-control input: whoever can write department, jobTitle or physicalDeliveryOfficeName (the HR feed, on-premises AD sync, User Administrators) can move a user into the group. Do not key Conditional Access exclusions or privileged application roles on attributes that are self-service editable or weakly governed.
- Document your rules: record the rule text, its owner and the access the group grants, especially in large environments.
- Test with small scopes: use the Validate Rules tab to check known users, or trial the rule in a group that grants nothing before attaching licences or policies to it.