Dynamic groups vs static groups in Entra ID: when rules win
Static groups you fill by hand; dynamic groups fill themselves from a rule. This is the decision guide: when to pick which, plus the limits Microsoft does not advertise loudly.
In Entra ID you have two kinds of groups: static groups you fill by hand, and dynamic groups that fill themselves based on a rule. The choice looks simple, but dynamic groups have limits that only show up once you hit them. This article gives the decision point and the pitfalls.
TL;DR
- Static group: you add and remove members by hand.
- Dynamic group: a membership rule decides membership automatically.
- Dynamic groups require Microsoft Entra ID P1.
- Pick static for small, stable, or exceptional groups.
- Pick dynamic once a group is large, changes often, or follows a clear attribute pattern.
- Watch out: group-based licensing does not count members from nested groups.
The difference in one paragraph
In a static group, membership is a list you manage. Someone joins? You add them. Someone leaves? You remove them. In a dynamic group you write a rule like `user.department -eq "Sales"`, and Entra ID decides who is in it. When an attribute changes, membership adjusts without you doing anything.
The decision guide
| Situation | Pick static | Pick dynamic |
|---|---|---|
| Small group (< 10 members) | Yes | Overkill |
| Large and changing | No | Yes |
| Follows an attribute (department, job title) | No | Yes |
| Random set with no pattern | Yes | Hard |
| Exceptions (executives, special contracts) | Yes | No |
| No P1 license | Required | Not available |
When static is enough
Static groups are not outdated. They are the right choice when:
- The group is small and stable, like a fixed project team.
- Membership follows no logical attribute pattern.
- The group holds exceptions you deliberately want to control by hand, like admin rights or executive access.
When dynamic wins
Dynamic groups pay for themselves once:
- The group has dozens or hundreds of members.
- People join and leave regularly.
- Membership neatly follows an attribute, like department, job title, location, or contract type.
The limits to know up front
Dynamic groups sound like the winner, but there are three limits Microsoft does not advertise loudly.
- They require P1. Without Microsoft Entra ID P1 you cannot create dynamic membership rules. For some tenants that is the only reason to stay static.
- No nested groups with group-based licensing. If you assign licenses through a group, members of a nested group do not count. Only direct members get the license. A dynamic group that contains other groups does not fix that.
- A dynamic group cannot be topped up by hand. You cannot add a single exception to a dynamic group; membership comes entirely from the rule. If you need exceptions, combine a dynamic group with a separate static group.
Processing time and recalculation
A change to an attribute does not instantly produce a new membership. Entra ID recalculates dynamic group membership periodically. In large tenants with many groups that can take some time. For access that has to be correct to the second, a dynamic group is not always the right choice; for most department and job-title access, the delay is easy to live with.
FAQ
Can I convert a static group to dynamic? Not directly while keeping members. You create a dynamic group with the right rule, confirm the same people end up in it, and then retire the static group. Do this in steps, not all at once.
Do dynamic groups also work for on-prem AD? Dynamic membership rules are an Entra ID feature. For on-prem AD groups you need a different mechanism. ServiceChanger applies rules to both Entra ID and on-prem AD, so a hybrid environment falls under one rule model.
How many dynamic groups can I have? The practical limit is around 15,000 dynamic groups per tenant.
How do I combine rules with exceptions? Keep the rule for the standard population in a dynamic group and put exceptions in a separate static group. Two groups, two responsibilities, no surprises.
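As an added, constructed illustration (not code from the original article or from ServiceChanger), this small Python simulator evaluates a subset of the membership-rule syntax against an exported list of user attributes and diffs the result against the hand-maintained group: that is the "confirm the same people end up in it" step of a static-to-dynamic migration, and the leftover names are exactly the people who belong in the separate static exceptions group. It assumes a constructed user sample, supports only -eq, -ne, -and, -or and parentheses, and compares strings exactly.

```python
import re
# Constructed sample of exported user attributes (not real tenant data).
USERS = [
    {"upn": "ann@contoso.example", "department": "Sales", "accountEnabled": True},
    {"upn": "bob@contoso.example", "department": "Sales", "accountEnabled": False},
    {"upn": "dee@contoso.example", "department": "Marketing", "accountEnabled": True},
]
# Supported subset of the rule syntax: parentheses, -and/-or, -eq/-ne, quoted strings, true/false.
TOKEN = re.compile(r'\s*(\(|\)|-and|-or|-eq|-ne|"[^"]*"|[\w.]+)', re.I)
OPS = {"-eq": lambda a, b: a == b, "-ne": lambda a, b: a != b}  # exact match in this simulator

def literal(tok):  # a quoted string or the bare words true/false
    if tok.startswith('"'): return tok[1:-1]
    if tok.lower() in ("true", "false"): return tok.lower() == "true"
    raise ValueError(f"unsupported literal {tok!r}")

class Rule:  # recursive descent: or := and (-or and)*, and := atom (-and atom)*
    def __init__(self, text):
        self.t, self.i, pos = [], 0, 0
        while pos < len(text.rstrip()):  # tokenize, refusing anything the grammar does not know
            m = TOKEN.match(text, pos)
            if not m: raise ValueError(f"cannot tokenize rule near {text[pos:pos + 12]!r}")
            self.t.append(m.group(1)); pos = m.end()
        self.fn = self._or()  # compiled predicate: user dict -> bool
        if self.i != len(self.t): raise ValueError("unexpected trailing tokens")
    def _peek(self): return self.t[self.i].lower() if self.i < len(self.t) else None
    def _take(self): self.i += 1; return self.t[self.i - 1]
    def _chain(self, sub, op, combine):
        f = sub()
        while self._peek() == op:
            self._take(); f = combine(f, sub())
        return f
    def _or(self): return self._chain(self._and, "-or", lambda a, b: lambda u: a(u) or b(u))
    def _and(self): return self._chain(self._atom, "-and", lambda a, b: lambda u: a(u) and b(u))
    def _atom(self):
        tok = self._take()
        if tok == "(":
            f = self._or()
            if self._take() != ")": raise ValueError("expected ')'")
            return f
        if not tok.lower().startswith("user."): raise ValueError(f"expected user.<attr>, got {tok!r}")
        attr, op, val = tok[5:], self._take().lower(), literal(self._take())
        return lambda u: OPS[op](u.get(attr), val)  # missing attribute compares as None
    def members(self, users): return {u["upn"] for u in users if self.fn(u)}

def migration_report(rule_text, static_members, users=USERS):
    """Diff the rule's computed membership against the static group you plan to retire."""
    dyn, static = Rule(rule_text).members(users), set(static_members)
    return {"both": sorted(dyn & static), "exceptions": sorted(static - dyn),
            "rule_only": sorted(dyn - static)}
```

Run the report against the real exported attributes before retiring the static group; anything under "exceptions" is the population for the separate static group, and "rule_only" shows who the rule would newly admit.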
Dynamic groups are the engine behind attribute-based access. For how to turn that into a complete model, read ABAC in Entra ID.
Next step
Want to set up dynamic group rules and keep the exceptions cleanly separate, across both Entra ID and on-prem AD? ServiceChanger manages both from one rule model. Book a demo or read the ABAC docs.