Automating Entra ID group membership with attributes

Ruben van der Graaf · 3 min read

How to let Entra ID group membership follow HR attributes like job title, department, and location automatically. From concept to working dynamic groups.

Filling Entra ID groups by hand is one of the biggest time sinks on the service desk. This post shows how to automate it fully with dynamic groups and attribute rules, and what to watch out for.

TL;DR

  • Dynamic groups in Entra ID replace hand-maintained memberships
  • Membership rules read user attributes such as jobTitle, department, and officeLocation
  • Works for Microsoft 365 groups and security groups; mail-enabled security groups cannot be dynamic, and Exchange distribution lists use Exchange's own dynamic distribution groups instead
  • Microsoft caps a tenant at 15,000 groups with dynamic membership, which is rarely a constraint
  • Test each rule on a small subset before going live

The problem

Every time someone joins or leaves, someone on the service desk has to add them to the right Teams, grant SharePoint rights, update a distribution list, and sync an Intune group. At, say, 500 employees and 10 onboardings a month, that adds up to hours of work each week, and steps get skipped because someone forgets one.

How it works

A dynamic group has a membership rule instead of a hand-maintained member list. Entra ID re-evaluates the rule whenever a user's attributes change (or the rule itself changes) and adds or removes members so the group reflects who currently matches. Dynamic membership requires a Microsoft Entra ID P1 license for the users in those groups.

Example: every engineer at the Lichtenvoorde office, automatically in the Engineering-Lichtenvoorde group.

(user.jobTitle -contains "Engineer") and (user.officeLocation -eq "Lichtenvoorde")

When a new engineer's attributes are set in Entra ID, they land in the group automatically, and with it everything attached to the group: Teams membership, the SharePoint site, the group's email address. In small directories that happens within minutes; in large tenants the recalculation can take longer (see the FAQ).

Which attributes work well

The most reliable ABAC attributes in Entra ID come straight from HR:

  • jobTitle
  • department
  • officeLocation
  • companyName
  • employeeId
  • extensionAttribute1 through extensionAttribute15 for custom fields

Avoid attributes users can edit in their own profile, such as displayName or mobilePhone, and more generally any attribute written by something other than the HR feed. Whoever can write an attribute that drives a rule can grant themselves the access behind it, so check each attribute's write path before you build on it.

Works with Microsoft 365 and security groups

Dynamic membership works for two group types:

Type            Use                                   Example
Microsoft 365   Teams, SharePoint, group mailbox      All marketing staff in the Marketing team
Security        App access, Conditional Access        All contractors get MFA enforced

Mail-enabled security groups and Exchange distribution lists cannot have dynamic membership in Entra ID. A team that needs a shared address plus access uses a Microsoft 365 group, which comes with its own mailbox.

One rule, one group, multiple purposes. Two constraints to know up front: you cannot add or remove individual members by hand alongside the rule, and groups that are eligible for Entra role assignment cannot use dynamic membership.

Step plan

  1. Start with a Data Cleaner pass. Inconsistent job titles ("Engineer", "Engineer ", "engineer") make dynamic rules match fewer people than you expect.
  2. Write a first rule for one scoped group, for example "Engineering-Lichtenvoorde".
  3. Test the rule on a handful of users first, using the Validate Rules preview in the portal, before you apply it more broadly.
  4. Check which users match. Too many? Too few? Adjust the rule.
  5. Go live.
  6. Repeat for the next group.

Not all groups at once. Start with three to five priority ones, measure the effect, expand from there.
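The step plan above, walked through with Microsoft Graph PowerShell. This is an added example, not code from the original article or from ServiceChanger: the group name, the rule, and the test account are assumptions for illustration, and the directory-side evaluation call uses a Graph beta endpoint.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph
# module and an Entra ID P1 tenant. Group name, rule and test user are assumed.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.ReadWrite.All' -NoWelcome

$rule = '(user.jobTitle -contains "Engineer") and (user.officeLocation -eq "Lichtenvoorde")'

# Step 1: data-cleaning pass. Pull the attributes the rule reads and look at the
# distinct values. Near-duplicates here ("Engineer", "Engineer ", "engineer")
# are what make a rule match fewer people than you expect.
$users = Get-MgUser -All -Property Id, UserPrincipalName, JobTitle, OfficeLocation, UserType, AccountEnabled |
    Where-Object { $_.UserType -eq 'Member' -and $_.AccountEnabled }

$users | Group-Object JobTitle | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'JobTitle'; e = { "'$($_.Name)'" } } | Format-Table -AutoSize
$users | Group-Object OfficeLocation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Steps 2-4: preview the match client-side before creating anything.
# PowerShell's -like and -eq are case-insensitive, so treat this as an
# approximation of the directory's evaluation, not a replacement for the
# portal's Validate Rules check.
$preview = $users | Where-Object {
    $_.JobTitle -like '*Engineer*' -and $_.OfficeLocation -eq 'Lichtenvoorde'
}
"Rule would match $($preview.Count) of $($users.Count) enabled members:"
$preview | Select-Object UserPrincipalName, JobTitle, OfficeLocation | Format-Table -AutoSize

# Step 5: create the group with rule processing paused, so nothing is granted
# until you have looked at it, then switch processing on.
$group = New-MgGroup -DisplayName 'Engineering-Lichtenvoorde' `
    -MailNickname 'engineering-lichtenvoorde' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'Paused'

# Ask the directory itself whether one user would match the paused rule
# (evaluateDynamicMembership is a Graph beta action).
$testUpn  = 'test.engineer@contoso.example'   # assumed test account
$testUser = Get-MgUser -UserId $testUpn -Property Id
$result   = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/groups/$($group.Id)/evaluateDynamicMembership" `
    -Body @{ memberId = $testUser.Id }
"Directory evaluation for $testUpn : $($result.membershipRuleEvaluationResult)"

# Go live only once the preview and the directory evaluation agree with you.
Update-MgGroup -GroupId $group.Id -MembershipRuleProcessingState 'On'
```

Creating the group paused and turning processing on as a separate step is deliberate: a rule that is too broad grants Teams, SharePoint and app access to everyone it matches the moment it is evaluated, and the only thing between a typo and that outcome is the preview you did beforehand.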

Pitfalls

  1. Stale attributes. If HR updates a job title three weeks late, the person sits in the wrong groups for three weeks. Sync from HR at least daily, and treat the HR feed, not the directory, as the source of truth.
  2. Inclusion vs exclusion. A rule only excludes what you explicitly tell it to. You can exclude a single user by appending a clause such as and (user.mail -ne "[email protected]"), but that is easy to forget and breaks silently when the address changes; prefer excluding by attribute with a -not clause on jobTitle or userType.
  3. Never use displayName. Users can sometimes edit it themselves, and then your access model rests on a value its subject controls.
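A check for the attribute warning above and for pitfalls 2 and 3: a small PowerShell linter that scans membership rules for self-editable attributes and for exclusions by individual address, first on constructed rules and then, optionally, on every dynamic group in the tenant. This is an added example, not code from the original article or from ServiceChanger; the list of user-editable attributes is an assumption you should adjust to what your tenant actually lets users change in their own profile.

```powershell
# Added example, not from the original article. The $selfEditable list is an
# assumption; verify which attributes your tenant lets users edit themselves.
function Test-MembershipRuleHygiene {
    param([Parameter(Mandatory)][string]$Rule)

    # Attributes a user (or a non-HR process) may be able to write. Anything
    # here lets the subject influence their own group membership.
    $selfEditable = 'displayName', 'mobile', 'telephoneNumber', 'givenName',
                    'surname', 'streetAddress', 'city', 'postalCode'
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($attr in $selfEditable) {
        # -match is case-insensitive in PowerShell, which suits the rule syntax.
        if ($Rule -match "\buser\.$attr\b") {
            $findings.Add("uses self-editable attribute user.$attr")
        }
    }

    # Exclusion by naming individuals: -ne or -notIn against mail or UPN.
    # These break silently when the person's address changes.
    if ($Rule -match 'user\.(mail|userPrincipalName)\s+-(ne|notIn)\s') {
        $findings.Add('excludes individual users by address; use a -not clause on an HR attribute instead')
    }

    # A rule that matches every user the directory knows about.
    if ($Rule -match 'user\.objectId\s+-ne\s+null') {
        $findings.Add('matches all users (objectId -ne null); confirm that is intended')
    }

    return $findings
}

# Constructed rules (not from any tenant) to show what the function flags.
$samples = [ordered]@{
    'Engineering-Lichtenvoorde' = '(user.jobTitle -contains "Engineer") and (user.officeLocation -eq "Lichtenvoorde")'
    'Finance-minus-one'         = '(user.department -eq "Finance") and (user.mail -ne "someone@contoso.example")'
    'By-display-name'           = 'user.displayName -startsWith "Dr."'
}
foreach ($name in $samples.Keys) {
    $f = Test-MembershipRuleHygiene -Rule $samples[$name]
    '{0,-26} {1}' -f $name, $(if ($f) { $f -join '; ' } else { 'ok' })
}

# The same check over a real tenant. Group.Read.All is enough to read rules;
# call Connect-MgGraph -Scopes 'Group.Read.All' first.
function Get-TenantRuleFindings {
    Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
        -Property DisplayName, MembershipRule, MembershipRuleProcessingState |
        ForEach-Object {
            $f = Test-MembershipRuleHygiene -Rule $_.MembershipRule
            if ($f) {
                [pscustomobject]@{
                    Group   = $_.DisplayName
                    State   = $_.MembershipRuleProcessingState
                    Finding = $f -join '; '
                }
            }
        }
}
# Get-TenantRuleFindings | Format-Table -AutoSize
```

Run it after every rule change and on a schedule: a rule that was clean when written can become a problem later when an attribute's write path changes, for example when users are allowed to edit more of their profile.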

FAQ

How fast does Entra ID process an attribute change? Microsoft documents that dynamic membership changes are usually processed within a few hours, but it can take up to 24 hours depending on the number of groups, the volume of changes, and rule complexity. For critical access changes like offboarding, do not wait for dynamic evaluation: disable the account and revoke its sessions explicitly, then clean up licenses and group memberships.

Can a user be in multiple dynamic groups? Yes, same as manual groups. Overlapping memberships are fine as long as the rules do not contradict each other.

Does this work for guest users? Yes, but guest attributes are often sparse, so a rule on department or jobTitle silently leaves guests out. Write explicit rules for guests, for example user.userType -eq "Guest".

Want the full model behind these rules? Read ABAC in Entra ID for the membership rules and the limits you hit in practice.

Next step

ServiceChanger builds dynamic groups and the ABAC rules behind them in your tenant, based on the attributes already in your Entra ID. Book a demo or read the Automated Group Assignment docs.