This chapter covers dynamic membership groups in Azure Active Directory (Azure AD), a key feature for automating user and device group membership based on rules. For the AZ-104 exam, understanding dynamic groups is critical for identity governance, typically appearing in 5-10% of questions related to managing Azure AD objects. You'll learn how to create, manage, and troubleshoot dynamic groups, including rule syntax, processing delays, and best practices.
Imagine a private club that uses a smart door system. Instead of manually updating a list of members each time someone joins or leaves, the system automatically grants or revokes access based on predefined rules. For example, all employees of a certain company (identified by their email domain) get automatic membership. When a new employee joins that company, their email domain matches the rule, and the system adds them to the member list within 24 hours. If an employee leaves the company, their email domain changes or is deactivated, and the system automatically removes them. The club doesn't need a human to update the list—the rules do it. However, the system only checks for rule matches every few minutes, so there's a slight delay. Also, if an employee changes their email domain but still works for the company, they might temporarily lose access until the system re-evaluates. This mirrors how dynamic membership groups in Azure AD automatically add or remove users based on rules, with a processing delay and potential edge cases.
What Are Dynamic Membership Groups?
Dynamic membership groups in Azure AD allow you to automatically add or remove users or devices from a group based on rules you define. Instead of manually assigning members, you write a rule that evaluates attributes of users or devices. When a user or device's attributes change, Azure AD re-evaluates the rule and updates group membership accordingly. This reduces administrative overhead and ensures membership stays current.
Why Use Dynamic Groups?
Dynamic groups are essential for automated access control, licensing assignment, and policy enforcement. For example, you can create a group that includes all users in the Sales department, and assign them a specific app or license. When a new salesperson is hired, they are automatically added to the group; when they leave, they are removed. This eliminates manual updates and reduces errors.
How Dynamic Groups Work Internally
Azure AD processes dynamic group rules using a background engine that evaluates rules periodically. The engine checks for changes in user or device attributes that match the rule expression. When a match occurs, the user or device is added to the group; when an attribute changes so that it no longer matches, the member is removed. The processing is not instantaneous—there is a delay. For small groups (under 100,000 members), the delay is typically a few minutes. For larger groups, it can take up to 30 minutes or more. The rule engine uses a property-based syntax that supports user and device attributes.
Rule Syntax and Structure
A dynamic group rule consists of one or more expressions that evaluate to true or false. The basic syntax is: (user.department -eq "Sales"). You can combine multiple expressions using logical operators: -and, -or, -not. You can also use nested expressions with parentheses. The rule must be a single string that evaluates to a Boolean result. Common operators include:
- -eq (equals)
- -ne (not equals)
- -like (string match with wildcards, e.g., -like "*Contoso*")
- -notlike (negation of -like)
- -startsWith (string starts with the value)
- -endsWith (string ends with the value)
- -contains (for arrays: the array contains the value)
- -notContains (negation of -contains)
- -in (value is in a list literal, e.g., -in ["US", "CA"])
- -notIn (negation of -in)
- -match (regex match, case-sensitive)
- -notMatch (negation of -match)
Device rules use the device. prefix instead of user. For example: (device.deviceOSType -eq "Windows").
Supported Attributes
For users: user.department, user.jobTitle, user.country, user.city, user.employeeId, user.userPrincipalName, user.extensionAttribute1 through user.extensionAttribute15, user.assignedPlans, user.usageLocation, etc. For devices: device.displayName, device.deviceOSType, device.deviceOSVersion, device.devicePhysicalIds, device.isRooted, device.deviceCategory, device.deviceTrustType, device.extensionAttribute1, etc.
Rule Builder vs. Manual Entry
In the Azure portal, you can use the rule builder to construct rules with dropdowns and checkboxes. However, the AZ-104 exam expects you to understand the raw rule syntax. You can also enter rules manually using the text box. The rule builder is limited; for complex rules, manual entry is required.
Processing and Re-evaluation
Azure AD evaluates dynamic group rules periodically. The evaluation is triggered by attribute changes (like a user's department being updated) and also runs on a scheduled basis (every 24 hours for full synchronization). When a rule changes, Azure AD re-evaluates all members of that group. The group membership is updated asynchronously. You can check the processing status in the Azure portal under the group's "Dynamic membership rules" tab. A message indicates when the last membership was updated.
Group Types and Dynamic Membership
Dynamic membership is supported only by Azure AD security groups and Microsoft 365 groups; distribution groups and mail-enabled security groups do not support it. Dynamic groups can be created in the Azure portal, with Azure AD PowerShell, or through the Microsoft Graph API.
Limitations and Quotas
A tenant can have up to 15 dynamic groups per license type (Azure AD Free includes 5 dynamic groups, Azure AD Premium P1 includes 15, Premium P2 includes 15). Note: These limits may have changed; check current documentation.
A single dynamic group can have up to 5,000 rules (expressions) combined.
The rule string length is limited to 15,000 characters.
Dynamic groups can have up to 15,000 members for Azure AD Free, and up to 100,000 members for Azure AD Premium P1/P2 (or higher with larger limits).
Dynamic groups cannot be nested (you cannot add a dynamic group as a member of another group).
Dynamic groups cannot contain other groups as members; they only contain users or devices.
You cannot convert a static group to a dynamic group or vice versa; you must create a new group.
Interaction with Other Features
Dynamic groups integrate with Azure AD conditional access, enterprise app assignment, and licensing. For example, you can assign a license to a dynamic group so that new members automatically get the license. However, licensing assignment may take additional time (up to 24 hours). Conditional access policies can target dynamic groups, but note that group membership evaluation may cause delays in policy enforcement.
Verification and Troubleshooting
To verify dynamic group membership, you can use the Azure portal to view members after processing. Use PowerShell cmdlets like Get-AzureADMSGroup and Get-AzureADGroupMember to check membership. To troubleshoot, ensure that the attributes referenced in the rule exist and have correct values. Use the "Validate Rules" feature in the portal to test a rule against a specific user before saving. Also, check the "Processing status" to see if there are errors. Common errors include invalid attribute names, syntax errors, or exceeding quotas.
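The rule syntax described earlier in this chapter and the troubleshooting steps in this section can both be exercised offline with a small rule evaluator. The following is an added example written for this page; it is not Azure AD's rule engine and not code from the original page. It tokenizes and parses rules in the page's syntax (user./device. attributes, the listed comparison operators, -and/-or/-not, parentheses, null, and a list literal for -in), then evaluates them against constructed sample users and devices. The sample objects and names are made up, and the comparison semantics (case-insensitive -eq and -like, the substring fallback for -contains on a single value, and -not before -and before -or precedence) are this model's assumptions; only -match being case-sensitive comes from the page. Bracket real rules with parentheses and confirm behaviour with the portal's Validate Rules feature.

```python
import re

# Constructed sample objects (not real tenant data); None = attribute not populated, list = multi-valued.
USERS = {
    "alice@contoso.example": {"user.department": "Sales", "user.country": "US", "user.assignedPlans": ["M365_E5"]},
    "bob@contoso.example": {"user.department": "sales", "user.country": "CA", "user.assignedPlans": []},
    "carol@contoso.example": {"user.department": "Marketing", "user.country": None, "user.assignedPlans": ["M365_E3"]},
}
DEVICES = {"IPHONE-01": {"device.deviceOSType": "iOS"}, "WS-CONTOSO-77": {"device.deviceOSType": "Windows"}}
TOKEN_RE = re.compile(r'''\s*(?:(?P<punct>[()\[\],]) | "(?P<string>[^"]*)" | (?P<op>-[A-Za-z]+)\b
    | (?P<null>null)\b | (?P<number>\d+)\b | (?P<attr>[A-Za-z_]\w*\.[A-Za-z0-9_]+))''', re.VERBOSE)

def tokenize(rule):
    tokens, pos = [], 0                                    # programming-style '=' or '==' match nothing and fail here
    while pos < len(rule) and not rule[pos:].isspace():
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"syntax error at offset {pos}: {rule[pos:pos + 15]!r}")
        kind, text = m.lastgroup, m.group(m.lastgroup)
        tokens.append((kind, int(text) if kind == "number" else None if kind == "null" else text.lower() if kind == "op" else text))
        pos = m.end()
    return tokens + [("end", None)]                        # sentinel so the parser can always look ahead
def op_eq(actual, expected):
    if actual is None or expected is None:                 # "-eq null" tests for an unpopulated attribute
        return actual is None and expected is None
    return str(actual).lower() == expected.lower() if isinstance(expected, str) else actual == expected
# Positive forms; each -notX evaluates as "not X". Case-insensitive -eq/-like and the -contains substring
# fallback for single-valued attributes are this model's assumptions; -match is case-sensitive, as the page states.
POSITIVE = {
    "-eq": op_eq,
    "-like": lambda a, e: a is not None and re.fullmatch(".*".join(map(re.escape, str(e).split("*"))), str(a), re.I) is not None,
    "-contains": lambda a, e: any(op_eq(x, e) for x in a) if isinstance(a, list) else a is not None and str(e).lower() in str(a).lower(),
    "-in": lambda a, e: any(op_eq(a, x) for x in e),
    "-match": lambda a, e: a is not None and re.search(str(e), str(a)) is not None,
}
NEGATIVE = {"-ne": "-eq", "-notlike": "-like", "-notcontains": "-contains", "-notin": "-in", "-notmatch": "-match"}

class RuleParser:
    """Recursive descent; precedence assumed here is -not, then -and, then -or (real rules should use parentheses)."""
    def __init__(self, rule):
        self.tokens, self.pos = tokenize(rule), 0
        self.tree, _ = self.expr(), self.take("end")       # nothing may follow the expression
    def take(self, kind, text=None):
        got_kind, got = self.tokens[self.pos]
        if got_kind != kind or (text is not None and got != text):
            raise ValueError(f"expected {text or kind}, got {got!r}")
        self.pos += 1
        return got
    def expr(self):
        return self.binary("-or", lambda: self.binary("-and", self.unary))
    def binary(self, op, operand):
        left = operand()
        while self.tokens[self.pos] == ("op", op):
            self.pos += 1
            left = (op[1:], left, operand())
        return left
    def unary(self):
        if self.tokens[self.pos] == ("op", "-not"):
            self.pos += 1
            return ("not", self.unary())
        if self.tokens[self.pos] == ("punct", "("):
            self.pos += 1
            inner = self.expr()
            self.take("punct", ")")
            return inner
        attr, op, value = self.take("attr"), self.take("op"), self.value()
        if NEGATIVE.get(op, op) not in POSITIVE or (op in ("-in", "-notin")) != isinstance(value, list):
            raise ValueError(f"bad operator or value for {op}: a list literal goes only, and always, with -in / -notIn")
        return ("cmp", attr, op, value)
    def value(self):
        kind = self.tokens[self.pos][0]
        if kind in ("string", "number", "null"):
            return self.take(kind)
        self.take("punct", "[")                            # otherwise a list literal such as ["US", "CA"]
        items = [self.value()]
        while self.tokens[self.pos] == ("punct", ","):
            self.pos += 1
            items.append(self.value())
        self.take("punct", "]")
        return items

def evaluate(node, attrs):
    if node[0] == "not":
        return not evaluate(node[1], attrs)
    if node[0] in ("and", "or"):
        left, right = evaluate(node[1], attrs), evaluate(node[2], attrs)
        return (left and right) if node[0] == "and" else (left or right)
    _, attr, op, expected = node
    return POSITIVE[NEGATIVE.get(op, op)](attrs.get(attr), expected) != (op in NEGATIVE)   # -notX inverts X
def comparisons(node):
    return [node] if node[0] == "cmp" else [c for child in node[1:] for c in comparisons(child)]
def members(rule, objects, membership_type):
    """Names of the objects the rule admits; membership_type ('user' or 'device') fixes the prefix, as the portal does."""
    tree = RuleParser(rule).tree
    wrong = sorted({c[1] for c in comparisons(tree) if not c[1].startswith(membership_type + ".")})
    if wrong:
        raise ValueError(f"a Dynamic {membership_type.title()} group cannot use {', '.join(wrong)}")
    return sorted(name for name, attrs in objects.items() if evaluate(tree, attrs))
def explain(rule, attrs):
    """Validate Rules-style report for one object: (attribute, operator, expected, actual, matched) per comparison."""
    return [(a, op, e, attrs.get(a), evaluate(c, attrs)) for c in comparisons(RuleParser(rule).tree) for _, a, op, e in [c]]
```

members() applies the same prefix check the portal does when you choose Dynamic User or Dynamic Device, and rejects the exam's classic distractors at parse time: = or == instead of -eq, an unbalanced parenthesis, or a list literal with anything other than -in/-notIn. explain() is the offline analogue of Validate Rules: run it for the one user who is not appearing in the group and the report lists every comparison with the attribute value actually seen, so an unpopulated country or a department that reads Marketing instead of Sales is visible at once.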
Best Practices
- Use simple rules when possible. Complex rules are harder to troubleshoot and may take longer to process.
- Test rules using the validation tool.
- Monitor group membership changes using audit logs.
- Use extension attributes for custom data that is not available in standard attributes.
- Avoid using dynamic groups for very frequent changes (e.g., every few minutes) as there is a processing delay.
- Document rules for governance.
Exam Relevance
For AZ-104, you need to know how to create and manage dynamic groups, write rules using the correct syntax, understand processing delays, and know the limitations. Questions may ask you to choose the correct rule to add users from the Sales department in the US, or to identify why a user is not being added to a group. Pay attention to attribute prefixes (user. vs device.) and operator syntax. Also, know that dynamic groups are not available for Azure AD Free tier (only for Premium P1 or P2).
Sign in to Azure Portal
Navigate to Azure Active Directory > Groups > New group. Select Security or Microsoft 365 as group type. For dynamic groups, you must choose a group type that supports dynamic membership. Note: You cannot create a dynamic group in Azure AD Free tier; you need at least Azure AD Premium P1. If you don't have the required license, the dynamic membership option will be greyed out.
Select Dynamic Membership Type
Under Membership type, choose 'Dynamic User' or 'Dynamic Device' depending on whether the group will contain users or devices. This determines the attribute prefix (user. or device.) used in the rule. If you choose Dynamic User, you can only write rules using user attributes. If you choose Dynamic Device, you use device attributes. This selection cannot be changed after the group is created.
Write the Dynamic Rule
Click 'Add dynamic query' to open the rule editor. You can use the rule builder or manually edit the rule syntax. For example, to add all users in the Sales department: (user.department -eq "Sales"). For multiple conditions: (user.department -eq "Sales") -and (user.country -eq "US"). Ensure correct syntax: use double quotes for string values, no quotes for numbers. Use parentheses to group expressions. Click 'Save' when done.
Validate the Rule
Before saving the group, use the 'Validate Rules' feature to test the rule against a sample user. Enter a user's UPN or object ID and click 'Test'. The system will evaluate the rule and show whether the user would be added to the group. This helps catch syntax errors or logic issues. If validation fails, check the rule syntax and attribute values.
Create the Group
After validation, click 'Create' to create the dynamic group. The group is created with no members initially. Azure AD starts processing the rule asynchronously. The group's 'Members' tab will show 'Processing' until the initial membership evaluation completes. For small groups, this takes a few minutes; for larger groups, up to 30 minutes or more. You can monitor the processing status on the group's overview page.
Monitor Membership Changes
After creation, monitor the group to ensure members are added correctly. Use the Azure portal to view members after processing. You can also use PowerShell: Get-AzureADGroupMember -ObjectId <group-id>. Check audit logs for membership changes. Note that attribute changes on users trigger re-evaluation, but there is a delay. If a user's department changes, they will be added/removed within minutes for small groups.
Scenario 1: Automated Licensing for Sales Team
A multinational company wants to assign Microsoft 365 E5 licenses to all sales employees globally. They create a dynamic security group with rule: (user.department -eq "Sales"). When HR updates a user's department to Sales in Azure AD (synchronized from on-premises Active Directory via Azure AD Connect), the user is automatically added to the group within a few minutes. The license assignment is configured on the group, so the new user gets the license automatically (though licensing may take up to 24 hours). When a salesperson leaves the company and their account is disabled or department changed, they are removed from the group and the license is revoked. This eliminates manual license management. However, if the HR system has a delay in updating the department attribute, the user may not get the license promptly. Also, if the dynamic group reaches the member limit (e.g., 100,000 for Premium), new users may not be added, causing licensing failures.
Scenario 2: Conditional Access for Mobile Devices
A healthcare organization wants to enforce conditional access policies for mobile devices that access patient data. They create a dynamic device group with rule: (device.deviceOSType -eq "Android") -or (device.deviceOSType -eq "iOS"). All Android and iOS devices enrolled in Azure AD are automatically added to this group. They then create a conditional access policy that requires multi-factor authentication and device compliance for this group. When a new employee enrolls an iPhone, it is added to the group, and the policy applies. If the device is retired or the OS type changes, it is removed. However, note that dynamic device groups only include devices that are registered in Azure AD (Azure AD registered, joined, or hybrid joined). Devices that are not registered are not evaluated. Also, the group membership update may take up to 30 minutes, so there is a window where a new device might not have the policy applied.
Scenario 3: Dynamic Groups for Regional IT Policies
A company with offices in multiple countries wants to apply different IT policies based on user location. They create dynamic groups for each region: US-Employees with rule (user.country -eq "US"), EU-Employees with (user.country -eq "EU"), etc. They then assign region-specific apps and policies to each group. However, they discover that some users have incorrect country attributes due to data entry errors. They implement a process to validate and clean the country attribute. They also use extension attributes to handle edge cases where a user works in multiple regions. The dynamic groups simplify policy management but require accurate attribute data. If the country attribute is not populated, the user will not be added to any regional group. They also use the validation tool to test rules before creating groups to avoid misconfigurations.
The AZ-104 exam tests dynamic membership groups under objective 1.1, which includes managing Azure AD objects. You can expect 2-3 questions on this topic. The exam focuses on:
Rule Syntax: You must be able to identify the correct rule syntax. Common distractors include using incorrect prefixes (e.g., user. for device groups), wrong operators (e.g., = instead of -eq), or missing parentheses. A typical question: "You need to create a dynamic group that includes all users whose department equals 'Sales' and whose country equals 'US'. Which rule should you use?" Correct answer: (user.department -eq "Sales") -and (user.country -eq "US"). Wrong answers might use -or instead of -and, or omit parentheses.
Processing Delay: The exam tests that dynamic group membership is not immediate. Questions may ask: "A user was added to the Sales department 10 minutes ago, but they are not yet a member of the dynamic group. What is the most likely reason?" Correct answer: The group membership is still being processed (delay up to 30 minutes). Wrong answers might suggest the rule is wrong or the user needs to be added manually.
Limitations: Know that dynamic groups cannot be nested, cannot contain other groups, and have member limits. A question might ask: "You need to create a group that contains all users in the Sales department and all users in the Marketing department. You create two dynamic groups and then add them to a static group. Will this work?" Answer: No, because dynamic groups cannot be members of other groups (only users/devices can be members).
Licensing Requirements: Dynamic groups require Azure AD Premium P1 or P2. A question might state: "Your tenant uses Azure AD Free. Can you create a dynamic group?" Answer: No, you need at least Premium P1.
Conversion: You cannot convert a static group to dynamic or vice versa. If you need to change the membership type, you must create a new group and delete the old one.
Common Wrong Answers:
- Choosing -contains instead of -eq for exact match. -contains is for arrays, not strings.
- Using device. prefix for user rules.
- Assuming membership is instant.
- Thinking dynamic groups can include other groups.
Edge Cases:
- If a user has multiple departments (array attribute), use -contains to check if the array contains a value.
- For device rules, device.deviceOSType returns the OS type as a string (e.g., "Windows", "iOS").
- Extension attributes are available for dynamic rules but must be populated first.
How to Eliminate Wrong Answers:
- Check the prefix: user vs device.
- Check operator syntax: -eq not =.
- Check logic: -and vs -or.
- If the question mentions a delay, look for answer choices that acknowledge the processing time.
- Dynamic groups automatically add/remove users or devices based on rules using user. or device. prefixes.
- Rule syntax uses operators like -eq, -ne, -like, -contains, etc., not = or ==.
- Dynamic groups require Azure AD Premium P1 or P2 license.
- Membership updates are not instant; processing can take up to 30 minutes.
- Dynamic groups cannot be nested or contain other groups.
- You cannot convert a static group to dynamic; you must create a new group.
- Use the Validate Rules feature to test a rule against a specific user before creating the group.
- Dynamic groups support up to 15,000 members for Free tier (if upgraded) and up to 100,000+ for Premium.
These come up on the exam all the time. Here's how to tell them apart.
Dynamic Security Group
- Membership is automatically updated based on rules.
- Requires Azure AD Premium P1 or P2.
- Cannot contain other groups.
- Membership changes have a processing delay.
- Ideal for automated governance and large-scale environments.
Static Security Group
- Membership is manually assigned or added via scripts.
- Available in all Azure AD editions (Free, Basic, Premium).
- Can contain users, devices, and other groups (nested).
- Membership changes are immediate.
- Suitable for small, static groups or when manual control is needed.
Mistake
Dynamic group membership updates are instantaneous.
Correct
Membership updates are not instant. There is a processing delay that can range from a few minutes for small groups to up to 30 minutes for larger groups. The exam expects you to know that changes take time.
Mistake
Dynamic groups can contain other groups.
Correct
Dynamic groups can only contain users or devices, not other groups. You cannot nest dynamic groups. If you need to combine multiple dynamic groups, you must create a single rule that includes all conditions using logical operators.
Mistake
You can convert a static group to a dynamic group by changing the membership type.
Correct
You cannot convert a static group to a dynamic group or vice versa. You must create a new group with the desired membership type and delete the old one. This is a common exam trap.
Mistake
Dynamic groups are available in all Azure AD editions.
Correct
Dynamic groups require Azure AD Premium P1 or P2. They are not available in Azure AD Free. The exam may test this licensing requirement.
Mistake
The rule syntax uses C# or PowerShell operators.
Correct
Dynamic group rules use a specific syntax with operators like -eq, -ne, -like, etc. They are not standard programming operators. For example, use -eq not == or =.
A dynamic user group contains users based on user attributes (e.g., department, job title). A dynamic device group contains devices based on device attributes (e.g., OS type, compliance status). The rule prefix differs: user. for user groups, device. for device groups. You must choose the correct type when creating the group.
The processing time varies. For groups with fewer than 100,000 members, it typically takes a few minutes. For larger groups, it can take up to 30 minutes. Azure AD also performs a full evaluation every 24 hours. The exam expects you to know that there is a delay and that updates are not instant.
No. Dynamic groups require at least Azure AD Premium P1. If you have Azure AD Free, you cannot create dynamic groups. You would need to upgrade your license.
No. Dynamic groups can only contain users or devices, not other groups. If you need to combine multiple sets of users, you must create a single dynamic group with a combined rule using -and/-or operators.
First, verify the user's attributes match the rule. Use the Validate Rules feature to test the rule against that user. Check the group's processing status for errors. Ensure the group is not at its member limit. Also, check that the user has the required attributes populated. If the rule uses extension attributes, ensure they are populated.
The default limit is 15 dynamic groups per tenant for Azure AD Premium P1/P2. However, this can be increased by contacting support. There is also a limit of 5,000 rules per group and 15,000 characters per rule string.
Yes, you can assign licenses (e.g., Microsoft 365) to a dynamic group. When a user is added to the group, they will receive the license automatically, though it may take up to 24 hours. When removed, the license is revoked.