Entra ID Dynamic Groups - Using Date and Times
Microsoft Entra
Oct 4, 2023 12:00 PM

Entra ID Dynamic Groups - Using Date and Times

by HubSite 365 about John Savill's [MVP]

Principal Cloud Solutions Architect

AdministratorMicrosoft EntraM365 AdminLearning Selection

Master Microsoft Azure dynamic groups with this concise guide, explaining user attributes, rule-settings, and license requirements.

A Quick Overview: Entra Id Dynamic Groups

Microsoft's Entra Id Dynamic Groups offer a powerful tool for efficient user and device management.

In a tutorial video by Microsoft Valued Professional (MVP) John Savill, he demonstrates how to use date and time as part of the member expression for dynamic groups. Savill demonstrates how user's employment dates can be added to the system and used in a membership rule.

The use of system time and a datetimeoffset value are also explained.

  • Considering the dynamic nature of Entra Id groups, attributes of users or devices are set to automatically change. The system then evaluates whether any changes trigger membership alterations in the directory. If a user or device satisfies a group rule, they're added to the group. If they don't, they're removed. Notably, manual changes to group membership aren't possible.

    user.employeeHireDate -ge system. Now -minus p365d
    user.employeeHireDate  -le 2018-01-01T06:00:00

  • Furthermore, groups for devices must be created separately from groups for users. Creating a group that contains both users and devices isn't possible. Any group for devices can include only device attributes, excluding user attributes of the device owner.

Particularly important is the necessity of a Microsoft Entra ID P1 license or Intune for Education. Each user that's part of one or more of the dynamic groups requires a license. This requirement doesn't necessitate assigning licenses to users but emphasizes having enough licenses in the Microsoft Entra organization.

The Rule Builder of Azure Portal

When setting up complex rules, users can utilize the Azure portal's rule builder feature as it makes the process quicker. It supports up to five expressions and makes it easier to formulate a rule with simple expressions.

However, using the text box may be needed when the rule builder doesn't support the rule wanted, or when expression complexity is high. For example, more than five expressions, setting operator precedence or complex expressions (user.proxyAddresses -any (_ -contains "contoso")).

Note that validation, syntax, or dynamic group rules aren't changed by the rule builder despite potentially failing to display some rules.

General Overview of Entra Id Dynamic groups

Microsoft Entra ID provide a seamless way to manage users and devices by automatically assigning them to groups based on their attributes. This saves administrators time and ensures better governance as entities are grouped efficiently. Aside from aiding in the organization and identification of users and devices, Dynamic Groups also contribute significantly to security and automation throughout the Azure network. Better yet, Azure's flexibility allows businesses to tailor the characteristics, rules, and requirements of these dynamic groups to their specific needs.


Read the full article Guide to Setting Up Azure Dynamic Groups: Date & Time

Learn about Guide to Setting Up Azure Dynamic Groups: Date & Time

Interested in learning how to set up Azure Dynamic Groups? There's a useful YouTube video that offers a fast and easy guide, demonstrating the use of date and time as part of the member expression for dynamic groups. Examples include expressions such as "user.employeeHireDate -ge system.Now -minus p365d" and "user.employeeHireDate -le 2018-01-01T06:00:00Z".

The video is neatly organized, with timestamps for each significant topic: introduction, the use of rules, the application of 'system.now', utilization of a datetimeoffset value, the question of employee leaving dates, and an overall summary.

On a related note, be aware that not all browsers are compatible for this. It is recommended to use Microsoft Edge for optimizing features, security updates, and technical support. The Dynamic membership feature in the Microsoft Entra ID forms a key part of Microsoft Entra.

  • Dynamic membership lets you set attribute-based rules to enable automatic addition and removal of group members using membership rules based on member attributes.
  • Groups can be security groups or Microsoft 365 groups, and members can be users or devices.
  • A user or a device can be added or removed from a dynamic group conditionally, based on whether they satisfy a rule. If they don't, they're removed.
  • Note that manual additions or removals are not possible.
  • A dynamic group can involve devices or users, but not both.
  • It's not possible to create a device group based on the user attributes of the device owner.

Please note that the use of this feature requires a Microsoft Entra ID P1 license or Intune for Education for every unique user in one or more dynamic groups. Users do not need these licenses to be members of dynamic groups, but you need to possess at least enough licenses to fit all such users. For instance, you would need at least 1,000 licenses for Microsoft Entra ID P1 for 1,000 unique users across your dynamic groups. However, devices do not require these licenses.


Create or update a dynamic group in Microsoft Entra ID
Sep 21, 2023 — This article tells how to set up a rule for a dynamic group in the Azure portal. ... date on the Overview page for the group. Diagram of dynamic ...


Azure Dynamic Groups Setup Guide, Setting Up Azure Dynamic Groups, Azure Dynamic Groups Date Time, Creating Azure Dynamic Groups, Azure Active Directory Dynamic Groups, Azure AD Dynamic Groups Setup, Azure Dynamic User Groups Configuration, Guide to Azure Dynamic Groups, Azure Dynamic Groups Creation Guide, Azure AD Dynamic Groups Management