Learn About Groups and Access Rights in Microsoft Entra ID
applications, and tasks. With Microsoft Entra groups, you can grant access and
permissions to a group of users instead of to each user individually. Limiting
access to Microsoft Entra resources to only those users who need it is one of
the core security principles of Zero Trust.
This article provides an overview of how groups and access rights can be used
together to make managing your Microsoft Entra users easier while also applying
security best practices.
Microsoft Entra ID lets you use groups to manage access to applications, data, and
resources. Resources can be:
Groups synced from on-premises Active Directory can be managed only in on-premises
Active Directory.
Distribution lists and mail-enabled security groups can be managed only in the
Exchange admin center or the Microsoft 365 admin center; sign in to one of those
to manage these groups.
What to know before creating a group
There are two group types and three group membership types. Review the options to
find the right combination for your scenario.
Group types:
Security: Used to manage user and computer access to shared resources.
For example, you can create a security group so that all group members have the
same set of security permissions. Members of a security group can include users,
devices, service principals, and other groups (also known as nested groups), which
define access policy and permissions. Owners of a security group can include users
and service principals.
Note
When nesting an existing security group into another security group, only members
of the parent group have access to the shared resources and applications. Nested
group members don't have the same assigned membership as the parent group members.
For more info about managing nested groups, see How to manage groups.
Microsoft 365: This option also lets you give people outside of your organization
access to the group. Members of a Microsoft 365 group can only include users.
Owners of a Microsoft 365 group can include users and service principals. For more
info about Microsoft 365 Groups, see Learn about Microsoft 365 Groups.
Membership types:
Assigned: Lets you add specific users as members of a group and have unique
permissions.
Dynamic user: Lets you use dynamic membership rules to automatically add and remove
members. If a member's attributes change, the system checks your dynamic group
rules for the directory to see whether the member now meets the rule requirements
(is added) or no longer meets them (is removed).
Dynamic device: Lets you use dynamic group rules to automatically add and remove
devices. If a device's attributes change, the system checks your dynamic group
rules for the directory to see whether the device now meets the rule requirements
(is added) or no longer meets them (is removed).
Important
You can create a dynamic group for either devices or users, but not for both. You
can't create a device group based on the device owners' attributes. Device
membership rules can only reference device attributes. For more info about
creating a dynamic group for users and devices, see Create a dynamic group and
check status.
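The re-evaluation described above for dynamic user and device groups, as an added example that is not part of the original article and not Microsoft's code: a small Python evaluator for a simplified subset of the rule syntax (`user.department -eq "Sales"`, `and`/`or`/`not`, parentheses). The operator set, the keyword spelling and the case-insensitive string comparison are assumptions of this demo, and the user and device records in the usage are constructed. The parser enforces the point of the Important note: a user rule may only reference `user.` attributes and a device rule only `device.` attributes, and one group is for one object type.

```python
import re

# Added example (not Microsoft's code): evaluates a small subset of the Entra
# dynamic membership rule syntax; operators and keyword spelling are assumptions.
TOKEN_RE = re.compile(r'''\s*(?:
      (?P<lparen>\()
    | (?P<rparen>\))
    | (?P<string>"(?:[^"\\]|\\.)*")
    | (?P<op>-(?:eq|ne|startsWith|contains))
    | (?P<prop>(?:user|device)\.[A-Za-z0-9_]+)
    | (?P<kw>(?:and|or|not|true|false|null)\b)
    | (?P<bad>\S)
    )''', re.VERBOSE | re.IGNORECASE)
LITERALS = {"true": True, "false": False, "null": None}


def tokenize(rule):
    tokens = []
    for m in TOKEN_RE.finditer(rule):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":
            raise ValueError(f"unexpected character {text!r} in rule")
        tokens.append((kind, text.lower() if kind in ("kw", "op") else text))
    return tokens + [(None, None)]  # end-of-input sentinel


def compile_rule(rule, object_type):
    """Parse a rule for a user group or a device group (one object type, never both)."""
    if object_type not in ("user", "device"):
        raise ValueError("a dynamic group is for users or for devices, not both")
    tokens, pos = tokenize(rule), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_binary(keyword, operand):  # left-associative chain of and / or
        node = operand()
        while tokens[pos] == ("kw", keyword):
            take()
            node = (keyword, node, operand())
        return node

    parse_and = lambda: parse_binary("and", parse_not)
    parse_or = lambda: parse_binary("or", parse_and)

    def parse_not():
        kind, text = take()
        if (kind, text) == ("kw", "not"):
            return ("not", parse_not())
        if kind == "lparen":
            node = parse_or()
            if take()[0] != "rparen":
                raise ValueError("missing closing parenthesis")
            return node
        if kind != "prop":
            raise ValueError(f"expected an attribute, got {text!r}")
        prefix, attr = text.split(".", 1)
        if prefix.lower() != object_type:  # user rules see user.*, device rules device.*
            raise ValueError(f"a {object_type} rule cannot reference {text}")
        op_kind, op = take()
        if op_kind != "op":
            raise ValueError(f"expected an operator after {text}, got {op!r}")
        kind, value = take()
        if kind == "string":
            return ("cmp", op, attr, value[1:-1])
        if kind == "kw" and value in LITERALS:
            return ("cmp", op, attr, LITERALS[value])
        raise ValueError(f"expected a value after {op}, got {value!r}")

    ast = parse_or()
    if tokens[pos][0] is not None:
        raise ValueError("unexpected trailing tokens")
    return ast


def evaluate(node, attrs):
    if node[0] in ("and", "or"):
        left, right = evaluate(node[1], attrs), evaluate(node[2], attrs)
        return (left and right) if node[0] == "and" else (left or right)
    if node[0] == "not":
        return not evaluate(node[1], attrs)
    _, op, attr, expected = node
    actual = attrs.get(attr)  # a missing attribute behaves like null
    if op in ("-eq", "-ne"):
        norm = lambda v: v.lower() if isinstance(v, str) else v
        return (norm(actual) == norm(expected)) == (op == "-eq")
    if not (isinstance(actual, str) and isinstance(expected, str)):
        return False  # -startsWith and -contains never match null or non-string values
    actual, expected = actual.lower(), expected.lower()
    return actual.startswith(expected) if op == "-startswith" else expected in actual


def reconcile(ast, objects, current_members):
    """Re-evaluate after attribute changes; return (members, added, removed)."""
    wanted = {oid for oid, attrs in objects.items() if evaluate(ast, attrs)}
    return wanted, wanted - current_members, current_members - wanted
```

`reconcile()` is the step the article describes as the system looking at the rule after an attribute change: call it with the current attribute records and the previous member set, and it returns the new member set together with who was added and who was removed. For example, with a rule `(user.department -eq "Sales") and (user.country -eq "US")` compiled for `"user"`, a constructed user whose department changes from Sales to Finance shows up in the removed set on the next call, and compiling `user.department -eq "Sales"` for a `"device"` group is rejected before any evaluation happens.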
Ways to assign access rights
Direct assignment. The resource owner directly assigns the user to the resource.
Group assignment. The resource owner assigns a Microsoft Entra group to the
resource, which automatically gives all of the group members access to the
resource. Group membership is managed by both the group owner and the resource
owner, letting either owner add or remove members from the group. For more
information about managing group membership, see the Manage groups article.
Rule-based assignment. The resource owner creates a group and uses a rule to define
which users are assigned to a specific resource. The rule is based on attributes
that are assigned to individual users. The resource owner manages the rule,
determining which attributes and values are required to allow access to the
resource. For more information, see Create a dynamic group and check status.
External authority assignment. Access comes from an external source, such as an
on-premises directory or a SaaS app. In this situation, the resource owner assigns
a group to provide access to the resource, and the external source then manages
the group members.
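The four assignment methods above, together with the nested-group note in the Security group type section, as one added Python model that is not the original article's or Microsoft's code (group, user and resource names, and the rule callable, are constructed). It makes the security-relevant distinctions concrete: a resource assignment evaluates a group's direct members only, so a user who reaches the group solely through nesting gets no access; a rule-based group derives its members from user attributes, so an attribute change revokes access without anyone editing the group; and a group owned by an external authority refuses local membership edits.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Added example (not Microsoft's code): a toy model of direct, group, rule-based
# and external-authority assignment, and of direct-only membership evaluation.


@dataclass
class Group:
    name: str
    direct_members: set = field(default_factory=set)   # user ids and/or nested group names
    rule: Optional[Callable[[dict], bool]] = None      # rule-based: computed from attributes
    external_source: Optional[str] = None              # e.g. on-premises AD; read-only here


class Directory:
    def __init__(self, users):
        self.users = users          # user id -> attribute dict (constructed sample data)
        self.groups = {}
        self.assignments = {}       # resource -> {"users": set(), "groups": set()}

    def add_group(self, group):
        self.groups[group.name] = group

    def add_member(self, group_name, member):
        """Direct membership edits are refused where another authority owns the list."""
        g = self.groups[group_name]
        if g.external_source:
            raise PermissionError(f"{g.name} is managed by {g.external_source}; edit it there")
        if g.rule is not None:
            raise PermissionError(f"{g.name} is rule-based; change the rule or the attributes")
        g.direct_members.add(member)

    def members(self, group_name):
        """Members as a resource assignment sees them: direct only, nesting not expanded."""
        g = self.groups[group_name]
        if g.rule is not None:
            return {uid for uid, attrs in self.users.items() if g.rule(attrs)}
        return set(g.direct_members)

    def transitive_members(self, group_name, seen=None):
        """Users reachable through nesting; shown only to contrast with members()."""
        seen = set() if seen is None else seen
        users = set()
        for m in self.members(group_name):
            if m not in self.groups:
                users.add(m)
            elif m not in seen:
                seen.add(m)
                users |= self.transitive_members(m, seen)
        return users

    def _slot(self, resource):
        return self.assignments.setdefault(resource, {"users": set(), "groups": set()})

    def assign_user(self, resource, user_id):      # direct assignment
        self._slot(resource)["users"].add(user_id)

    def assign_group(self, resource, group_name):  # group, rule-based or external assignment
        self._slot(resource)["groups"].add(group_name)

    def has_access(self, resource, user_id):
        slot = self.assignments.get(resource, {"users": set(), "groups": set()})
        return user_id in slot["users"] or any(user_id in self.members(g) for g in slot["groups"])


def build_demo():
    """Constructed sample tenant exercising each assignment mode."""
    d = Directory({"alice": {"department": "Sales"}, "bob": {"department": "Engineering"},
                   "carol": {"department": "Sales"}, "dave": {"department": "Finance"}})
    d.add_group(Group("crm-users", direct_members={"alice", "eng-leads"}))  # eng-leads is nested
    d.add_group(Group("eng-leads", direct_members={"bob"}))
    d.add_group(Group("all-sales", rule=lambda u: u.get("department") == "Sales"))
    d.add_group(Group("finance-synced", direct_members={"dave"},
                      external_source="on-premises Active Directory"))
    d.assign_group("crm", "crm-users")              # group assignment
    d.assign_group("sales-reports", "all-sales")    # rule-based assignment
    d.assign_group("erp", "finance-synced")         # external authority assignment
    d.assign_user("wiki", "dave")                   # direct assignment
    return d
```

In `build_demo()`, `bob` is a member of `eng-leads`, which is nested in `crm-users`, so `transitive_members("crm-users")` lists him but `has_access("crm", "bob")` is false: exactly the situation the nested-group note warns about. When reviewing who can reach a resource, compare the two views rather than trusting the nested structure.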