Skip to Content
IdentityUser GroupsAll Groups

All Groups

Manage Microsoft Entra ID groups including Security Groups, Microsoft 365 Groups, Distribution Lists, and Dynamic Groups. Control access, licensing, and email distribution.

Group Types

Security Groups

Used for access control and license assignment. Can be assigned to apps, SharePoint sites, and Conditional Access policies. No email capability unless mail-enabled.

Use cases: Application access, license assignment, Conditional Access targeting

Microsoft 365 Groups

Collaboration-focused groups that provision shared resources: mailbox, calendar, SharePoint site, Planner, and optionally a Team. Members get automatic access to all associated resources.

Use cases: Project teams, departments, cross-functional groups

Distribution Lists

Email-only groups for sending messages to multiple recipients. No access control capabilities. Can include external contacts as members.

Use cases: All-staff announcements, department newsletters

Mail-Enabled Security Groups

Hybrid of security and distribution groups. Provides both access control and email distribution capability. Useful when you need one group for both purposes.

Use cases: SharePoint site access + email notifications

Dynamic Groups

Membership automatically determined by rules based on user/device attributes. Requires Azure AD Premium P1. Can be security or M365 group type.

Example rule: (user.department -eq "Sales")

Group List

The main table displays:

ColumnDescription
Display NameGroup name with type indicator badge
EmailMail address (if mail-enabled)
TypeSecurity, M365, Distribution, Dynamic
MembersMember count (users and nested groups)
OwnersNumber of group owners
SourceCloud or Synced from on-premises AD
Has TeamWhether Teams is provisioned (M365 groups)

Creating a Group

Click “Add Group” and configure:

Group Type

Select Security, M365, or Distribution

Group Name

Display name. For M365 groups, also creates email alias.

Description

Optional description for self-service discovery

Membership Type

Assigned (manual) or Dynamic (rule-based). Dynamic requires P1 license.

Owners

Users who can manage group membership. At least one owner required.

Members

Initial members (can add more later). For dynamic groups, preview rule results.

Warning: M365 Group Options: When creating M365 groups, additional settings are available:

  • Privacy — Public (discoverable) or Private
  • Create Team — Automatically provision a Teams team
  • Send Copies — Members receive email in personal inbox
  • Allow External Senders — Receive email from outside org

Dynamic Group Rules

Example membership rules:

// All Sales department members
(user.department -eq "Sales")

// All managers
(user.jobTitle -contains "Manager")

// All US employees with E3 license
(user.usageLocation -eq "US") -and (user.assignedPlans -any (assignedPlan.servicePlanId -eq "xxx"))

// All Windows devices
(device.deviceOSType -eq "Windows")

Group-Based Licensing

Assign licenses to a group instead of individual users. When users join the group, they automatically receive the assigned licenses. Requires Azure AD Premium.

  • Assign Licenses — Select which SKUs to assign to group members
  • Service Plans — Toggle individual services within each SKU
  • Processing Status — View pending, succeeded, and failed assignments
  • Error Handling — Resolve conflicts when users have direct assignments

Group Detail View

Click a group to see tabs:

  • Overview — Group info, member count, creation date
  • Members — List of members with add/remove capability
  • Owners — Manage group owners
  • Settings — Email settings, privacy, Team settings
  • Licenses — Group-based license assignments
  • Nested Groups — Groups that are members of this group
  • Member Of — Groups this group belongs to

Graph API Endpoints

  • GET /groups — List all groups
  • POST /groups — Create group
  • GET /groups/{id}/members — Get members
  • POST /groups/{id}/members/$ref — Add member
  • DELETE /groups/{id}/members/{userId}/$ref — Remove member
  • POST /groups/{id}/assignLicense — Assign licenses

API Reference

  • GET /api/user-management-identity/groups — List groups with type filter
  • POST /api/user-management-identity/groups — Create new group
  • GET /api/user-management-identity/groups/:groupId/members — Get group members
  • POST /api/user-management-identity/groups/:groupId/members — Add members to group
  • DELETE /api/user-management-identity/groups/:groupId/members/:userId — Remove member from group
Last updated on
Add GroupDistribution Lists