Learn about groups and access rights in Microsoft Entra ID

Microsoft Entra ID provides several ways to manage access to resources, applications, and tasks. With Microsoft Entra groups, you can grant access and permissions to a group of users instead of for each individual user. Limiting access to Microsoft Entra resources to only those users who need access is one of the core security principles of Zero Trust.

This article provides an overview of how groups and access rights can be used together to make managing your Microsoft Entra users easier while also applying security best practices.

Microsoft Entra ID lets you use groups to manage access to applications, data, and resources. Resources can be:

• Part of the Microsoft Entra organization, such as permissions to manage objects through roles in Microsoft Entra ID
• External to the organization, such as for Software as a Service (SaaS) apps
• Azure services
• SharePoint sites
• On-premises resources

Some groups can't be managed in the Azure portal:

• Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.
• Distribution lists and mail-enabled security groups are managed only in Exchange admin center or Microsoft 365 admin center. You must sign in to Exchange admin center or Microsoft 365 admin center to manage these groups.

What to know before creating a group

There are two group types and three group membership types. Review the options to find the right combination for your scenario.

Group types:

Security: Used to manage user and computer access to shared resources.

For example, you can create a security group so that all group members have the same set of security permissions. Members of a security group can include users, devices, service principals, and other groups (also known as nested groups), which define access policy and permissions. Owners of a security group can include users and service principals.

Note

When nesting an existing security group to another security group, only members in the parent group will have access to shared resources and applications. Nested group members don't have the same assigned membership as the parent group members. For more info about managing nested groups, see How to manage groups.

Microsoft 365: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.

This option also lets you give people outside of your organization access to the group. Members of a Microsoft 365 group can only include users. Owners of a Microsoft 365 group can include users and service principals. For more info about Microsoft 365 Groups, see Learn about Microsoft 365 Groups.

Membership types:

• Assigned groups: Lets you add specific users as members of a group and have unique permissions.

• Dynamic membership group for users: Lets you use rules for users to automatically add and remove users as members. If a member's attributes change, the system looks at your rules for dynamic membership groups for the directory. The system checks to see whether the member meets the rule requirements (is added), or no longer meets the rules requirements (is removed).

• Dynamic membership group for devices: Lets you use rules for devices to automatically add and remove devices as members. If a device's attributes change, the system looks at your rules for dynamic membership groups for the directory to see whether the device meets the rule requirements (is added) or no longer meets the rules requirements (is removed).

  Important

  You can create a dynamic group for either devices or users, but not for both. You can't create a device group based on the device owners' attributes. Device membership rules can only reference device attributions. For more info about creating a dynamic group for users and devices, see Create a dynamic group and check status.

What to know before adding access rights to a group

After creating a Microsoft Entra group, you need to grant it the appropriate access. Each application, resource, and service that requires access permissions needs to be managed separately because the permissions for one might not be the same as another. Grant access using the principle of least privilege to help reduce the risk of attack or a security breach.

How access management in Microsoft Entra ID works

Microsoft Entra ID helps you give access to your organization's resources by providing access rights to a single user or to an entire Microsoft Entra group. Using groups lets the resource owner or Microsoft Entra directory owner assign a set of access permissions to all the members of the group. The resource or directory owner can also give management rights to someone such as a department manager or a help desk administrator, letting that person add and remove members. For more information about how to manage group owners, see the Manage groups article.

Ways to assign access rights

After creating a group, you need to decide how to assign access rights. Explore the ways to assign access rights to determine the best process for your scenario.

• Direct assignment. The resource owner directly assigns the user to the resource.

• Group assignment. The resource owner assigns a Microsoft Entra group to the resource, which automatically gives all of the group members access to the resource. Both the group owner and the resource owner manage group membership, letting either owner add or remove members from the group. For more information about managing group membership, see the Managed groups article.

• Rule-based assignment. The resource owner creates a group and uses a rule to define which users are assigned to a specific resource. The rule is based on attributes that are assigned to individual users. The resource owner manages the rule, determining which attributes and values are required to allow access the resource. For more information, see Create a dynamic group and check status.

• External authority assignment. Access comes from an external source, such as an on-premises directory or a SaaS app. In this situation, the resource owner assigns a group to provide access to the resource and then the external source manages the group members.

  

Can users join groups without being assigned?

The group owner can let users find their own groups to join, instead of assigning them. The owner can also set up the group to automatically accept all users that join or to require approval.

After a user requests to join a group, the request is forwarded to the group owner. If required, the owner can approve the request and the user is notified of the group membership. If you have multiple owners and one of them disapproves, the user is notified, but isn't added to the group. For more information and instructions about how to let your users request to join groups, see Set up Microsoft Entra ID so users can request to join groups.

Best practices for managing groups in the cloud

The following are best practices for managing groups in the cloud:

• Enable Self-Service Group Management: Allow users to create and manage their own Microsoft 365 (M365) groups. This empowers teams to organize themselves while reducing the administrative burden on IT. Apply a Group Naming Policy to block the use of restricted words and ensure consistency. Prevent inactive groups from lingering by enabling group expiration policies. This automatically deletes unused groups after a specified period, unless renewed by a group owner. For more information, see Set up self-service group management in Microsoft Entra ID
• Leverage Sensitivity Labels: Use sensitivity labels to classify and govern M365 groups based on their security and compliance needs. This provides fine-grained access controls and ensures that sensitive resources are protected. For more information, see Assign sensitivity labels to Microsoft 365 groups in Microsoft Entra ID
• Automate Membership with Dynamic Groups: Implement dynamic membership rules to automatically add or remove users and devices from groups based on attributes like department, location, or job title. This minimizes manual updates and reduces the risk of lingering access. This feature applies to M365 groups and Security Groups.
• Conduct Periodic Access Reviews: Use Entra Identity Governance capabilities to schedule regular access reviews. These ensure that membership in assigned groups remains accurate and relevant over time. For more information, see Create or update a dynamic membership group in Microsoft Entra ID
• Manage Membership with Access Packages: Create access packages with Entra Identity Governance to streamline the management of multiple group memberships. Access packages can:
  • Include approval workflows for membership
  • Define criteria for access expiration
  • Provide a centralized way to grant, review, and revoke access across groups and applications For more information, see Create an access package in entitlement management
• Assign Multiple Group Owners: Assign at least two owners to a group to ensure continuity and reduce dependencies on a single individual. For more information, see Manage Microsoft Entra groups and group membership
• Use Group Based Licensing: Group based licensing simplifies user provisioning and ensures consistent license assignments. You can also use dynamic membership groups to automatically manage licensing for users meeting specific criteria. For more information, see What is group-based licensing in Microsoft Entra ID?
• Enforce Role Based Access Controls (RBAC): Assign roles (e.g. Group Admin) to control who can manage groups. RBAC reduces the risk of privilege misuse and simplifies group management. For more information, see Overview of role-based access control in Microsoft Entra ID

Next steps

• Create and manage Microsoft Entra groups and group membership
• Learn about group-based licensing in Microsoft Entra ID
• Manage access to SaaS apps using groups
• Manage rules for dynamic membership groups
• Learn about Privileged Identity Management (PIM) for Microsoft Entra roles