How to Use Dynamic Membership Rules in Entra ID

Many organizations control access to internal systems by simply relying on whether or not an account is enabled. However, users often change roles throughout their careers within a single organization. For example, a user might start as an intern in one department and then be hired full-time in another department. After a few years, they might go back to school for further training and then switch departments again. At this point, the user might still have access to resources in three different areas, even though most are no longer relevant to their role in the organization.

Another example of access control issues is in situations where the line between multiple roles on a single account is blurred (e.g., students, affiliates, and employees). Simply disabling someone’s account when they leave a role would mean a loss of access to resources they may still need as part of another role. For example, a university employee might quit their on-campus job but still be a student at the institution. Completely disabling this person’s account might prevent them from completing their coursework. Entra ID (formerly Azure Active Directory) access reviews can help with this problem by forcing the user, a manager, or an administrator to periodically attest to the user’s need for access. However, it could be several months before the user’s access is cleaned up. In addition, this approach does not scale well for groups that may include thousands of individuals.

Fortunately, Entra ID offers a solution to help automate access control.

Automated Access Control

You probably have a lot of attributes already set in your Entra tenant, such as department, manager, location, etc. You also have 15 built-in “extension” attributes that can contain whatever value you would like, along with the ability to extend the schema through a custom app registration . Ideally, these attributes are automatically maintained from a source of record, such as your HR system. This allows your Entra tenant to automatically update whenever someone in your HR department makes an update in the HR system for an employee. (As a side note, if you do not have automated inbound provisioning set up for either your on-premises AD or Entra ID environment, reach out to our experts for help.)

You can leverage your automated attributes to create an “access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy” ( NIST 800-162 ). In more informal language, you should set up access to be automatically controlled based on the values of those attributes, instead of using manually maintained groups.

Let’s get started!

Natural Language Policy

When automating access control policies, whether you are using dynamic membership rules on a group in Entra ID, a different automated group management tool, or even custom scripts, you should first think about and describe the access you want to grant in “natural language.”

For example, rather than saying “I want the group to be populated by all users that have extensionAttribute12 set to ‘yes’,” consider using clearer or more natural language such as “I want the group to be populated by all users who have completed security training.”

Outlining your access policies in natural language does two things. First, it allows you to talk about the policies at a level that everyone in the organization can understand. For example, how many people outside your identity and access management (IAM) team know what extensionAttribute12 means or what specific values mean? Second, outlining your policies keeps you from jumping to a technical solution before fully understanding and vetting with stakeholders what the policy might entail. For example, suppose there is more to completing compliance training than you originally thought—such as the training is only required for employees working in Wisconsin. Your original description of the policy on a technical level probably would not have met that requirement, but you wouldn’t have realized it if you had not discussed the potential policy in “natural language” first.

Once you have written out your policy in natural language and vetted it with the relevant stakeholders, you can use dynamic membership rules on a group in Entra ID to implement the policy.

Dynamic Membership Rules in Entra ID

Entra’s dynamic membership rules feature allows you to use any attributes from Entra ID’s base set or custom extension properties from an app registration to construct groups that automatically add and remove members based on those attributes’ values. Dynamic group membership can be either Microsoft 365 or Security groups.

To use dynamic membership rules, you need at least enough Entra ID P1 or P2 licenses for the number of members that will be in the group. However, each user does not need a P1 license assigned in order to be added to a group with a dynamic membership as long as there are at least as many P1/P2 licenses as members to be added.

We have a variety of query operators to work with and are not constrained by simple attribute = value. For example, we can set up expressions based on an attribute containing a certain string, starting with a particular value, or being in a list of values. We can even use a match operator and use a regular expression for extra-complicated rules.

Membership rules can contain multiple expressions joined by or, and, and not. However, we discourage the use of not whenever possible and suggest constructing only positive rules in order to avoid accidentally removing someone.

For instance, suppose a user has two locations represented as “ Medical Center ; Business School ” in a single-valued attribute and we set up a rule to include everyone who is not in the medical school. Although our intention is to still include this person since they also have a location in the business school, we have accidentally removed them. In this case, it would be better to use the “-contains” operator on the location attribute to positively represent all the buildings joined together by “-or” instead of trying to subtract only the medical center.

Policy Implementation

Next we’ll learn how to implement two policies:

  1. All employees on the identity and access management (IAM) team
  2. All employees who work in the medical center and have completed HIPAA training To carry out this implementation, we’ll use dynamic membership rules in Entra ID that can then be assigned to any Microsoft 365 resource or used to grant access to a particular set of applications.

Let’s get started with a simple example.

Example 1: All Employees on the IAM Team

Dynamic Membership Rules Editor

Selecting “Add dynamic query” will take you to the dynamic membership rules editor. In this simple example, we are just looking for an exact value of “Central IT/Identity and Access Management” in the department attribute, as the following screenshot shows.

You do not need to create the group to validate that your membership rules are working as intended. Clicking the Validate Rules tab will take you to a window where you can add a select set of users and validate whether or not a user would end up in a group.

But suppose you actually wanted all of the Central IT employees instead of a specific team. Then, you could change the membership rule to simply match any string starting with “Central IT” if you wanted to create a group of all employees in Central IT. The following screenshot shows an example.

Note: You can edit the dynamic membership rules after a group is created. You do not need to recreate the group if your business rules change and you continue to use the same group.

Once you are done creating your rules, click Save. Finish creating the group as you would any regular Entra group.

Validating the Group

Even though you just created the group, you will see that it has not populated yet. On the Overview pane of the group, you will see two important boxes: “Dynamic rule processing status” and “Last membership change.”

Since membership changes are handled asynchronously in the background and can take up to 24 hours in large tenants, this is a quick way to see if your group has refreshed or not when looking for missing (or extra) members. In a smaller tenant, you can usually expect the group membership to update within a few minutes.

Now let’s move on to a more complicated example where we use two attributes (including a custom attribute) to create a Microsoft 365 group.

Example 2: All Employees Who Work in the Medical Center and Have Completed HIPAA Training

In this example, the organization has purchased some compliance training software that records training status in a custom attribute as part of an app registration. The example organization has employees working in a variety of locations and departments. We are particularly interested in those at the medical center.

Unfortunately, the compliance training software uses only a single attribute to store completion status for multiple training courses (Family Educational Rights and Privacy Act—FERPA, HIPAA, cybersecurity training, in-house policy training, etc.). The courses appear in no particular order and are not always present for a user within the attribute; for example:

“CYBER: YES”, “HIPPA: NO | CYBER: YES”, “CYBER: NO | HIPPA: YES”

As in the first example, create your dynamic membership group and click Add Dynamic Query.

Next, you need to add into the membership rules editor the application registration that contains the custom attribute(s) so that you can use it in creating the rule. Click “Get custom extension properties” and enter the app ID from the application. Click Refresh Properties.

The custom attribute is now available in the Property drop-down menu as:

as the following screenshot shows.

The rule looks for individuals with the attribute TrainingStatus containing “HIPAA: YES” and who are also in a building location starting with “Hospital.” Since the office locations (known in the drop-down menu as physicalDeliveryOfficeName) are a combination of building name and room number, we use the “Starts With” operator—but we could also use a regular expression with the -matches operator.

We can use the Validate Rules panel to make sure the rule is working as intended. You may want to find some examples of individuals who have completed the HIPAA training but work elsewhere, and vice versa. Fine-tuning your rules will be particularly important as they get more complex.

Create your group and wait for the initial processing to finish.

Validating the Group and Automatic Changes

After the initial processing has completed, you can use the group to drive access to specific resources. Just be careful switching over from a hand-maintained group because you might find, for example, that a few employees have lost access because they have not yet completed the training. But thanks to the dynamic membership rules, the group is automatically updated as the compliance software marks a user as having completed the training.

Entra ID periodically scans for any changes. In a smaller tenant, within a few minutes of completing the training a user will be added to the group. To help answer access questions, the audit logs can be helpful in troubleshooting when someone was added to or removed from the group. The following screenshot shows an example.

The group in the example above was created at 3:52 P.M., the initial refresh finished at 3:53 P.M., and user2 completed the training and was automatically added to the group at 3:55 P.M. You would see similar rows for removals from the group. If user2 had called the service desk at 3:54 P.M. to report that they could not access a resource, you would know the reason from looking at the audit log. You would also know that they would have had access starting at 3:55 P.M.

Using dynamic membership rules, you no longer need to worry about adding and removing employees from access groups as their mandatory trainings fall in and out of compliance. Additionally, if any of your employees change job locations, they will not retain access to resources simply because they completed the training. The combination of job location plus compliance training status controls their access.

Final Thoughts

As you can see from the examples in this blog, the automation possibilities are almost endless. Determining the business rules you want to implement around automated provisioning and de-provisioning of access to applications can be a daunting task. Fortunately, the experts at Ravenswood Technology Group have the business and technical expertise to help you make those decisions.

If your organization needs assistance in this area, we can walk you through the design and implementation of dynamic membership rules on groups in Entra ID. Or if you have an existing access control or grouping tool you would like to integrate with Entra ID, we are here to help. Contact our experts today!

Partner with Microsoft experts you can trust

If it’s time to take that first step toward leveling up your organization’s security, get in touch with Ravenswood to start the conversation. 

[RELEVANT BLOG CONTENT]