
Group types in Microsoft Entra ID: differences, use, and synchronization

Nov 17, 2025 (last update) | DynamicSync

Groups play a key role in Entra ID and organize access rights, license assignments, and resource control. Administrators have a wide range of different group types at their disposal, both from the cloud and from the local Active Directory.

This article explains the most important differences, areas of application, and management options.

We will show you how you can synchronize Entra groups with each other using our cloud solution DynamicSync. Even without a P1 license, you can use filters to assign group members in the best possible way (even nested filters are possible).

DynamicSync enables group synchronization in Entra ID

Index

  • All group types in Microsoft Entra ID
    • Cloud-native groups
      • Security groups (Cloud)
      • Microsoft 365 (M365) groups (Cloud)
      • Email-enabled security groups (Cloud)
      • Distribution groups (email-enabled, cloud)
    • Groups from the local Active Directory
      • Security groups (on-premises Active Directory)
      • Email-enabled security groups (on-premises Active Directory)
      • Distribution groups (email-enabled, on-premises Active Directory)
  • Quick overview: Entra ID group types and purpose
  • DynamicSync enables synchronization between Entra ID groups
  • Important aspects of managing Entra ID groups
    • Membership types and group dynamics
    • License assignment by group
    • Security aspects of dynamic groups
    • Group-based role assignment
    • Additional administrative functions
  • Conclusion
  • Synchronize Entra ID groups with each other – Try it now

All group types in Microsoft Entra ID

Microsoft Entra ID supports various group types. You can roughly divide them into cloud-native groups and groups transferred from the local Active Directory to the cloud via Entra Connect. These two group categories differ both in their technical architecture and in their usage scenarios:

Cloud-native groups

Security groups (Cloud)

Cloud-based security groups control access rights to applications, resources, and services in M365 and Entra. Administrators can manage them manually (“assigned”) or dynamically. They are often used for role assignments, application access, or administrative roles.

Dynamic security groups are particularly flexible because they can automatically update their membership based on attributes. This requires an Entra ID P1 or P2 license.

Microsoft 365 (M365) groups (Cloud)

These group types bundle users, permissions, and resources for collaboration. An M365 group automatically creates a shared mailbox, calendar, OneDrive directory, and SharePoint website.

It is ideal for teams, projects, or departments with a collaborative focus. Microsoft Teams also uses M365 groups as its technical foundation in the background.

Dynamic group memberships are also possible, but require a corresponding license.

💡 Dynamic groups are possible for both security groups and M365 groups, are based on attribute filters, and automatically update their memberships.

Email-enabled security groups (Cloud)

Entra ID also features email-enabled security groups that combine security features with email communication.

These groups work well when user groups require access to resources and need to be contacted directly by email.

❌ However, dynamic management is not possible.

Distribution groups (email-enabled, cloud)

These groups are created directly in the cloud and serve exclusively for email communication via Exchange Online.

Administrators can create and manage them only via the Exchange Admin Center. The focus is on distributing messages to user groups in the cloud.

❌ Access control is not provided here.

Groups from the local Active Directory

Security groups (on-premises Active Directory)

Security groups in the local Active Directory primarily control access to local files, printers, and internal applications.

☁️ Entra Connect can synchronize these groups with Entra ID, making them usable in the cloud.

Email-enabled security groups (on-premises Active Directory)

Email-enabled security groups combine access protection with email functionality and are used in classic (local) Exchange environments.

☁️ Synchronization in Entra ID is possible.

For many organizations, they are indispensable in hybrid integrated scenarios. The groups can be used to send emails to the members of security groups.

❌ However, dynamic management is not provided.

Distribution groups (email-enabled, on-premises Active Directory)

Email-enabled groups in Active Directory serve exclusively to send emails to multiple recipients. Many companies use them for internal newsletters, circulars, or general announcements.

☁️ Entra Connect can transfer these groups to the cloud.

❌ There is no provision for managing access rights. The groups lack the ability to control permissions.

Quick overview: Entra ID group types and purpose

Category | Group type | Primary purpose
Access control | Security group | Resource rights management
Collaboration | M365 group | Communication & collaboration
Email communication | Distribution group | Email distribution list
Combination of access + email | Email-enabled security group | Rights to resources as well as direct email communication
Automation | Dynamic group | Automatic member assignment
Hybrid integration | Synchronized group | Synchronized via Entra Connect
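
The categories above can be derived from the properties Microsoft Graph returns for a group (groupTypes, mailEnabled, securityEnabled, onPremisesSyncEnabled). The following is an added example, not part of the original article or of DynamicSync; the function names and the sample records are constructed for illustration.

```python
# Added example: map Microsoft Graph group properties to the article's
# group categories. All sample records below are constructed.

def classify_group(g):
    """Return (group_type, membership, origin) for one Graph group record."""
    types = g.get("groupTypes") or []
    mail = bool(g.get("mailEnabled"))
    sec = bool(g.get("securityEnabled"))
    if "Unified" in types:
        kind = "M365 group"
    elif sec and mail:
        kind = "Email-enabled security group"
    elif sec:
        kind = "Security group"
    elif mail:
        kind = "Distribution group"
    else:
        kind = "Unclassified"
    membership = "Dynamic" if "DynamicMembership" in types else "Assigned"
    # onPremisesSyncEnabled is null/absent for groups created in the cloud.
    origin = "Synchronized" if g.get("onPremisesSyncEnabled") else "Cloud"
    return kind, membership, origin

def inventory(groups):
    """Build one report row per group; access_control mirrors the
    securityEnabled flag Graph reports for the group."""
    rows = []
    for g in groups:
        kind, membership, origin = classify_group(g)
        rows.append({"name": g["displayName"], "type": kind,
                     "membership": membership, "origin": origin,
                     "access_control": bool(g.get("securityEnabled"))})
    return rows

SAMPLE_GROUPS = [  # constructed records, shaped like Graph group objects
    {"displayName": "SG-VPN-Users", "groupTypes": [],
     "mailEnabled": False, "securityEnabled": True},
    {"displayName": "Project-Phoenix", "groupTypes": ["Unified", "DynamicMembership"],
     "mailEnabled": True, "securityEnabled": False},
    {"displayName": "DL-Newsletter", "groupTypes": [],
     "mailEnabled": True, "securityEnabled": False, "onPremisesSyncEnabled": True},
    {"displayName": "SG-Finance-Mail", "groupTypes": [],
     "mailEnabled": True, "securityEnabled": True, "onPremisesSyncEnabled": True},
]

if __name__ == "__main__":
    for row in inventory(SAMPLE_GROUPS):
        print(row)
```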

DynamicSync enables synchronization between Entra ID groups

FirstAttribute’s cloud solution DynamicSync significantly expands the possibilities of hybrid group management.

💡 Specifically, DynamicSync allows for the targeted synchronization of members between different group types, something that Microsoft cannot do.

DynamicSync synchronizes all group types in Entra ID.

DynamicSync automatically synchronizes groups four times per hour, keeping all groups and members up to date.

For example, you can transfer members of a locally managed distribution group synced to the cloud into a cloud-based security group to enforce automated access rules.

DynamicSync also supports include/exclude logic and complex (nested) filters based on attributes.

This allows administrators to structure hybrid environments more precisely and in an application-oriented manner.

Important aspects of managing Entra ID groups

Membership types and group dynamics

Entra ID distinguishes between three membership types:

  • Assigned (manually)
  • Dynamic (users or devices)
  • Membership based on “member of”

Administrators select the membership type during creation, and it cannot be changed later.

Assigned: Administrators manually add or remove users, groups, or devices as members. This method is often used for smaller groups or special access scenarios where administrators want to retain full control over the member list.

Dynamic: These group memberships are automatically determined by rules based on user or device properties. Changes to attributes (e.g., job title, department) automatically result in an adjustment to group membership. A Microsoft Entra ID P1 license is required for dynamic memberships.

Dynamic memberOf group: This group type builds on existing group relationships: Members are automatically added if they belong to other groups that are stored in the rule definition. This allows hierarchical group models with automatic inheritance.

License assignment by group

Dynamic groups are ideal for automated license assignment. If a user is automatically assigned to a group that contains a license configuration, they receive all assigned services without any manual intervention. When they leave the group, the licenses are removed again.

This reduces administrative effort and ensures consistent, role-based license assignment. An Entra ID P1 license is necessary. Especially in conjunction with maintained attributes from HR systems, this results in high efficiency and transparency in license management.

Security aspects of dynamic groups

Automatic group membership based on attributes brings new security aspects. Attackers with access to user objects could become members of privileged groups through targeted attribute manipulation, a membership the administrators never intended.

Protecting these attributes and restricting the assignment of change rights are therefore important factors. Access reviews, lifecycle workflows, and access packages help to regularly check and correct group memberships.
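
One way to review this exposure is to list which attributes each dynamic membership rule reads and compare them with the attributes that delegated roles can change. The following is an added example, not part of the original article; the WEAKLY_GOVERNED set, the group records, and the notion of a "sensitive" group list are assumptions to be replaced with your tenant's data.

```python
import re

# Assumption: attributes that delegated roles or feeds (helpdesk, HR import,
# self-service) can write in this tenant. Replace with your delegation model.
WEAKLY_GOVERNED = {"department", "jobtitle", "city", "extensionattribute1"}

ATTR_RE = re.compile(r"\b(?:user|device)\.(\w+)", re.IGNORECASE)
QUOTED_RE = re.compile(r"\"[^\"]*\"|'[^']*'")

def rule_attributes(rule):
    """Attributes a dynamic membership rule reads (lower-cased, sorted).
    Quoted literals are blanked first so values are not read as attributes."""
    bare = QUOTED_RE.sub('""', rule or "")
    return sorted({name.lower() for name in ATTR_RE.findall(bare)})

def audit_dynamic_groups(groups, sensitive_ids):
    """Report dynamic groups whose membership depends on weakly governed
    attributes. Groups in sensitive_ids (hypothetical list of groups that
    grant access to critical resources) are marked high priority."""
    findings = []
    for g in groups:
        if "DynamicMembership" not in (g.get("groupTypes") or []):
            continue  # assigned groups are not attribute-driven
        risky = [a for a in rule_attributes(g.get("membershipRule"))
                 if a in WEAKLY_GOVERNED]
        if risky:
            findings.append({
                "group": g["displayName"],
                "attributes": risky,
                "priority": "high" if g["id"] in sensitive_ids else "review",
            })
    return findings

GROUPS = [  # constructed records using Graph property names
    {"id": "g1", "displayName": "SG-Finance-App", "groupTypes": ["DynamicMembership"],
     "membershipRule": '(user.department -eq "Finance") -and (user.accountEnabled -eq true)'},
    {"id": "g2", "displayName": "SG-All-Managers", "groupTypes": ["DynamicMembership"],
     "membershipRule": 'user.jobTitle -contains "Manager"'},
    {"id": "g3", "displayName": "SG-Windows-Devices", "groupTypes": ["DynamicMembership"],
     "membershipRule": 'device.deviceOSType -eq "Windows"'},
    {"id": "g4", "displayName": "SG-Admins-Assigned", "groupTypes": [],
     "membershipRule": None},
]

if __name__ == "__main__":
    for finding in audit_dynamic_groups(GROUPS, sensitive_ids={"g1"}):
        print(finding)
```

Findings marked "high" are the groups where the write permissions on the listed attributes should be restricted or covered by an access review first.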

Group-based role assignment

Groups in Entra ID efficiently organize role-based access control (RBAC). Administrators can assign roles not only directly, but also based on groups.

You must activate this setting during creation. Subsequent changes are not possible.

⚠️ Dynamic groups are excluded from role assignments.

To establish consistent administrative structures, it is advisable to use dedicated groups for specific roles in conjunction with RBAC concepts.

Additional administrative functions

Entra ID offers additional administrative functions such as group expiration control and naming conventions. Expiration control lets you define automatic expiration times for groups; group owners are notified and can extend the group before it expires. A central naming policy also contributes to a better overview, for example, in the case of mass group management in larger organizations.

Conclusion

In the Entra Admin Center, you can create new groups, maintain existing groups, manage members, and define rules. You can name group owners directly via the portal.

The use of dynamic memberships is particularly recommended in organizations with high turnover or many role-based access concepts.

Combining this with DynamicSync opens up hybrid scenarios in which cloud and on-premises infrastructures interlock.

Synchronize Entra ID groups with each other – Try it now

DynamicSync is an automation solution for cloud groups from FirstAttribute AG. As a pure cloud service (SaaS), DynamicSync specializes in dynamic and automatic group synchronization in Entra ID.

In addition to the free online demo, our friendly staff are also available to answer your questions by phone. Call us on +49 81 969 984 330.

Article created on: 17.11.2025
Tags: group synchronization, membership types, role-based access control (RBAC)