Group Creation, Configuration, and Management
Group Creation, Configuration, and Management is a critical component of Microsoft Identity and Access Administration, enabling organizations to efficiently manage user access and permissions at scale.

**Group Creation:** In Microsoft Entra ID (formerly Azure AD), administrators can create two primary group types: Security Groups and Microsoft 365 Groups. Security groups are used for managing access to shared resources, while Microsoft 365 groups provide collaboration capabilities including shared mailboxes, calendars, and SharePoint sites. Groups can be created through the Entra Admin Center, PowerShell, Microsoft Graph API, or the Azure portal.

**Group Configuration:** Administrators can configure three membership types:
1. **Assigned** – Members are manually added and removed by administrators.
2. **Dynamic User** – Membership is automatically determined based on user attribute rules (e.g., department, job title, location).
3. **Dynamic Device** – Membership is based on device attributes (Security groups only).

Key configuration options include setting group owners, descriptions, membership rules, expiration policies, and naming policies. Administrators can also enable or restrict group creation permissions for end users through Entra ID settings.

**Group Management:** Ongoing management involves adding/removing members, reviewing memberships, assigning licenses, and controlling access to resources. Self-service group management allows users to request group membership or manage their own groups, reducing administrative overhead. Access Reviews can be configured to periodically validate group memberships, ensuring compliance and minimizing security risks.
Administrators can implement group-based licensing to automatically assign licenses based on group membership. Nested groups (groups within groups) are supported for security groups to simplify complex organizational structures. Best practices include implementing naming conventions, establishing expiration policies for Microsoft 365 groups to prevent sprawl, using dynamic groups to automate membership management, and regularly auditing group memberships through access reviews. These strategies ensure a secure, organized, and efficient identity management environment.
Group Creation, Configuration, and Management in Microsoft Entra ID (SC-300)
Why Is Group Creation, Configuration, and Management Important?
Groups are a foundational element of identity and access management in Microsoft Entra ID (formerly Azure Active Directory). They simplify the process of assigning access to resources, applications, and licenses at scale. Instead of managing permissions for each user individually, administrators can assign permissions to a group, and all members automatically inherit those permissions. For the SC-300 exam, understanding how groups work is critical because group management intersects with conditional access policies, entitlement management, privileged identity management, and application access controls.
What Is Group Creation, Configuration, and Management?
Group creation, configuration, and management refers to the lifecycle of groups within Microsoft Entra ID — from creating a group with a specific type and membership model, to configuring its properties and behaviors, to ongoing management of its members, owners, and settings. Microsoft Entra ID supports several types of groups, each serving different purposes:
1. Group Types:
- Security Groups: Used to manage access to shared resources (applications, SharePoint sites, etc.). These can be assigned to conditional access policies, used for role assignments, and leveraged in license assignments.
- Microsoft 365 Groups: Provide collaboration capabilities by giving members access to a shared mailbox, calendar, files, SharePoint site, Planner, and more. These are used primarily for collaboration scenarios.
2. Membership Types:
- Assigned: Members are manually added and removed by an administrator or group owner. This gives full control over who belongs to the group.
- Dynamic User: Membership is automatically determined by rules based on user attributes (e.g., department, jobTitle, city). When a user's attributes change and match the rule, they are automatically added; when they no longer match, they are removed.
- Dynamic Device: Similar to dynamic user groups but based on device attributes. Only available for Security groups, not Microsoft 365 groups.
How Does It Work?
Creating Groups:
Groups can be created through the Microsoft Entra admin center, Microsoft Graph API, PowerShell (Microsoft.Graph module), or the Azure CLI. When creating a group, you must specify:
- Group type (Security or Microsoft 365)
- Group name and description
- Membership type (Assigned, Dynamic User, or Dynamic Device)
- Owners (users responsible for managing the group)
- Members (for assigned groups)
- Dynamic membership rules (for dynamic groups)
Dynamic Membership Rules:
Dynamic membership rules use a syntax that evaluates user or device properties. For example:
(user.department -eq "Marketing") — this rule automatically includes all users whose department attribute equals "Marketing."
Rules can be combined using -and, -or, and -not operators. Complex rules can reference multiple attributes such as user.companyName, user.accountEnabled, user.userType, and extension attributes.
Important: Dynamic groups require a Microsoft Entra ID P1 or P2 license.
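To make the rule syntax above concrete, here is an added example (not code from the page or from Microsoft): a small evaluator for the operators the page lists (-eq, -ne, -startsWith, -contains, -match, -in, combined with -and, -or, -not and parentheses), run against constructed sample users. It assumes case-insensitive string comparison and the usual -not > -and > -or precedence; Entra's own evaluator is the authority, so parenthesise rules as the page's example does rather than relying on precedence.

```python
import re

def mk_user(department, jobTitle, accountEnabled=True, userType="Member"): return dict(locals())
SAMPLE_USERS = {"alice": mk_user("Marketing", "Manager"), "bob": mk_user("Sales", "Rep", userType="Guest"),
                "carol": mk_user("marketing", None, accountEnabled=False)}  # constructed data, not a real tenant
# One token per match: ( ) -operator "string" [list] or a bare word (user.department, true, false, null)
TOKEN = re.compile(r'\s*(?:(\()|(\))|(-\w+)|("(?:[^"\\]|\\.)*")|(\[[^\]]*\])|([\w.]+))')

def tokenize(rule):
    toks, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        if not (m := TOKEN.match(rule, pos)): raise ValueError(f"bad syntax at offset {pos}: {rule[pos:]!r}")
        toks.append(next(t for t in m.groups() if t is not None)); pos = m.end()
    return toks
def literal(tok):  # value token -> str, bool, None, or list (for -in)
    if tok.startswith('"'): return tok[1:-1]
    if tok.startswith('['): return [literal(t.strip()) for t in tok[1:-1].split(",") if t.strip()]
    return {"true": True, "false": False, "null": None}.get(tok.lower(), tok)
def s(v): return "" if v is None else str(v).lower()  # assumption: string comparisons are case-insensitive

OPS = {  # the operators the page lists; the right-hand side is already a Python value from literal()
    "-eq": lambda l, r: s(l) == s(r) if isinstance(r, str) else l == r,
    "-ne": lambda l, r: not OPS["-eq"](l, r), "-in": lambda l, r: any(OPS["-eq"](l, x) for x in r),
    "-startswith": lambda l, r: s(l).startswith(s(r)), "-contains": lambda l, r: s(r) in s(l),
    "-match": lambda l, r: re.search(r, s(l), re.IGNORECASE) is not None,
}

def evaluate_rule(rule, user):
    """True if `user` (an attribute dict) satisfies `rule`; precedence -not > -and > -or is an assumption."""
    toks = tokenize(rule)
    def peek(): return toks[0].lower() if toks else None
    def take(): return toks.pop(0)  # IndexError if the rule ends early
    def chain(kw, sub):  # left-to-right "-and"/"-or" chain; every operand is parsed even when the result is known
        v = sub()
        while peek() == kw: take(); v = (sub() and v) if kw == "-and" else (sub() or v)
        return v
    def expr(): return chain("-or", lambda: chain("-and", factor))
    def factor():
        if peek() == "-not": take(); return not factor()
        if peek() == "(":
            take(); v = expr()
            if take() != ")": raise ValueError("missing )")
            return v
        prop, op, val = take(), take().lower(), literal(take())
        return OPS[op](user.get(prop.partition(".")[2]), val)  # "user.department" -> attribute "department"
    result = expr()
    if toks: raise ValueError(f"unexpected token {toks[0]!r}")
    return result

def members_for_rule(rule, users=SAMPLE_USERS):  # names of the sample users a group with this rule would contain
    return sorted(name for name, attrs in users.items() if evaluate_rule(rule, attrs))
```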
Group-Based Licensing:
You can assign licenses (e.g., Microsoft 365 E5, EMS E5) to a group, and all members of that group automatically receive the license. When a user is removed from the group, the license is reclaimed. This is a powerful feature for automating license management at scale.
Self-Service Group Management:
Microsoft Entra ID allows administrators to enable self-service group management, which lets users create and manage their own groups (Security or Microsoft 365) without administrator intervention. This is configured through the Group settings in the Entra admin center. Administrators can control:
- Whether users can create Microsoft 365 groups
- Whether users can create Security groups
- Who can manage group membership
- Whether group naming policies are enforced
Group Naming Policies:
Administrators can configure naming policies that enforce prefixes or suffixes on Microsoft 365 group names (e.g., "GRP_" prefix) and block certain words from being used in group names. This helps maintain consistency and prevent inappropriate names.
Expiration Policies:
Microsoft 365 groups can have expiration policies configured. When enabled, group owners receive notifications before their group expires and must renew the group. If not renewed, the group is soft-deleted and can be restored within 30 days. This helps reduce group sprawl.
Group Writeback:
With Microsoft Entra Cloud Sync or Entra Connect Sync, Microsoft 365 groups can be written back to on-premises Active Directory as distribution groups or security groups. This enables hybrid scenarios where cloud-created groups need on-premises representation.
Role-Assignable Groups:
A special configuration allows groups to be designated as role-assignable at creation time. These groups can be assigned to Microsoft Entra ID roles (e.g., Global Administrator, User Administrator). This setting cannot be changed after the group is created. Role-assignable groups have stricter controls: only Global Administrators and Privileged Role Administrators can manage membership, and the group must use the Assigned membership type, because dynamic membership is not supported for groups that hold Entra role assignments (including assignments made through PIM).
Key Configuration Options:
- Visibility: Microsoft 365 groups can be Public (anyone can join) or Private (membership requires approval).
- Owners: Every group should have at least one owner. Owners can add or remove members, approve join requests, and manage group settings.
- Group settings via Microsoft Graph: Tenant-wide group settings can be managed using the groupSettings resource, which controls behaviors like whether guests can be added to groups, who can create groups, and usage guidelines URLs.
Nested Groups:
Microsoft Entra ID supports adding groups as members of other groups (group nesting). However, there are important limitations:
- Dynamic groups do not support nested groups as members.
- Group-based licensing does not process nested group memberships — only direct members receive licenses.
- Some features like conditional access evaluate nested group memberships, while others do not. Always verify feature-specific behavior.
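The licensing limitation above is easy to miss in a nested hierarchy, so here is an added example (not code from the page or from Microsoft) that contrasts what group-based licensing processes (direct members only) with what nesting-aware features resolve (transitive members). It runs over a constructed directory snapshot that includes a deliberate nesting cycle; in a real tenant the same contrast is the difference between a group's Graph `members` and `transitiveMembers` relationships.

```python
from collections import deque

# Constructed directory snapshot (not real tenant data): group -> its direct members.
# Names starting with "grp:" are groups, everything else is a user.
# grp:Engineering and grp:Platform nest each other on purpose to exercise cycle handling.
DIRECTORY = {
    "grp:All-Staff":   ["grp:Engineering", "grp:Sales", "dana"],
    "grp:Engineering": ["grp:Platform", "alice"],
    "grp:Platform":    ["bob", "grp:Engineering"],
    "grp:Sales":       ["carol"],
}

def is_group(name):
    return name.startswith("grp:")

def direct_users(group, directory=DIRECTORY):
    """What group-based licensing processes: only users listed directly on the group."""
    return sorted(m for m in directory.get(group, []) if not is_group(m))

def transitive_users(group, directory=DIRECTORY):
    """What nesting-aware features resolve: users reached through any depth of nesting (cycle-safe)."""
    seen, queue, users = {group}, deque([group]), set()
    while queue:
        for member in directory.get(queue.popleft(), []):
            if not is_group(member):
                users.add(member)
            elif member not in seen:          # skip groups already expanded, which also breaks cycles
                seen.add(member); queue.append(member)
    return sorted(users)

def licensing_gap(group, directory=DIRECTORY):
    """Users who belong only through nesting and therefore receive no licence assigned to this group."""
    return sorted(set(transitive_users(group, directory)) - set(direct_users(group, directory)))

def audit(directory=DIRECTORY):
    """Per group: the users a licence on that group would silently miss. Empty lists are the healthy case."""
    return {group: licensing_gap(group, directory) for group in directory}

if __name__ == "__main__":
    for group, missed in audit().items():
        print(f"{group}: direct={direct_users(group)} transitive={transitive_users(group)} unlicensed={missed}")
```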
Managing Groups at Scale:
For large organizations, PowerShell and Microsoft Graph API are essential tools. Common administrative tasks include:
- Bulk importing members using CSV files
- Auditing group membership changes via audit logs
- Reviewing group access through Access Reviews (part of Identity Governance)
- Using Administrative Units to delegate group management to specific administrators
Access Reviews for Groups:
Administrators can create access reviews that periodically ask group owners or designated reviewers to confirm that each member still needs access. Members who are not confirmed can be automatically removed. This is a key governance control for the SC-300 exam.
Exam Tips: Answering Questions on Group Creation, Configuration, and Management
1. Know the Differences Between Group Types: The exam frequently tests your understanding of Security groups vs. Microsoft 365 groups. Remember that Microsoft 365 groups provide collaboration features (mailbox, SharePoint site, etc.), while Security groups are primarily for access control. Dynamic Device membership is only available for Security groups.
2. Understand Dynamic Membership Rules: Expect scenario-based questions asking you to write or evaluate dynamic membership rules. Know the syntax, common operators (-eq, -ne, -contains, -match, -startsWith, -in), and which attributes are available for users vs. devices.
3. Remember Licensing Requirements: Dynamic groups require Microsoft Entra ID P1 or P2. Group-based licensing also requires P1 or P2. If a question mentions a free or basic tier, dynamic groups will not be available.
4. Role-Assignable Groups Are Immutable After Creation: A group must be marked as role-assignable at creation time — this cannot be changed later. Only Assigned membership is allowed for groups being used with Entra role assignments. These groups are tightly controlled.
5. Group Expiration Applies Only to Microsoft 365 Groups: Security groups do not support expiration policies. If a question asks about reducing group sprawl for Microsoft 365 groups, expiration policies are the answer.
6. Nested Group Limitations: Know that group-based licensing does NOT cascade through nested groups. Only direct members of a licensed group receive the license. Also, dynamic groups cannot have groups as members.
7. Self-Service Group Management Settings: Questions may ask how to restrict who can create Microsoft 365 groups. The answer involves configuring group settings (via PowerShell or Graph API) to restrict group creation to members of a specific security group.
8. Watch for "Least Privilege" Scenarios: The exam emphasizes least privilege. If asked who should manage a specific group, prefer Group Owner over Global Administrator. If asked about delegating group management within a specific scope, consider Administrative Units.
9. Access Reviews for Groups: Understand that access reviews can be configured for both Security and Microsoft 365 groups, and that they can automatically remove members who are denied during the review. This falls under Identity Governance.
10. Pay Attention to Question Wording: Look for keywords like "automatically," "without administrator intervention," and "based on attributes" — these typically point to dynamic groups. Keywords like "collaboration," "shared mailbox," or "Teams" typically point to Microsoft 365 groups. Keywords like "role assignment" or "Entra role" point to role-assignable groups.
11. Understand Group Writeback Scenarios: If a question describes a hybrid environment needing cloud groups visible on-premises, group writeback via Entra Connect Sync or Cloud Sync is the answer.
12. Naming Policies: If a scenario requires enforcing consistent group naming across the organization, the answer is Microsoft 365 group naming policies, configured in the Entra admin center under Groups settings or via PowerShell/Graph API.
By mastering these concepts and their nuances, you will be well-prepared to handle any SC-300 exam question related to group creation, configuration, and management.