Key Takeaways
- This blog article explains how to create a dynamic Entra ID group based on distribution list membership in Exchange Online.
- By creating a dynamic Entra ID group based on distribution list membership, you can simplify your group management and ensure that your group membership is always consistent and up-to-date.
Problem
If you’re lazy like me and don’t want to maintain two separate groups with the same membership, this article shows how you can use a query to build a dynamic Entra ID group that automatically updates its members based on the distribution list membership in Exchange Online. This way, you can have a single source of truth for your group management and avoid manual errors and inconsistencies.
Solution: Create a dynamic Entra ID group based on distribution list membership
To create a dynamic Entra ID group based on distribution list membership, you need to follow these steps:
Step 1: Sign in to the Microsoft Entra admin center as at least a User Administrator.
Step 2: Browse to Identity > Groups > All groups, and then select New group.
Step 3: On the New Group page, under Group type, select Security. Enter a Group name and Group description for the new group. Under Membership type, select Dynamic User, and then select Add dynamic query.
Step 4: On the Dynamic membership rules page, select Advanced rule. In the text box, enter the following rule:
(user.mail -eq "<distribution list email address>") -or (user.proxyAddresses -any (_ -eq "SMTP:<distribution list email address>"))
Replace <distribution list email address> with the email address of the distribution list that you want to use as the source of membership. For example, if your distribution list email address is [email protected], the rule would look like this:
(user.mail -eq "[email protected]") -or (user.proxyAddresses -any (_ -eq "SMTP:[email protected]"))
This rule will match any user whose primary email address or proxy address matches the distribution list email address.
Step 5: Select Save to save the rule and create the group.
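Before the new group is used to assign licenses, roles, or access, it is worth confirming that its evaluated membership really equals the distribution list's membership. The script below is an added example, not part of the original article. The parameter names $DlAddress and $GroupName are placeholders, and it assumes the ExchangeOnlineManagement and Microsoft.Graph.Groups modules are installed and that each member's Entra ID mail attribute equals their primary SMTP address.

```powershell
# Added example: compare a distribution list's members with a dynamic group's members.
# $DlAddress and $GroupName are assumed placeholder parameters, not values from the article.
param(
    [Parameter(Mandatory)] [string] $DlAddress,   # SMTP address of the distribution list
    [Parameter(Mandatory)] [string] $GroupName    # display name of the dynamic Entra ID group
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

# Direct members of the distribution list. Nested lists come back as group
# recipients, so they are reported separately instead of being expanded.
$recipients = @(Get-DistributionGroupMember -Identity $DlAddress -ResultSize Unlimited)
$dlUsers = @($recipients |
    Where-Object { $_.RecipientType -in 'UserMailbox', 'MailUser' } |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() })
$dlNested = @($recipients | Where-Object { $_.RecipientType -like '*Group*' })

# Locate the dynamic group and read its rule and processing state.
$escaped = $GroupName.Replace("'", "''")
$group = @(Get-MgGroup -Filter "displayName eq '$escaped'" `
    -Property 'Id', 'DisplayName', 'MembershipRule', 'MembershipRuleProcessingState')
if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName'." }
$group = $group[0]

# Current members of the dynamic group, keyed by their mail attribute.
$groupUsers = @(Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['mail'] } |
    Where-Object { $_ } |
    ForEach-Object { $_.ToLowerInvariant() })

# Report both directions of drift; an empty result in both means the sets agree.
[pscustomobject]@{
    Rule             = $group.MembershipRule
    ProcessingState  = $group.MembershipRuleProcessingState
    DlUserCount      = $dlUsers.Count
    GroupUserCount   = $groupUsers.Count
    MissingFromGroup = @($dlUsers | Where-Object { $_ -notin $groupUsers })
    ExtraInGroup     = @($groupUsers | Where-Object { $_ -notin $dlUsers })
    NestedListsInDl  = @($dlNested | ForEach-Object { $_.PrimarySmtpAddress })
}
```

Run it after the group has finished processing its rule. Any entries under MissingFromGroup or ExtraInGroup mean the group should not yet be trusted as a stand-in for the distribution list.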
Frequently Asked Questions (FAQs)
Question: What is a dynamic Entra ID group?
Answer: A dynamic Entra ID group is a group that has its membership defined by a rule or a query, rather than a static list of users or devices. A dynamic group can be a security group or a Microsoft 365 group, and it can have a membership type of either dynamic user or dynamic device. A dynamic group can be used for various purposes, such as assigning licenses, policies, roles, or access to resources.
Question: What is a distribution list?
Answer: A distribution list is a group of email recipients that is created and managed in Exchange Online. A distribution list can have a static list of members or a dynamic membership based on recipient filters. A distribution list can be used to send email messages to multiple people at once, without having to type each individual address.
Question: Why create a dynamic Entra ID group based on distribution list membership?
Answer: There are several scenarios where you might want to create a dynamic Entra ID group based on distribution list membership, such as:
- You want to assign licenses, policies, roles, or access to resources to a group of users that is already defined by a distribution list in Exchange Online.
- You want to sync a distribution list from Exchange Online to Entra ID, but you don’t want to create a duplicate static group in Entra ID.
- You want to have a consistent and up-to-date group membership across Exchange Online and Entra ID, without having to manually update both groups every time there is a change.
By creating a dynamic Entra ID group based on distribution list membership, you can achieve these goals with minimal effort and maintenance.
Question: How does the dynamic Entra ID group update its membership?
Answer: The dynamic Entra ID group will update its membership automatically based on the rule that you defined. Whenever there is a change in the attributes of a user or a device, the system will evaluate all dynamic group rules in the directory to see if the change would trigger any group adds or removes. If a user satisfies the rule, they will be added as a member of the group. If they no longer satisfy the rule, they will be removed.
The membership update process can take up to 30 minutes to complete. You can check the status of the update by selecting the group in the Microsoft Entra admin center and then selecting Refresh membership. You can also view the current members of the group by selecting Members.
Question: Can I create a dynamic Entra ID group based on a dynamic distribution list?
Answer: Yes, you can create a dynamic Entra ID group based on a dynamic distribution list, as long as the dynamic distribution list has a valid email address. The rule for the dynamic Entra ID group will be the same as the one for a static distribution list, except that you need to use the email address of the dynamic distribution list instead of the static one.
Question: Can I create a dynamic Entra ID group based on multiple distribution lists?
Answer: Yes, you can create a dynamic Entra ID group based on multiple distribution lists, by using the logical operator -or in the rule. For example, if you want to create a dynamic Entra ID group based on two distribution lists, [email protected] and [email protected], the rule would look like this:
((user.mail -eq "[email protected]") -or (user.proxyAddresses -any (_ -eq "SMTP:[email protected]"))) -or ((user.mail -eq "[email protected]") -or (user.proxyAddresses -any (_ -eq "SMTP:[email protected]")))
This rule will match any user whose primary email address or proxy address matches either of the distribution list email addresses.
Question: Can I create a dynamic Entra ID group based on a nested distribution list?
Answer: No, you cannot create a dynamic Entra ID group based on a nested distribution list, which is a distribution list that contains another distribution list as a member. The rule for the dynamic Entra ID group will only match the users who are directly members of the distribution list, not the users who are members of the nested distribution list.
Summary
In this blog post, you learned how to create a dynamic Entra ID group based on distribution list membership in Exchange Online. This can help you simplify your group management and ensure that your group membership is always consistent and up-to-date. You also learned how to write the rule for the dynamic Entra ID group, how to check the status and members of the group, and the answers to some common questions about this topic.