Skip to main content

Dynamic Groups

Dynamic Groups let you define rules based on user attributes (like department, job title, or location) and have Adcyma automatically maintain the membership of Microsoft Entra Security Groups or Exchange Distribution Lists. No more manually adding or removing users.

When to Use Dynamic Groups

Good candidates for dynamic groups:

  • Department-based distribution lists that update as people change roles
  • Security groups for office locations that adjust as people move
  • Project teams that need specific tool access based on attributes
  • Compliance groups that must include all users meeting certain criteria

For example, you could create a "Marketing Team" group that automatically includes anyone with Department = Marketing, while manually excluding interns and including the CMO (who might be in a different department).

Setting Up Your Dynamic Group

Basic Configuration

Name Pick a descriptive name that indicates what the group is for. Names don't need to be unique, but something like "Marketing-FullTime-Seattle" is more helpful than "Group1".

Description (Optional) Document the group's purpose, any special rules, or important notes for future administrators. This is especially valuable for complex conditional logic.

Target Group Type Select the type of group you're managing:

  • Microsoft Entra Security Group (for access permissions and security policies)
  • Exchange Distribution List (for email distribution)

Target Group Choose the existing group in Entra that will be updated. The dynamic group configuration will control the membership of this group.

Membership Rules

Evaluation Mode

Choose your approach carefully:

Relaxed Mode (Recommended for most cases)

  • Keeps existing manual members in the group
  • Adds new users who match your conditions
  • Safe option that won't accidentally remove important users
  • Best for: Adding structure to existing groups

Strict Mode (Use with caution)

  • Completely replaces group membership based on your rules
  • Removes users who don't match conditions (except those in "Always Include")
  • Can cause access issues if rules are incorrect
  • Best for: Groups that should be 100% rule-based

Warning: Strict Mode will remove existing members who don't match your new rules. Test your conditions carefully before applying.

Manual Overrides

Always Include Users Specific users who should be in the group regardless of whether they match the automated rules. Common uses:

  • Executives who need access but don't fit standard criteria
  • External consultants with special roles
  • Users with temporary elevated permissions

Always Exclude Users Users who should never be added, even if they match all conditions. Useful for:

  • Suspended employees who still exist in the system
  • Test accounts that shouldn't receive group benefits
  • Users with conflicting access requirements

Conditional Blocks

Define the automatic membership rules using user attributes.

Common conditions:

  • Department equals "Marketing" - All marketing team members
  • Title contains "Manager" - All people with manager in their title
  • Office equals "Seattle" - All Seattle-based employees
  • EmployeeType equals "FullTime" - Exclude contractors and temps

You can combine conditions with AND logic to create precise rules:

  • Department = "Sales" AND Title contains "Director" - Only sales directors
  • Office = "NYC" AND Department = "Engineering" - NYC engineering team

Best Practices

Start with basic conditions and add complexity gradually. Test each rule before moving to production.

Name your groups clearly. Something like "Finance-Managers-AllOffices" tells you exactly who should be included.

Use the description field to explain complicated conditional rules for future reference.

Preview membership results before saving, especially when using Strict Mode.

Periodically review your dynamic groups to make sure they still match your organizational needs.

Common Use Cases

Department Distribution Lists

Condition: Department = "Human Resources"
Mode: Relaxed
Always Include: CEO, Legal Counsel
Result: HR team + key stakeholders for HR communications

Office Security Groups

Condition: Office = "London" AND EmployeeType = "FullTime"
Mode: Strict
Always Exclude: Contractors, Visitors
Result: Full-time London employees only

Project Team Access

Condition: Department = "Engineering" AND Title contains "Senior"
Mode: Relaxed
Always Include: Project Manager, Product Owner
Result: Senior engineers + project leadership

Troubleshooting

If users aren't being added:

  • Verify user attributes match your conditions exactly
  • Check spelling and capitalization in your rules
  • Confirm the user exists in Entra with the expected attributes

If members are unexpectedly removed:

  • Review if you're using Strict Mode unintentionally
  • Check if users are in the "Always Exclude" list
  • Verify user attributes haven't changed

If the group isn't updating:

  • Dynamic group evaluations run on a schedule
  • Manual sync may be needed for immediate updates
  • Check that the target group is correctly selected