🎉 Our Microsoft 365 Reporting & Management Tool is now available in Azure Marketplace 🚀
Microsoft Entra ID

How to List Dynamic Groups in Microsoft 365

Dynamic groups in Entra ID automatically manage membership using rules based on attributes like department, job title, device type, and so on. This simplifies tasks like onboarding users, license assignment, and policy enforcement. However, a simple misconfigured rule may cause unintended access issues and unexpected expenses. This guide shows how to list all Microsoft 365 dynamic groups to review membership accuracy and improve overall management.

Solution 1
Solution 2
Solution 3
Important Tips
Errors and Resolution Steps
FAQs

Get Dynamic Groups in Microsoft 365 Using Entra Admin Center

Microsoft 365 Permission Required
Global Reader Least Privilege
Global Administrator Most Privilege
  • Sign in to the Microsoft Entra admin center.
  • Navigate to Entra ID»Groups»All groups.
  • Then, click on the Add filter option and select Membership type from the Filter drop-down.
  • Ensure the Value is set to Dynamic and click Apply
  • This will now list all dynamic membership groups along with its name, object Id, group type, membership type, email address (if assigned), source, and more.
Get Dynamic Groups in Microsoft 365 Using Entra Admin Center

Find Dynamic Membership Group Details Using PowerShell

Microsoft 365 Permission Required
Group.Read.All Least Privilege
Directory.Read.All Most Privilege
  • Connect to the Microsoft Graph PowerShell module with required scope using the cmdlet below.
  • Windows PowerShell Windows PowerShell 
     Connect-MgGraph -Scopes "Group.Read.All"
  • Run the following cmdlet to get all dynamic groups along with their details such as display name, ID, mail nickname, and description in Microsoft 365.
  • Windows PowerShell Windows PowerShell 
     Get-MgGroup -All | Where-Object { $_.GroupTypes -contains "DynamicMembership" }
Find Dynamic Membership Group Details Using PowerShell
AdminDroid Microsoft 365 Group Reporting Tool

Gain Complete Visibility into Dynamic Groups to Manage Group Membership Efficiently

AdminDroid’s Microsoft 365 group reporting tool provides in-depth details of dynamic group configurations, membership rules, user assignments, and more. This helps admins to track changes, manage access, monitor license usage, and maintain accurate group structures across Microsoft 365.

Get Alerts for Dynamic Group Owner Changes to Strengthen Group Governance

Leverage AdminDroid’s default alert template for group owner changes to ensure that the right users hold ownership of critical dynamic groups in Microsoft 365.

Track Dynamic Group Members to Avoid Unauthorized Membership Changes

Monitor group membership summary report to track users, groups, guests, devices added through dynamic group rules and ensure group logic aligns with intended access.

Find Users Receiving Licenses via Group to Ensure Proper License Allocation

Track license-inherited users through group membership to identify unintended assignments from dynamic groups and remediate them immediately by updating the group rules.

Manage Dynamic Groups Effortlessly to Reduce Manual Effort and Save Time

With AdminDroid’s group management actions, admins can easily manage and automate routine dynamic group tasks such as assigning licenses, updating group owners, configuring group expiration policies, and more, all from a single unified interface.

Monitor External User Access Through Microsoft 365 Dynamic Groups

Identify Microsoft 365 dynamic groups with external users by applying the group membership type filter as Dynamic to monitor unintended guest access and ensure secure collaboration.

Gain Complete visibility on Dynamic Group License Changes

Easily audit Microsoft 365 group license changes to ensure no licenses are assigned or revoked accidentally from a dynamic group.

Overall, AdminDroid's Microsoft 365 management tool helps admins easily monitor and manage dynamic groups. With clear insights into group rules, memberships, and license usage, it ensures accurate access control, stronger governance, and simplified group management across the organization.

Explore a full range of reporting options
Download Live Demo

Important tips

Use group-based licensing with dynamic groups to automate user license assignments in Microsoft 365. This will streamline updates and minimizes admin effort.

Make use of dynamic groups to run targeted cyber-attack simulations and deliver effective training against threats like credential harvest, phishing attacks, and more.

Regularly monitor who created Microsoft 365 groups to avoid unnecessary dynamic group additions in your organization.

Common Errors and Resolution Steps

Here are the possible errors and troubleshooting fixes while handling dynamic groups in Microsoft 365.

Error Insufficient privileges to complete the operation. Status: 403 (Forbidden).

This error occurs when New-MgGroup cmdlet is executed in the Microsoft Graph PowerShell with an account that lacks the necessary privilege role.

Fix Execute the cmdlet below in the Windows PowerShell with the required privilege role, such as global administrator or group administrator. 
Connect-MgGraph -Scopes "Group.ReadWrite.All"

Error Another object with the same value for property <PropertyName> already exists.

This issue occurs when New-MgGroup cmdlet is executed with a value for a unique property (e.g., mailNickname) that is already used by another object in the tenant.

Fix Check if the value is in use before creating a dynamic group by using the cmdlet below and provide a unique value. Before executing the cmdlet, please replace the placeholders with appropriate property and property value. 
Get-MgGroup -Filter "<Property> eq '<PropertyValue>'"

Error Inherited license assignments cannot be removed from the user directly. To remove the license, you must remove them from their group.

This error occurs when you try to remove a license directly from a user whose license is assigned through group membership (inherited license).

Fix Remove the required user from the group to remove that specific license.

Error The group has active license. So, it cannot be deleted.

This error occurs when trying to delete a dynamic group which have an active license assignment in Microsoft 365.

Fix Remove the active license from the group using the cmdlet below and then try to delete the dynamic group. Before executing the cmdlet, replace the <group_id> with appropriate Group ID. 
Set-MgGroupLicense -GroupId "<group_id>" -AddLicenses @() -RemoveLicenses @( (Get-MgGroup -GroupId "<group_id>" -Property AssignedLicenses).AssignedLicenses | ForEach-Object { $_.SkuId } )
Microsoft Entra ID
Frequently Asked Questions

Effortlessly Manage Dynamic Group Memberships to Avoid Access Issues

How to create a dynamic membership group in Microsoft 365?
How to change the membership type of a group from dynamic to assigned in Microsoft 365?
How to find the dynamic Microsoft 365 groups that a specific user is a member of?
How to edit the configuration or rules of a dynamic group?

1. How to create a dynamic membership group in Microsoft 365?

As organizations grow and roles change, user access becomes complex. When users move between departments or locations, administrators must update group memberships for resources like SharePoint or business apps, which takes time and often causes errors. Dynamic groups in Microsoft 365 simplify the process by automatically adjusting memberships based on user attributes so that access stays accurate and consistent. Here is how to create a dynamic group in Microsoft 365.

Create a dynamic group in Entra admin center

  • Go to All groups page in Microsoft Entra admin center and click New group button.
  • Now fill in all the required fields such as Group type, Group name and Group description, based on your requirement. Since a role-assignable group cannot be dynamic, keep the role assignment toggle to No.
  • In the Membership type dropdown, select the required type, such as Dynamic User or Dynamic Device.
create-a-dynamic-group-in-entra-admin-center

Note: For security groups, all membership types are supported such as Assigned, Dynamic User, and Dynamic Device. However, for Microsoft 365 groups, only Assigned and Dynamic User membership types are supported.

  • Now click on No owners selected link under Owners section. After that, select the required owner and then click Select button.
  • Click Add dynamic query link under Dynamic user members or Dynamic device members option. Then use rule syntax or use the rule builder to create the rules and click Save option.
  • Now click Create to create a new dynamic group in Microsoft 365.
add-owners-and-membership-rules-to-the-group

Note: Members will be automatically added to the dynamic group based on the configured rule and it will take time based on the total user count.

Create dynamic membership group in Microsoft 365 using PowerShell

  • Connect to the Microsoft Graph PowerShell module using the cmdlet below with the required permissions.
Connect-MgGraph -Scopes "Group.ReadWrite.All"
  • Now, run the following cmdlet to create a new dynamic group in Entra using Windows PowerShell. Make sure to update the group name, description, and rules with your own values before execution.
New-MgGroup -DisplayName "<GroupDisplayName>" -MailNickname "<MailNickname>" -MailEnabled:$true -SecurityEnabled:$false -GroupTypes @("Unified","DynamicMembership") -MembershipRule '(user.<Property> -eq "<Value>")' -MembershipRuleProcessingState "On"

The execution of the cmdlet will create a mail-enabled dynamic M365 group and return information such as the display name, Id, mail nickname, description, and group types for the created group.

create-dynamic-group-in-m365-powershell

2. How to change the membership type of a group from dynamic to assigned in Microsoft 365?

When access to specific resources must be granted only to a defined set of users or when existing rules are outdated, a dynamic group may no longer meet the requirement. To address this, admins can convert the group’s membership type from dynamic to assigned and manually include only the required users. This method ensures precise access control and prevents unintended access.

Update a group’s membership type through the Microsoft Entra admin center

  • Navigate to All groups page and select a dynamic group after filtering.
  • Then, select Properties option under the Manage section.
  • In the Membership type dropdown change the option to Assigned instead of Dynamic User or Dynamic Device.
  • Once changed, click Save to store your changes.
edit-group-membership-type-via-entra-id

After saving, the dynamic group becomes an assigned group. Current members stay, but new members must be added or removed manually by the owner or admin.

Switch dynamic groups to assigned membership group using PowerShell

  • Run the following command to connect to Microsoft Graph PowerShell with the required permissions.
Connect-MgGraph -Scopes "Group.ReadWrite.All"
  • Now, execute the cmdlet below to change the group membership type from Dynamic to Assigned. Ensure to replace the <GroupObjectID> with the required group's object Id before execution.
$targetId = "<GroupObjectID>"

$group = Get-MgGroup -GroupId $targetId

if ($group.GroupTypes -contains "Unified") {
    Update-MgGroup -GroupId $targetId -GroupTypes @("Unified")
}
else {
    Update-MgGroup -GroupId $targetId -GroupTypes @()
}
convert-dynamic-group-to-assigned-powershell

Note: It is not possible to change the membership type of a dynamic distribution groups, as it is created and managed in Exchange Online.

3. How to find the dynamic Microsoft 365 groups that a specific user is a member of?

Tracking which dynamic Microsoft 365 groups a user belongs to can be a real headache for admins. Unlike static groups, dynamic group memberships are calculated automatically based on rules, so it’s not immediately obvious who belongs where. Admins often need this information to verify user access, troubleshoot permission issues, or ensure compliance with organizational policies. Here’s how you can quickly find a specific user’s membership in dynamic groups.

Get a specific user’s dynamic group memberships in Microsoft 365

  • Go to "All Users" tab under Entra ID»Users in the Microsoft Entra admin center.
  • Click on a user to open their properties, then click on Groups and click Add filters.
  • Next, select Membership type and click Apply to view all dynamic groups that the selected user belongs to.
dynamic-group-memberships-of-a-user-in-m365

List all dynamic groups a user is member of using PowerShell

  • Connect to the Microsoft Graph PowerShell module with required permissions using the cmdlet below.
Connect-MgGraph -Scopes "Group.ReadWrite.All"
  • Execute the cmdlet after replacing the <UserUPN> with the object ID of the required user to list all dynamic groups the user is a member of.
Get-MgUserMemberOf -UserId "<UserUPN>" -All | 

    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } | 

    ForEach-Object { Get-MgGroup -GroupId $_.Id -Property Id,DisplayName,Description,MembershipRule } | 

    Where-Object { $_.MembershipRule } | 

    Select-Object Id, DisplayName
get-users-dynamic-group-membership-via-powershell

List all dynamic groups a user is member of using AdminDroid 365

  • Using AdminDroid, you can effortlessly list all dynamic groups a user is member using all users' group membership report.
  • Click Customize Columns, then select + Add columns from other reports. Search for and add the Group Membership Type column.
  • Filter the report by setting "Group Membership Type equals Dynamic" and "User’s mail equals required user email" to view the dynamic groups the user is a member of.
get-user-dynamic-group-membership-via-admindroid

4. How to edit the configuration or rules of a dynamic group?

Dynamic groups automatically reflect membership changes in an organization according to the rules defined. However, these rules may need updates when roles change or departments evolve. By fine-tuning the dynamic membership rule we can ensure that the group continues to include only the right users, aligned with current business needs and access requirements.

Update membership rules for a Microsoft Entra dynamic group

  • Go to All groups page and filter by Membership type to Dynamic to quickly view dynamic groups.
  • Select the dynamic group whose membership rule you want to change.
  • Choose Dynamic membership rules under the Manage section to open the rule editor.
  • Modify the existing rule or add a new condition based on your current attribute requirements such as “(user.department -eq "Finance") or (user.jobTitle -eq "Manager")” and then click Save.
edit-membership-rules-for-m365-dynamic-group

After updating the dynamic group membership rules, validate them to ensure the logic is correct and prevent misconfigurations.

Validate membership rule before creating a dynamic group to avoid unintended group memberships

  • Locate and select Validate Rules tab in the Dynamic membership rules page.
  • Click Add users to select a few users and click Select to proceed.
  • Once processed, the results will display as In group, Not in group, or Unknown.
  • Review the results to confirm that only users who match the rule appear as In group.
validate-membership-rule-for-dynamic-groups

This process helps ensure that only the intended users are part of the group and that the rule works exactly as expected.

Note: To understand why a user is included or excluded during validation, click the View details link next to the user’s name. This shows which rule conditions the user matched or didn’t match.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs Customer Stories
All Guides 99+
Microsoft Entra ID
How to List Dynamic Groups in Microsoft 365
Microsoft Entra ID Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo