Entra ID groups and group-based licensing

Group types in Entra ID, dynamic groups, and using groups to assign licences automatically.

Groups in Entra ID are the unit of access management and the basis for group-based licensing — a way to assign Microsoft 365 licences automatically based on group membership. Knowing the group types and their behaviours saves a lot of one-off user management.

Group types

Entra ID has two basic types:

  • Security groups — used to grant access to apps and resources. Can be mail-enabled to also act as a distribution list.
  • Microsoft 365 Groups — collaborative groups with a shared mailbox, SharePoint site, and (optional) Teams team. Used both for collaboration and as access principals.

Each can have assigned or dynamic membership:

  • Assigned — members are added manually.
  • Dynamic user — membership is a query against user attributes (department, country, jobTitle, etc.).
  • Dynamic device — membership is a query against device attributes (OS, ownership, compliance).

Dynamic groups re-evaluate their rule automatically as user or device attributes change in Entra ID, so membership follows the attribute data rather than an admin's to-do list.
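As an added example, not code from the page and not Microsoft's rule engine: the Python below compiles a dynamic membership rule written in the documented syntax (a subset: -eq, -ne, -startsWith, -contains, -in and their negations, joined with and/or/not and parentheses) into a predicate and runs it over constructed user records, so a rule can be dry-run against known users before it is switched on. The sample users, the case-insensitive string comparison and the attribute names on the records are my assumptions; the tenant's own rule processing remains the authority for what a rule matches.

```python
import re
from typing import Any, Dict, List

# Tokens: parentheses, list brackets and commas, double-quoted strings, and bare words
# (property paths such as user.department, operators such as -eq, literals true/false/null).
_TOKEN_RE = re.compile(r'\s*(\(|\)|\[|\]|,|"[^"]*"|[^\s()\[\],]+)')
_KEYWORDS = {"true": True, "false": False, "null": None}

def _literal(tok: str) -> Any:
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.lower() not in _KEYWORDS:
        raise ValueError(f"unexpected literal {tok!r}")
    return _KEYWORDS[tok.lower()]

def _norm(v: Any) -> Any:
    # Assumption: string comparisons are case-insensitive; booleans and null compare as-is.
    return v.lower() if isinstance(v, str) else v

def _starts(a, b): return isinstance(a, str) and _norm(a).startswith(_norm(b))
def _has(a, b): return isinstance(a, str) and _norm(b) in _norm(a)
def _in(a, b): return _norm(a) in [_norm(x) for x in b]

# Operator names are matched case-insensitively (-startsWith and -startswith both work).
_COMPARATORS = {
    "-eq": lambda a, b: _norm(a) == _norm(b), "-ne": lambda a, b: _norm(a) != _norm(b),
    "-startswith": _starts, "-notstartswith": lambda a, b: not _starts(a, b),
    "-contains": _has, "-notcontains": lambda a, b: not _has(a, b),
    "-in": _in, "-notin": lambda a, b: not _in(a, b),
}

def compile_rule(rule: str):
    """Recursive descent; precedence from tightest to loosest: comparison, not, and, or."""
    toks = _TOKEN_RE.findall(rule)
    def peek():
        return toks[0].lower() if toks else None
    def take() -> str:
        if not toks:
            raise ValueError("unexpected end of rule")
        return toks.pop(0)
    def parse_or():
        left = parse_and()
        while peek() in ("or", "-or"):
            take()
            left = (lambda l, r: lambda u: l(u) or r(u))(left, parse_and())
        return left
    def parse_and():
        left = parse_not()
        while peek() in ("and", "-and"):
            take()
            left = (lambda l, r: lambda u: l(u) and r(u))(left, parse_not())
        return left
    def parse_not():
        if peek() in ("not", "-not"):
            take()
            inner = parse_not()
            return lambda u: not inner(u)
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        return parse_comparison()
    def parse_comparison():
        prop = take()                            # e.g. user.department or device.deviceOSType
        if "." not in prop:
            raise ValueError(f"expected a property path, got {prop!r}")
        attr, op = prop.split(".", 1)[1], take().lower()
        if op not in _COMPARATORS:
            raise ValueError(f"unsupported operator {op!r}")
        if peek() == "[":                        # list literal for -in / -notIn
            take()
            value = []
            while peek() not in ("]", None):
                value.append(_literal(take()))
                if peek() == ",":
                    take()
            if take() != "]":
                raise ValueError("expected ']'")
        else:
            value = _literal(take())
        cmp = _COMPARATORS[op]
        return lambda u: cmp(u.get(attr), value)
    pred = parse_or()
    if toks:
        raise ValueError(f"trailing tokens: {toks}")
    return pred

def evaluate_members(rule: str, objects: List[Dict[str, Any]]) -> List[str]:
    """Ids of the objects the rule would place in the group: a what-if run before enabling it."""
    pred = compile_rule(rule)
    return [o["id"] for o in objects if pred(o)]

# Constructed sample users, not real accounts.
SAMPLE_USERS = [
    {"id": "alice", "department": "Finance", "jobTitle": "Analyst", "accountEnabled": True, "usageLocation": "GB"},
    {"id": "bob", "department": "finance", "jobTitle": "Controller", "accountEnabled": False, "usageLocation": "GB"},
    {"id": "carol", "department": "Marketing", "jobTitle": "Chief Marketing Officer", "accountEnabled": True, "usageLocation": "US"},
    {"id": "dave", "department": None, "jobTitle": "Contractor", "accountEnabled": True, "usageLocation": "US"},
]
```

Call evaluate_members(rule, SAMPLE_USERS) with the rule you intend to paste into the portal. The sample is built around the cases worth checking before a licensing or Conditional Access group goes live: bob is in Finance but disabled, so a rule that also requires accountEnabled excludes him; dave has no department, so he misses -eq "Finance" but matches -eq null; and a -notIn on usageLocation picks up the users the attribute was never set for.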

Group-based licensing

Licences in Microsoft 365 can be assigned to groups. Any member of the group inherits the licence; remove them from the group and the licence is reclaimed.

This is invaluable for:

  • Department-driven licensing — assign E3 to "All Employees" via a dynamic group on department.
  • Onboarding/offboarding — HR sets the department attribute, the user gets the right licence automatically.
  • Add-ons — Power BI Pro to "Analysts," Copilot to "Pilot Users," via specific groups.

Limitations:

  • Group-based licensing requires Entra ID P1 for at least one user (which most Microsoft 365 plans include).
  • Conflict resolution: if a user lands in two groups with conflicting service plans, the explicit assignment wins where possible.
  • Track the provisioning status in the Entra admin center: sometimes a licence shortage or a service-plan conflict blocks assignment for some users.
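As an added example for the provisioning-status point (not code from the page, and not the admin center's own report), here is a Python audit over user records shaped like the Microsoft Graph user resource with licenseAssignmentStates. The sample data is constructed, and the SKU and group ids are placeholders. It flags assignments whose state carries an error, counts errors per licensing group, and also catches the case the first paragraph of this section relies on: a SKU a user holds both via a group and directly, which is not reclaimed when they leave the group until the direct assignment is removed. The error names (CountViolation, MutuallyExclusiveViolation and the rest) are the Graph enumeration values as I know them; the human-readable hints are my own wording.

```python
from collections import defaultdict
from typing import Any, Dict, List

# Hints for the Graph licenseAssignmentState error values; the wording is mine.
ERROR_HINTS = {
    "CountViolation": "no licences left in the SKU: buy more or trim the group",
    "MutuallyExclusiveViolation": "a service plan conflicts with one already assigned",
    "DependencyViolation": "a service plan needs another plan that is not assigned",
    "ProhibitedInUsageLocationViolation": "SKU not allowed in the user's usageLocation",
    "UniquenessViolation": "the same plan is assigned twice from different sources",
}

# Constructed sample data; ids are placeholders, not values from any tenant.
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"userPrincipalName": "alice@example.com", "licenseAssignmentStates": [
        {"skuId": "sku-e3", "assignedByGroup": "grp-lic-m365-e3", "state": "Active", "error": "None"},
    ]},
    {"userPrincipalName": "bob@example.com", "licenseAssignmentStates": [
        {"skuId": "sku-e3", "assignedByGroup": "grp-lic-m365-e3", "state": "Active", "error": "None"},
        {"skuId": "sku-e3", "assignedByGroup": None, "state": "Active", "error": "None"},  # direct duplicate
    ]},
    {"userPrincipalName": "carol@example.com", "licenseAssignmentStates": [
        {"skuId": "sku-copilot", "assignedByGroup": "grp-lic-copilot", "state": "Error", "error": "CountViolation"},
    ]},
    {"userPrincipalName": "dave@example.com", "licenseAssignmentStates": [
        {"skuId": "sku-e3", "assignedByGroup": "grp-lic-m365-e3", "state": "Active", "error": "None"},
        {"skuId": "sku-addon-b", "assignedByGroup": "grp-lic-addon-b", "state": "Error", "error": "MutuallyExclusiveViolation"},
    ]},
]


def audit_license_states(users: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per problem: assignment errors, and SKUs held both via a group and directly."""
    findings = []
    for user in users:
        upn = user["userPrincipalName"]
        sources_by_sku: Dict[str, List[Any]] = defaultdict(list)
        for st in user.get("licenseAssignmentStates", []):
            # assignedByGroup is null for a direct assignment, a group id otherwise
            sources_by_sku[st["skuId"]].append(st.get("assignedByGroup"))
            if st.get("state") in ("Error", "ActiveWithError") or st.get("error", "None") != "None":
                findings.append({
                    "user": upn, "kind": "assignment_error", "sku": st["skuId"],
                    "group": st.get("assignedByGroup"), "error": st.get("error"),
                    "hint": ERROR_HINTS.get(st.get("error"), "inspect the group's licensing blade"),
                })
        for sku, sources in sources_by_sku.items():
            groups = [g for g in sources if g]
            if groups and len(groups) < len(sources):  # at least one direct source alongside a group
                findings.append({"user": upn, "kind": "direct_and_group", "sku": sku, "group": groups})
    return findings


def errors_by_group(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    """Assignment errors per licensing group: the view to check before editing a group's licences."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        if f["kind"] == "assignment_error" and f["group"]:
            counts[f["group"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit_license_states(SAMPLE_USERS)
    for f in results:
        print(f)
    print(errors_by_group(results))
```

Against a real tenant the input would come from Graph (the user resource with licenseAssignmentStates selected) rather than the constructed list; the findings are then the work list: a direct_and_group finding is cleaned up by removing the direct assignment so the group alone governs the licence, and an assignment_error finding points at the group and SKU to fix.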

Best practices

  • Standardise naming: LIC-M365-E3, LIC-Copilot, SEC-DataAccess-Finance. Predictable names help the next admin.
  • Avoid nested groups for licensing — Entra ID doesn't follow nested membership for licence assignment in many cases.
  • Use dynamic groups for stable, attribute-driven access; use assigned groups for ad-hoc access.
  • Lifecycle policies for Microsoft 365 Groups — expiration after N days inactive, with owner renewal.
  • Access reviews for sensitive groups — quarterly attestation by owners.

Groups and Conditional Access

CA policies target users by group. Combined with dynamic groups, you can express "MFA required for everyone in Finance" or "Block access from unmanaged devices for the All Admins group" without manual user-by-user assignment.

Treat groups as the primary admin abstraction. Everything else — access, licences, Conditional Access, app assignment — should hang off them.