How to Create Security Groups in Microsoft Entra ID


This article will guide you through the process of creating Security Groups in Microsoft Entra ID (formerly Azure Active Directory). If you’re unsure about the purpose of Security Groups and how they can benefit you, don’t worry! We’ll cover the key advantages and then dive into a simple, step-by-step guide on how to create Security Groups in Entra.

In Microsoft Entra ID, Security Groups are essential for managing access and permissions for users, devices, and services across Microsoft 365, Azure, and other connected resources. Whether you're looking to assign licenses, manage app access, or enforce policies, Security Groups simplify the process of centralized access control.

Let’s walk through the steps on how to create Security Groups in Entra, ensuring you understand each key feature and benefit.


Primary Uses of Security Groups in Entra

1. Access Control for Resources

  • Assign access permissions to SharePoint sites, Teams, Microsoft 365 Groups, file shares, applications, and other resources.
  • Example: Granting a group of users read-only access to a specific SharePoint library.

2. Role Assignments in Azure or Entra

  • Assign Azure roles or Entra roles to a group instead of individual users.
  • Example: Give a security group the Global Reader role in Entra or Contributor role on an Azure subscription.

3. Conditional Access Policies

  • Apply Conditional Access (CA) policies based on group membership.
  • Example: Require MFA for users in a group when accessing a sensitive app.

4. App Assignment & Licensing

  • Assign applications (e.g., enterprise apps or SaaS apps) to security groups to manage who can access them.
  • Assign Microsoft 365 or Entra licenses to all users in a security group automatically.

5. Device Management

  • Apply Intune device policies or configuration profiles to devices/users in a group.
  • Example: Apply mobile device compliance rules only to users in a security group.

6. Delegated Administration

  • Use groups to assign administrative units (AUs) or delegate limited admin roles to specific subsets of users.



Membership Types:

  • Assigned: Manually add/remove users.
  • Dynamic User: Auto-assign based on user attributes (e.g., department = "HR").
  • Dynamic Device: Auto-assign based on device properties.

Security vs. Microsoft 365 Groups:

  • Security Groups: For access control (e.g., to resources, apps, policies).
  • Microsoft 365 Groups: Collaboration-focused (used with Teams, Outlook, SharePoint), but can also be used for security in some cases.

How to Create a Security Group in Microsoft Entra


Prerequisites:

You must have at least User Administrator or Global Administrator permissions in Entra ID.


Step-by-Step Instructions:

1. Sign In to Microsoft Entra Admin Center



2. Navigate to Groups

  • In the left-hand navigation pane, select "Groups".




3. Click "New group"

  • In the top menu, click the + New group button.




4. Configure the Group Settings

  • Group type: Select Security (not Microsoft 365).
  • Group name: Enter a name for the group (e.g., "Finance Dept Access").
  • Group description: (Optional) Add a helpful description for the group’s purpose.
  • Membership type: Choose one:
      - Assigned: You manually add users/devices.
      - Dynamic User: Users are added based on attribute rules.
      - Dynamic Device: Devices are added via rules (for Intune scenarios).
    For dynamic membership, you’ll need to define a rule (e.g., user.department -eq "Finance").




5. Add Members (for Assigned type only)

  • Click "No members selected" (if you're creating an Assigned group).
  • Search and select users or devices to include.
  • Click Select when done.






6. Create the Group

  • Review your settings.
  • Click "Create".
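
The same settings chosen in the portal can be sent to Microsoft Graph's POST /v1.0/groups endpoint, which makes group creation repeatable and reviewable. The following is an added example, not part of the original article: it maps the step 4 fields to that request body and rejects inconsistent combinations before anything reaches the tenant. The function name build_security_group is hypothetical, and the group names, rule and member ID used with it are constructed sample values.

```python
"""Added example (not from the article): portal fields from step 4 mapped to a
Microsoft Graph POST /v1.0/groups request body. Sample values are constructed."""
import json
import re

GRAPH = "https://graph.microsoft.com/v1.0"
# Portal membership type -> object prefix its dynamic rule must reference.
RULE_PREFIX = {"Dynamic User": "user.", "Dynamic Device": "device."}


def build_security_group(name, membership_type, description="", rule=None, member_ids=()):
    """Hypothetical helper: return the JSON body that creates the group."""
    if membership_type not in ("Assigned", *RULE_PREFIX):
        raise ValueError(f"unknown membership type: {membership_type}")
    nickname = re.sub(r"[^A-Za-z0-9]", "", name)[:64]
    if not nickname:
        raise ValueError("group name must contain letters or digits")
    body = {
        "displayName": name,
        "mailNickname": nickname,   # required by Graph even when not mail-enabled
        "mailEnabled": False,       # "Security", not "Microsoft 365"
        "securityEnabled": True,
        "groupTypes": [],           # empty list = Assigned membership
    }
    if description:
        body["description"] = description
    if membership_type == "Assigned":
        if rule:
            raise ValueError("Assigned groups take members, not a rule")
        if len(member_ids) > 20:    # Graph limit on relationships in the create call
            raise ValueError("add at most 20 members at creation")
        if member_ids:
            body["members@odata.bind"] = [f"{GRAPH}/directoryObjects/{m}" for m in member_ids]
    else:
        prefix = RULE_PREFIX[membership_type]
        if member_ids:
            raise ValueError("dynamic groups cannot have manually added members")
        if not rule or prefix not in rule:
            raise ValueError(f"{membership_type} needs a rule on {prefix}* properties")
        body["groupTypes"] = ["DynamicMembership"]
        body["membershipRule"] = rule
        body["membershipRuleProcessingState"] = "On"
    return body


if __name__ == "__main__":
    print(json.dumps(build_security_group(
        "Finance Dept Access", "Dynamic User", rule='user.department -eq "Finance"'), indent=2))
```

Submitting the body requires a caller with the Group.ReadWrite.All (or Group.Create) Graph permission; keeping the generated JSON in version control gives a record of who was granted access and by which rule.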