Reasons to Pause Membership Processing for Entra ID Dynamic Groups

Posted on by Tony Redmond

Pause Membership Processing to Prevent Inconsistent Changes

A year ago, I wrote about the newly-introduced ability to pause membership processing for Entra ID (then Azure AD) dynamic groups. At the time, I noted that Microsoft had not announced the change. Pausing membership processing is now documented in the page covering the creation of dynamic groups. There we learn that accounts holding the global administrator, group administrator, user administrator, or Intune administrator roles can pause and resume dynamic group processing. However, nothing is said about when it’s a good idea to pause membership processing for dynamic groups.

Usually, Entra ID processes the membership rules for dynamic groups to update membership when service demand allows. The longest that changes for the membership of a dynamic group should remain unprocessed is 24 hours, and Microsoft sets that expectation when viewing group properties in the Entra ID admin center (Figure 1).

Properties of an Entra ID dynamic group Pause membership processing
Figure 1: Properties of an Entra ID dynamic group

In my experience, membership updates happen much faster. This theory is easily tested by making some changes to user accounts that affect the membership of a dynamic group and seeing how long Entra ID takes to process the changes. The properties of a dynamic group tells you when that processing occurred, but the best test is to check the membership to make sure that the changes are reflected in the set of members.

If Entra ID is unable to process membership changes within 24 hours, it flags the problem on top of the All Groups section of the Entra ID admin center, saying that “Dynamic group memberships have not been updated due to system delays.”

When to Pause Membership Processing

Returning to the original point, when should administrators pause membership processing for dynamic groups? The simple answer is “when the directory is in a state of ongoing change.”

Constant change is the nature of a directory like Entra ID. “Ongoing change” means that some form of event happens to cause extensive change affecting many user accounts. Change of this nature can cause a higher processing load for Entra ID to process the signals it receives about account updates.

Often changes to user accounts affect the properties most commonly used to build membership rules for dynamic groups, like department, job title, office location, or tenant-specific values stored in the fifteen custom (“extension”) attributes. Examples include:

  • Corporate restructuring: This includes department splits and merges, or name changes.
  • HR changes: Changes to properties such as job code and titles that might be used by membership rules.
  • Merger and acquisition: Large numbers of user accounts might join or leave an organization.
  • Office relocation: A new office is opened or one is closed, causing the physical location of people to change.

Usually, it’s possible to apply changes to Entra ID user accounts quickly, especially if scripted with PowerShell. However, the involvement of other systems that produce feeds into the directory might slow things down. In this situation, it might be wise to pause membership processing for dynamic groups until the directory stabilizes.

Pausing Membership Processing

It’s easy to implement a general pause for membership processing for all dynamic groups with a few lines of PowerShell. This code finds all dynamic groups and pauses membership processing for each group.

[array]$Groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -All | Sort-Object DisplayName
[int]$i = 0
ForEach ($Group in $Groups) {
  $i++
  Write-Host ("Pausing membership processing for group {0} ({1}/{2})" -f $Group.displayName, $i, $Groups.count)
  Update-MgGroup -GroupId $Group.Id -MembershipRuleProcessingState Paused
}

To reverse the process, run the same loop through the set of dynamic groups but this time set the MembershipRuleProcessingState parameter to On.

Update-MgGroup -GroupId $Group.Id -MembershipRuleProcessingState On

A side effect of pausing and restarting membership processing is that Entra ID resets the last update timestamp to 1/1/0001 (see this article). The next time Entra ID processes membership rules for a dynamic group, it stamps the group with a current timestamp.

No Need to Pause Membership Processing in Normal Circumstances

Entra ID copes easily with the normal load generated by day-to-day membership rule evaluation for dynamic groups. There is no need to pause membership processing in normal circumstances. However, if extensive changes are planned for user accounts, it’s wise to consider pausing membership updates until the directory settles down and everyone has time to think.

Learn about using Entra ID and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.