New Pause Processing Toggle Appears in Entra ID Admin Center
Updated 22-Nov-2023
A recent Entra ID admin center update for Entra ID dynamic groups allows administrators to pause the membership processing that evaluates membership rules and identifies group members. I can’t find any announcement about the change, and it’s not tagged as a preview, but a toggle is there to pause processing (Figure 1) and it works.
Switching the pause processing toggle back to off allows Entra ID to continue processing membership rules. The properties of a dynamic group tell you the current state of processing and when the last membership change happened. Common processing states for Entra ID dynamic groups are:
- Succeeded: Entra ID has evaluated the membership query and the membership is up to date.
- Evaluating: Entra ID is currently resolving the membership query to identify group members.
- Processing: Entra ID is currently processing the membership.
- Processing error: Entra ID was unable to evaluate the membership query.
- Updates paused: An administrator has paused updates. The membership remains static until updates resume.
- Not started: Entra ID has not yet started to evaluate the membership of a dynamic group.
Entra ID reassesses membership as demand on the service allows, with the goal of checking at least once daily. It’s therefore possible that Entra ID will not process changes made to user objects that bring them within the scope of a membership rule for up to 24 hours. My experience is that updates often occur earlier, but it’s wise to set this expectation.
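The admin center toggle sets the group’s membershipRuleProcessingState property, which can also be set through the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original article: it pauses processing for one dynamic group, reads back the state and the processing status detail, and then resumes processing. The group name “Sales Staff” is hypothetical, and the script assumes the Microsoft.Graph.Groups and Microsoft.Graph.Beta.Groups modules are installed and that the signed-in account holds the Group.ReadWrite.All scope.

```powershell
# Added example (not from the original article). "Sales Staff" is a hypothetical group name.
# Requires the Microsoft.Graph.Groups and Microsoft.Graph.Beta.Groups modules.
Connect-MgGraph -Scopes Group.ReadWrite.All -NoWelcome

Function Set-DynamicGroupProcessing {
    # Sets membershipRuleProcessingState ("On" or "Paused") and returns what Entra ID reports afterwards
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][ValidateSet('On', 'Paused')][string]$State
    )
    Update-MgGroup -GroupId $GroupId -MembershipRuleProcessingState $State
    # Read back: the processing state is in v1.0; the status detail is a beta-only property
    $Group  = Get-MgGroup -GroupId $GroupId -Property Id, DisplayName, MembershipRuleProcessingState
    $Status = (Get-MgBetaGroup -GroupId $GroupId -Property MembershipRuleProcessingStatus).MembershipRuleProcessingStatus
    [PSCustomObject]@{
        DisplayName = $Group.DisplayName
        State       = $Group.MembershipRuleProcessingState
        Status      = $Status.Status
        LastUpdate  = $Status.LastMembershipUpdated
    }
}

$GroupName = "Sales Staff"   # hypothetical
$Group = Get-MgGroup -Filter "displayName eq '$GroupName'" -Property Id, DisplayName, GroupTypes, MembershipRule
If (-not $Group) { Throw "Group '$GroupName' not found" }
If ($Group.GroupTypes -notcontains 'DynamicMembership') { Throw "'$GroupName' is not a dynamic group" }
Write-Host ("Membership rule for {0}: {1}" -f $Group.DisplayName, $Group.MembershipRule)

# Pause: membership stays static until resumed, whatever changes in the directory
Set-DynamicGroupProcessing -GroupId $Group.Id -State Paused | Format-List

# ... make the directory changes (for example attribute updates during a migration) ...

# Resume: Entra ID re-evaluates the rule when the service next schedules it, which can take up to 24 hours
Set-DynamicGroupProcessing -GroupId $Group.Id -State On | Format-List
```

Pausing does not remove anyone from the group, so a user who leaves the scope of the rule while processing is paused keeps whatever access the group grants until processing resumes and the next evaluation runs; build that delay into any change window.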
Reporting Dynamic Membership Updates
To check the current situation with dynamic membership updates, we can use PowerShell to find all the dynamic groups in the tenant and report the timestamp for the last membership update, whether processing is enabled, and the current update status. Here’s how to do the job with the Microsoft Graph PowerShell SDK:
```powershell
Connect-MgGraph -Scopes Group.Read.All, GroupMember.Read.All
# Find all dynamic groups in the tenant
[array]$Groups = Get-MgBetaGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -All
If (!($Groups)) {
    Write-Host "No dynamic groups found"
} Else {
    Write-Host ("Processing {0} dynamic groups" -f $Groups.count)
}
$Report = [System.Collections.Generic.List[Object]]::new()
$Groups = $Groups | Sort-Object DisplayName
ForEach ($Group in $Groups) {
    $Options = $Group.ResourceProvisioningOptions -join ", "
    # -All fetches every page; without it only the first page of members/owners is counted
    [array]$Members = Get-MgGroupMember -GroupId $Group.Id -All
    [array]$Owners = Get-MgGroupOwner -GroupId $Group.Id -All
    # Separate call per group: the filtered query fails if this property is requested
    $DynamicData = Get-MgBetaGroup -GroupId $Group.Id -Property MembershipRuleProcessingStatus
    $DataLine = [PSCustomObject] @{
        Id              = $Group.Id
        DisplayName     = $Group.DisplayName
        Owners          = $Owners.Count
        Members         = $Members.Count
        ProcessingState = $Group.MembershipRuleProcessingState
        LastUpdate      = $DynamicData.MembershipRuleProcessingStatus.LastMembershipUpdated
        Status          = $DynamicData.MembershipRuleProcessingStatus.Status
        Options         = $Options
    }
    $Report.Add($DataLine)
}
$Report | Out-GridView
```
You can see that the code uses separate calls to the Get-MgBetaGroup cmdlet to fetch the property holding the membership rule processing status for the groups. For some reason, the original call to fetch a set of filtered groups fails if this property is included in the list to be retrieved. As revealed by the Graph X-Ray add-on, the same flow happens in the Entra ID admin center.
The code also calls the Get-MgGroupOwner and Get-MgGroupMember cmdlets to fetch the set of owners and members for each group. Although these cmdlets return the owners and members of a group, what comes back are directory objects identified by object identifiers rather than display names. That is enough to report counts, but to report owner names, the script would have to run Get-MgUser for each owner. See these articles for more information about using the Microsoft Graph PowerShell SDK to work with Entra ID user accounts and Entra ID Groups. Figure 2 shows the output of the report.
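Here is an added example (not code from the original article) of resolving owner names with Get-MgUser. It checks the object type that Get-MgGroupOwner returns before calling Get-MgUser, because a group can also be owned by a service principal, which Get-MgUser cannot look up. The group filter is the one used in the report above; the function name and output layout are my own.

```powershell
# Added example (not from the original article): report dynamic group owners by name.
Connect-MgGraph -Scopes Group.Read.All, User.Read.All -NoWelcome

Function Get-DynamicGroupOwnerNames {
    # Returns one display string per owner. Get-MgGroupOwner returns directory objects whose
    # type is in AdditionalProperties['@odata.type']; only users are resolved with Get-MgUser.
    param([Parameter(Mandatory)][string]$GroupId)
    $Names = [System.Collections.Generic.List[string]]::new()
    ForEach ($Owner in (Get-MgGroupOwner -GroupId $GroupId -All)) {
        Switch ($Owner.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user' {
                $User = Get-MgUser -UserId $Owner.Id -Property DisplayName, UserPrincipalName
                $Names.Add(("{0} <{1}>" -f $User.DisplayName, $User.UserPrincipalName))
            }
            '#microsoft.graph.servicePrincipal' {
                # Applications can own groups too; Get-MgUser would fail for these objects
                $Names.Add(("[app] {0}" -f $Owner.AdditionalProperties['displayName']))
            }
            Default {
                $Names.Add(("[{0}] {1}" -f $_, $Owner.Id))
            }
        }
    }
    return $Names
}

[array]$Groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -All -Property Id, DisplayName
$Report = ForEach ($Group in ($Groups | Sort-Object DisplayName)) {
    [array]$Owners = Get-DynamicGroupOwnerNames -GroupId $Group.Id
    # Ownerless dynamic groups are worth flagging: nobody is accountable for the membership rule
    $OwnerText = If ($Owners.Count -eq 0) { '(no owners)' } Else { $Owners -join '; ' }
    [PSCustomObject]@{
        DisplayName = $Group.DisplayName
        OwnerCount  = $Owners.Count
        Owners      = $OwnerText
    }
}
$Report | Sort-Object OwnerCount | Format-Table -AutoSize -Wrap
```

Sorting by OwnerCount puts groups with no owner at the top, which is where a reviewer wants them: a dynamic group’s rule decides who gets whatever the group grants, so someone should be accountable for it.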
Dynamic groups with paused membership updates show a last update date of 1 January 0001 (1/1/0001), which is the default value of an unset .NET DateTime rather than a real timestamp. Most of the groups in Figure 2 show this date because I had run a script to pause membership processing for all dynamic groups. The next time Entra ID processes membership rules to validate group membership, it will update the date.
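Because the timestamp can be either a real date, the 1/1/0001 placeholder, or simply old, a report is more useful if it interprets the value. The following is an added example (not code from the original article) that classifies each dynamic group as paused, failed, never updated, stale against the 24-hour expectation, or current. It uses the same beta MembershipRuleProcessingStatus property as the report above; the function name, the 24-hour threshold and the mapping of a Status of Failed to the admin center’s “Processing error” state are my assumptions.

```powershell
# Added example (not from the original article): classify dynamic groups by last membership update.
# [datetime]::MinValue (1/1/0001) means Entra ID has not recorded an update since the pause or creation.
Connect-MgGraph -Scopes Group.Read.All -NoWelcome

Function Get-DynamicGroupUpdateState {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [int]$MaxAgeHours = 24   # the "at least once daily" target; assumption
    )
    $Group  = Get-MgGroup -GroupId $GroupId -Property Id, DisplayName, MembershipRuleProcessingState
    # Beta-only property, fetched per group as in the report above
    $Status = (Get-MgBetaGroup -GroupId $GroupId -Property MembershipRuleProcessingStatus).MembershipRuleProcessingStatus
    $Last   = $Status.LastMembershipUpdated
    $Cutoff = (Get-Date).ToUniversalTime().AddHours(-$MaxAgeHours)

    If ($Group.MembershipRuleProcessingState -eq 'Paused') {
        $Assessment = 'Paused: membership frozen by an administrator'
    } ElseIf ($Status.Status -eq 'Failed') {
        # Assumed to correspond to the admin center's "Processing error" state
        $Assessment = "ProcessingError: $($Status.ErrorMessage)"
    } ElseIf (-not $Last -or $Last -eq [datetime]::MinValue) {
        $Assessment = 'NoTimestamp: no update recorded since pause or creation'
    } ElseIf ($Last -lt $Cutoff) {
        $Assessment = "Stale: last update {0:u} is older than {1} hours" -f $Last, $MaxAgeHours
    } Else {
        $Assessment = 'Current'
    }

    [PSCustomObject]@{
        DisplayName = $Group.DisplayName
        State       = $Group.MembershipRuleProcessingState
        Status      = $Status.Status
        LastUpdate  = $Last
        Assessment  = $Assessment
    }
}

[array]$Groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -All -Property Id
$Results = ForEach ($Group in $Groups) { Get-DynamicGroupUpdateState -GroupId $Group.Id }
# Show the groups that need attention; "Current" groups are the boring ones
$Results | Where-Object { $_.Assessment -ne 'Current' } |
    Format-Table DisplayName, State, Status, LastUpdate, Assessment -AutoSize -Wrap
```

A group that stays in the Stale or NoTimestamp bucket after processing has been resumed is worth a closer look, since its membership no longer reflects the directory and any access it grants is based on old data.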
Dynamic Groups and Dynamic Distribution Lists
Entra ID dynamic groups and dynamic distribution lists are very different objects, but some people confuse the two or believe that the two objects are roughly the same. Apart from the requirement to have Entra ID Premium P1 licenses for Entra ID dynamic groups, the three biggest differences are:
- Dynamic distribution lists don’t exist in Entra ID. They are an Exchange object.
- Dynamic distribution lists support a wider set of member objects (any mail-enabled recipient).
- Dynamic distribution lists support a wider set of properties for building custom membership filters (queries).
See this article for more information about the differences between the two types of dynamic group.
Dynamic Restrictions
Because of the processing load required to evaluate and process group membership, Entra ID restricts the number of dynamic groups and dynamic administrative units combined per tenant to 5,000. In December 2021, Microsoft changed the way that Exchange Online evaluates membership of dynamic distribution lists in a similar attempt to save resources.
Reasons to Pause Membership Processing
Although I appreciate Microsoft adding the extra flexibility in pausing membership processing, I’m struggling to find a good use case. One might be in a merger and acquisition scenario where the directory is in a state of flux, and you want consistency in dynamic group memberships for a period. Apart from that, I don’t know why Microsoft introduced the feature. However, it’s here now and available if you need it.
Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.