Microsoft Entra Groups
Common Use Cases
- Department access: granting a whole team access through one group
- Centralized identity: using groups IT already manages
- Dynamic membership: rule-based groups that update automatically
- Security groups: mail-disabled groups used purely for access
- Microsoft 365 groups: groups that also back a team site and mailbox
- Scalable permissions: avoiding person-by-person assignments
Benefits
- Manage once: membership changes flow to every resource
- Centralized: IT governs membership in one place
- Dynamic option: membership can update from attributes
- Consistent access: the same group works across many sites
- Fewer mistakes: no re-adding individuals everywhere
- Directory-backed: tied to real identity and lifecycle
How It Works
- Groups in Entra ID: security and Microsoft 365 groups in the directory
- Added to permissions: an Entra group is granted a permission level
- Nested into SharePoint groups: an Entra group can be a member of a site group
- Membership flows through: access follows group membership
- Dynamic rules: membership can be automated by attributes
- Lifecycle managed: joiners and leavers update centrally
Limits and Nuances
- Managed outside the site: membership is governed in Entra, not the site
- Visibility: site owners may not see who is inside an Entra group
- Different from SharePoint groups: one is directory-wide, one is site-scoped
- Nesting rules: how groups nest affects effective access
- Change latency: membership changes can take time to apply
- Governance needed: broad groups can cause oversharing if misused
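The sketch below is an added example, not code from Microsoft or from this page: it resolves who effectively gets into a site when Entra groups (assigned, nested and dynamic) sit inside SharePoint site groups, and flags grants with a broad audience. All user, group and site names are constructed, and the (attribute, value) rule is a simplified stand-in for Entra's dynamic membership rules.

```python
# Constructed sample directory: none of these names come from a real tenant.
USERS = {
    "ana": {"department": "Finance", "location": "Lisbon"},
    "ben": {"department": "Finance", "location": "Austin"},
    "cho": {"department": "Sales", "location": "Austin"},
    "dev": {"department": "IT", "location": "Lisbon"},
}

# Entra groups: assigned groups list members by hand (users or other groups);
# dynamic groups carry an attribute rule, simplified here to (attribute, value).
ENTRA_GROUPS = {
    "sg-finance": {"rule": ("department", "Finance")},
    "sg-austin": {"rule": ("location", "Austin")},
    "sg-auditors": {"members": ["dev", "sg-finance"]},  # nested Entra group
}

# SharePoint site groups (site-scoped) and the principals nested inside them.
SITE_GROUPS = {
    "Budget Site Members": ["sg-auditors"],
    "Budget Site Visitors": ["sg-austin", "ana"],
}

def expand(principal, seen=None):
    """Return the set of users that a user or Entra group resolves to."""
    seen = set() if seen is None else seen
    if principal in USERS:
        return {principal}
    if principal in seen or principal not in ENTRA_GROUPS:
        return set()  # already visited (cycle) or unknown: adds nothing
    seen.add(principal)
    group = ENTRA_GROUPS[principal]
    if "rule" in group:
        attr, value = group["rule"]
        return {u for u, attrs in USERS.items() if attrs.get(attr) == value}
    users = set()
    for member in group["members"]:
        users |= expand(member, seen)
    return users

def effective_access(site_groups):
    """Map each site group to the users who effectively get in through it."""
    return {name: set().union(*(expand(p) for p in principals))
            for name, principals in site_groups.items()}

def broad_grants(site_groups, limit):
    """Names of site groups whose effective audience exceeds `limit` users."""
    access = effective_access(site_groups)
    return sorted(name for name, users in access.items() if len(users) > limit)

if __name__ == "__main__":
    for name, users in effective_access(SITE_GROUPS).items():
        print(name, sorted(users))
```

Changing a user's department in the sample data changes the site audience without touching SITE_GROUPS, which is the behavior a site owner cannot see from the site's permissions alone.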
Common Questions About Microsoft Entra Groups
What are Microsoft Entra groups?
Microsoft Entra groups are directory-level groups in Microsoft Entra ID, the identity service formerly called Azure Active Directory. They come as security groups, used purely for access, and Microsoft 365 groups, which also back a team site and shared mailbox. In SharePoint, you can grant one of these groups a permission level so everyone in it gets access at once.
How are Entra groups different from SharePoint groups?
An Entra group lives in the central directory and can be used across many sites and Microsoft 365 services, while a SharePoint group lives inside a single site and only organizes permissions there. Entra groups are managed by IT for the whole organization; SharePoint groups are managed by site owners. The two often work together, with an Entra group nested inside a SharePoint group.
What is a dynamic membership group?
A dynamic group is an Entra group whose membership is set by rules against user attributes, such as department or location, rather than maintained by hand. When someone's attributes change, they are added to or removed from the group automatically. Used for SharePoint access, dynamic groups keep permissions aligned with the org chart without anyone updating each site.
Can I use an Entra group to share a site?
Yes. In the sharing or permissions dialog you can add an Entra security group or Microsoft 365 group and assign it a permission level, granting access to all its members. This is the scalable alternative to adding individuals one at a time, since future joiners and leavers are handled by the group rather than by editing the site.
Why might a site owner not see who is in an Entra group?
Because group membership is managed centrally in Entra ID rather than in the site, a site owner may see the group name in the site's permissions but not the full list of people inside it. This is by design for central governance, but it means owners should understand which groups they are granting access to, since the group controls who effectively gets in.
When should I use Entra groups for SharePoint access?
Use them whenever access should follow organizational structure rather than individual names. Greg Zelfond, the consultant behind LookBook 365, recommends granting access through directory groups for departments and roles, so membership is managed once in Entra and reflected everywhere. For small, site-specific arrangements, a SharePoint group or direct permission can still be simpler.