Anavem
EnglishFrancais
Anavem
Languagefr
How to Create Dynamic Teams in Microsoft Teams with Entra ID Rules

How to Create Dynamic Teams in Microsoft Teams with Entra ID Rules

Set up dynamic Microsoft Teams that automatically manage membership based on user attributes like department, location, and job title using Microsoft Entra ID dynamic group rules.

Evan MaelEvan Mael
March 27, 2026 15 min
mediummicrosoft-teams 8 steps 15 min

Why Use Dynamic Teams in Microsoft Teams?

Dynamic teams in Microsoft Teams automatically manage membership based on user attributes stored in Microsoft Entra ID, eliminating the need for manual user management. When employees join, change roles, or move locations, their team memberships update automatically based on rules you define.

This approach is particularly valuable for organizations with frequent personnel changes, multiple office locations, or project-based team structures. Instead of manually adding and removing users from teams, dynamic membership ensures the right people have access to the right conversations and resources based on their current role and location.

How Do Dynamic Teams Work with Microsoft Entra ID?

Dynamic teams leverage Microsoft 365 groups with dynamic membership rules that query user attributes in Microsoft Entra ID. You can create rules based on department, location, job title, company name, or any other populated user attribute. The system evaluates these rules periodically and updates team membership accordingly.

The process involves creating a dynamic Microsoft 365 group first, then adding Teams functionality to it. This maintains the automatic membership management while providing the full Teams collaboration experience. Processing typically takes 2-24 hours for membership changes to reflect, making it ideal for stable organizational structures rather than rapidly changing project teams.

What Are the Prerequisites for Dynamic Teams?

Dynamic team functionality requires Microsoft Entra ID P1 licenses for all users who will be included in dynamic groups. You'll also need appropriate administrative permissions and properly populated user attributes in your directory. The PowerShell approach offers more control and automation capabilities compared to the web-based admin centers, making it the preferred method for IT professionals managing multiple dynamic teams.

Implementation Guide

Full Procedure

01

Install and Connect Microsoft Graph PowerShell

First, install the Microsoft Graph PowerShell SDK and connect with the required permissions. This gives you programmatic access to create and manage dynamic groups.

# Install Microsoft Graph modules
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Import required modules
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Teams
Import-Module Microsoft.Graph.Users

Connect to Microsoft Graph with the necessary scopes:

# Connect with required permissions
Connect-MgGraph -Scopes "Group.ReadWrite.All","Team.ReadWrite.All","User.Read.All"

Verification: Run Get-MgContext to confirm you're connected and check your permissions.

Pro tip: Save your connection context by running Select-MgProfile -Name "v1.0" to ensure you're using the stable API version.
02

Verify User Attributes in Entra ID

Before creating dynamic rules, verify that your users have the required attributes populated. Dynamic membership rules depend on these attributes being present and accurate.

# Check user attributes for your target users
Get-MgUser -Filter "department eq 'IT'" -Property DisplayName,Department,City,JobTitle | Select-Object DisplayName,Department,City,JobTitle

# Check specific user attributes
Get-MgUser -UserId "user@contoso.com" -Property Department,City,JobTitle,CompanyName

Common attributes used in dynamic rules:

  • user.department - Department name
  • user.city - City location
  • user.jobTitle - Job title
  • user.companyName - Company name
  • user.country - Country

Verification: Ensure at least 2-3 test users have the attributes you plan to use in your dynamic rule.

Warning: Users without the required attributes will not be included in the dynamic group, even if they should be based on your intended criteria.
03

Create the Dynamic Microsoft 365 Group

Create a Microsoft 365 group with dynamic membership rules. This group will automatically include users based on the attributes you specify.

# Define the dynamic group parameters
$groupParams = @{
    DisplayName = "IT-India-Dynamic"
    Description = "Dynamic team for IT users in Indian offices"
    MailEnabled = $true
    MailNickname = "itindiadynamic"
    SecurityEnabled = $false
    GroupTypes = @("Unified", "DynamicMembership")
    MembershipRule = '(user.department -eq "IT") and (user.city -in ["Bengaluru", "Mumbai", "Chennai"])'
    MembershipRuleProcessingState = "On"
}

# Create the dynamic group
$newGroup = New-MgGroup @groupParams
Write-Host "Group created with ID: $($newGroup.Id)"

# Wait for initial provisioning
Start-Sleep -Seconds 30

Common dynamic rule examples:

  • Department-based: (user.department -eq "Sales")
  • Location-based: (user.city -eq "London")
  • Multiple conditions: (user.department -eq "Marketing") and (user.country -eq "United States")
  • Job title pattern: (user.jobTitle -contains "Manager")

Verification: Run Get-MgGroup -GroupId $newGroup.Id to confirm the group was created with dynamic membership enabled.

04

Add Team Functionality to the Dynamic Group

Convert your dynamic Microsoft 365 group into a Teams-enabled group. This creates the team interface while maintaining the dynamic membership.

# Create team from the dynamic group
$teamParams = @{
    GroupId = $newGroup.Id
}

try {
    $newTeam = New-MgTeam @teamParams
    Write-Host "Team created successfully for group: $($newGroup.DisplayName)"
} catch {
    Write-Error "Failed to create team: $($_.Exception.Message)"
}

# Wait for team provisioning
Start-Sleep -Seconds 60

Configure team settings (optional but recommended):

# Update team settings
$teamSettings = @{
    MemberSettings = @{
        AllowCreateUpdateChannels = $true
        AllowDeleteChannels = $false
        AllowAddRemoveApps = $true
        AllowCreateUpdateRemoveTabs = $true
        AllowCreateUpdateRemoveConnectors = $false
    }
    GuestSettings = @{
        AllowCreateUpdateChannels = $false
        AllowDeleteChannels = $false
    }
    MessagingSettings = @{
        AllowUserEditMessages = $true
        AllowUserDeleteMessages = $true
        AllowOwnerDeleteMessages = $true
        AllowTeamMentions = $true
        AllowChannelMentions = $true
    }
}

Update-MgTeam -TeamId $newGroup.Id -BodyParameter $teamSettings

Verification: Check the Teams client or run Get-MgTeam -TeamId $newGroup.Id to confirm the team is accessible.

05

Add Team Owners and Configure Permissions

Add owners to your dynamic team. Owners can manage team settings, channels, and apps, but cannot manually add or remove members due to the dynamic nature.

# Add team owners
$ownerEmails = @("admin@contoso.com", "teamlead@contoso.com")

foreach ($email in $ownerEmails) {
    try {
        $user = Get-MgUser -Filter "userPrincipalName eq '$email'"
        $ownerRef = @{
            "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
        }
        New-MgGroupOwnerByRef -GroupId $newGroup.Id -BodyParameter $ownerRef
        Write-Host "Added owner: $email"
    } catch {
        Write-Warning "Failed to add owner $email : $($_.Exception.Message)"
    }
}

Verify owners and current membership:

# Check group owners
Get-MgGroupOwner -GroupId $newGroup.Id | Select-Object Id, @{Name="Email"; Expression={(Get-MgUser -UserId $_.Id).UserPrincipalName}}

# Check current dynamic membership (may take time to populate)
Get-MgGroupMember -GroupId $newGroup.Id | Select-Object Id, @{Name="Email"; Expression={(Get-MgUser -UserId $_.Id).UserPrincipalName}}

Verification: Owners should appear in the Teams client under team settings, and dynamic members should start appearing within 2 hours.

Pro tip: Add yourself as an owner initially to test and configure the team before it goes live to all dynamic members.
06

Monitor and Validate Dynamic Membership Processing

Dynamic membership processing can take anywhere from a few minutes to 24 hours. Monitor the processing status and validate that the correct users are being added.

# Check membership rule processing status
$group = Get-MgGroup -GroupId $newGroup.Id -Property MembershipRule,MembershipRuleProcessingState
Write-Host "Rule: $($group.MembershipRule)"
Write-Host "Processing State: $($group.MembershipRuleProcessingState)"

# Get current member count
$memberCount = (Get-MgGroupMember -GroupId $newGroup.Id).Count
Write-Host "Current members: $memberCount"

# List all members with their attributes
Get-MgGroupMember -GroupId $newGroup.Id | ForEach-Object {
    $user = Get-MgUser -UserId $_.Id -Property DisplayName,Department,City,JobTitle
    [PSCustomObject]@{
        Name = $user.DisplayName
        Department = $user.Department
        City = $user.City
        JobTitle = $user.JobTitle
    }
} | Format-Table

Test your membership rule syntax:

# Validate rule syntax (create a test group first)
$testRule = '(user.department -eq "IT") and (user.city -in ["Bengaluru", "Mumbai"])'

# Check which users would match your rule
Get-MgUser -Filter "department eq 'IT'" -Property DisplayName,Department,City | 
    Where-Object { $_.City -in @("Bengaluru", "Mumbai") } | 
    Select-Object DisplayName,Department,City

Verification: Compare the users returned by your manual filter with the actual group members. They should match once processing completes.

Warning: If membership processing appears stuck after 24 hours, check your rule syntax and ensure all referenced user attributes exist and are populated.
07

Configure Team Channels and Settings

Set up channels and configure team-specific settings. Since membership is dynamic, focus on creating a structure that works for any user matching your criteria.

# Create additional channels
$channels = @(
    @{ DisplayName = "Projects"; Description = "Project discussions and updates" },
    @{ DisplayName = "Resources"; Description = "Shared resources and documentation" },
    @{ DisplayName = "Announcements"; Description = "Team announcements" }
)

foreach ($channel in $channels) {
    $channelParams = @{
        TeamId = $newGroup.Id
        DisplayName = $channel.DisplayName
        Description = $channel.Description
        MembershipType = "standard"
    }
    
    try {
        New-MgTeamChannel @channelParams
        Write-Host "Created channel: $($channel.DisplayName)"
    } catch {
        Write-Warning "Failed to create channel $($channel.DisplayName): $($_.Exception.Message)"
    }
}

Configure team-wide settings for dynamic membership:

# Set team discovery and joining settings
$discoverySettings = @{
    IsDiscoverable = $true  # Allow users to find the team
    Description = "This is a dynamic team for IT users in Indian offices. Membership is automatically managed based on your Entra ID profile."
}

Update-MgTeam -TeamId $newGroup.Id -BodyParameter $discoverySettings

# List all channels to verify
Get-MgTeamChannel -TeamId $newGroup.Id | Select-Object DisplayName,Description

Verification: Check the Teams client to ensure all channels are visible and the team description explains the dynamic nature to users.

Pro tip: Pin important channels and create a welcome message explaining that membership is automatic based on user attributes.
08

Test and Troubleshoot Dynamic Membership

Test your dynamic team by modifying user attributes and monitoring membership changes. This helps validate your rules and troubleshoot any issues.

# Create a test user or modify existing user attributes
$testUser = "testuser@contoso.com"

# Update user attributes to match your rule
$userUpdate = @{
    Department = "IT"
    City = "Bengaluru"
    JobTitle = "Software Engineer"
}

Update-MgUser -UserId $testUser -BodyParameter $userUpdate
Write-Host "Updated test user attributes"

# Monitor membership changes (check periodically)
function Test-DynamicMembership {
    param($GroupId, $TestUserEmail)
    
    $members = Get-MgGroupMember -GroupId $GroupId
    $testUser = Get-MgUser -Filter "userPrincipalName eq '$TestUserEmail'"
    
    if ($members.Id -contains $testUser.Id) {
        Write-Host "✓ Test user is a member of the dynamic group" -ForegroundColor Green
    } else {
        Write-Host "✗ Test user is not yet a member" -ForegroundColor Yellow
        Write-Host "This is normal - processing can take up to 24 hours"
    }
    
    return $members.Count
}

# Run the test
$memberCount = Test-DynamicMembership -GroupId $newGroup.Id -TestUserEmail $testUser

Common troubleshooting commands:

# Check for processing errors
Get-MgGroup -GroupId $newGroup.Id -Property MembershipRuleProcessingStatus

# Verify rule syntax
$rule = '(user.department -eq "IT") and (user.city -in ["Bengaluru", "Mumbai"])'
Write-Host "Current rule: $rule"

# Check attribute population across your user base
Get-MgUser -Filter "department eq 'IT'" -Property Department,City | 
    Group-Object City | 
    Select-Object Name, Count

Verification: Users matching your criteria should appear in the team within 2-24 hours. Check both the Entra ID group members and the Teams client.

Warning: Attribute changes can take time to propagate. Don't modify rules frequently as each change restarts the processing cycle.

Frequently Asked Questions

How long does it take for dynamic team membership to update in Microsoft Teams?+
Dynamic team membership typically updates within 2-24 hours after user attributes change in Microsoft Entra ID. The initial processing when creating a new dynamic team can take up to 24 hours. Microsoft processes these changes in batches, so immediate updates are not guaranteed. For critical access needs, consider using static teams or hybrid approaches.
Can I convert an existing static Microsoft Teams team to dynamic membership?+
Yes, you can convert existing static teams to dynamic membership by updating the underlying Microsoft 365 group. Use the Update-MgGroup PowerShell command to add DynamicMembership to the GroupTypes array and set your membership rule. However, existing manually-added members will be removed if they don't match the dynamic rule, so plan this conversion carefully.
What user attributes can I use in dynamic team membership rules?+
You can use any populated user attribute from Microsoft Entra ID including department, city, country, jobTitle, companyName, userType, and custom extension attributes. Common examples include user.department -eq 'Sales', user.city -in ['London', 'Paris'], or user.jobTitle -contains 'Manager'. The attribute must be populated for users to be included in the dynamic group.
Do I need special licenses for dynamic teams in Microsoft Teams?+
Yes, dynamic team functionality requires Microsoft Entra ID P1 or P2 licenses for all users who will be included in dynamic groups. Users without these licenses cannot be part of dynamic groups, even if they match the membership rules. Standard Microsoft 365 licenses alone are not sufficient for dynamic membership features.
Can team owners manually add or remove members from dynamic teams?+
No, team owners cannot manually add or remove members from dynamic teams. Membership is controlled entirely by the dynamic rules based on user attributes in Microsoft Entra ID. Owners can still manage team settings, channels, and apps, but membership management is automatic. To add someone manually, you would need to update their attributes or modify the dynamic rule.
Evan Mael
Written by

Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#microsoft-teams#entra-id#powershell

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Configure Suspicious File Blocking in Microsoft Defender Using Intune
tutorial
Cybersecurity

How to Configure Suspicious File Blocking in Microsoft Defender Using Intune

Deep Dive
How to Control Windows Start Menu Shortcuts Using Microsoft Intune
tutorial
Cloud Computing

How to Control Windows Start Menu Shortcuts Using Microsoft Intune

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account