How to Pause Membership Processing for Azure AD Dynamic Group Membership

New Pause Processing Toggle Appears in Azure AD Admin Center

A recent Azure AD admin center update for Azure AD dynamic groups allows administrators to pause processing of the membership query that identifies group members. I can’t find any announcement about the change, and it’s not tagged as a preview, but a toggle is there to pause processing (Figure 1) and it works.

Figure 1: Pause processing for an Azure AD dynamic group

Switching the pause processing toggle back to off allows Azure AD to continue processing membership rules. The properties of a dynamic group tell you the current state of processing and when the last membership change happened. Common processing states for Azure AD dynamic groups are:

  • Succeeded: Azure AD has evaluated the membership query and the membership is up to date.
  • Evaluating: Azure AD is currently resolving the membership query to identify group members.
  • Processing: Azure AD is currently processing the membership.
  • Processing error: Azure AD was unable to evaluate the membership query.
  • Updates paused: An administrator has paused updates. The membership remains static until updates resume.
  • Not started: Azure AD has not yet started to evaluate the membership of a dynamic group.

Azure AD reassesses membership as demand on the service allows, with the goal of checking at least once daily. It’s therefore possible that Azure AD will not process changes made to user objects that bring them within the scope of a membership rule for up to 24 hours. My experience is that updates often occur earlier, but it’s wise to set this expectation.
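The toggle in Figure 1 sets the group's membershipRuleProcessingState property (On or Paused) through the Graph, so the same change can be scripted. The function below is an added example, not code from the original post: it pauses or resumes processing for one group with the Microsoft Graph PowerShell SDK, refuses to touch anything that is not a dynamic group, and records the before and after state so the change can be reversed and audited. The function name, the output shape and the placeholder group id are this example's own choices; it needs the Group.ReadWrite.All scope rather than the read-only scopes used by the reporting script.

```powershell
# Added example (not from the original post): pause or resume membership processing
# for one dynamic group via the v1.0 group property membershipRuleProcessingState,
# which is what the admin center toggle sets. Requires Group.ReadWrite.All.
Connect-MgGraph -Scopes Group.ReadWrite.All

function Set-DynamicGroupProcessing {
    # Function name is this example's own choice; SupportsShouldProcess gives -WhatIf/-Confirm
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][ValidateSet('On', 'Paused')][string]$State
    )
    $Group = Get-MgGroup -GroupId $GroupId -Property Id, DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState

    # Guard: only dynamic groups carry a membership rule; refuse anything else
    if ($Group.GroupTypes -notcontains 'DynamicMembership') {
        throw "Group '$($Group.DisplayName)' ($GroupId) is not a dynamic group"
    }
    # Nothing to do if the group is already in the requested state
    if ($Group.MembershipRuleProcessingState -eq $State) {
        Write-Host ("Processing for '{0}' is already {1}" -f $Group.DisplayName, $State)
        return
    }

    $Before = $Group.MembershipRuleProcessingState
    if ($PSCmdlet.ShouldProcess($Group.DisplayName, "Set membership processing to $State")) {
        Update-MgGroup -GroupId $GroupId -MembershipRuleProcessingState $State
        # Read the property back rather than trusting the PATCH succeeded silently
        $After = (Get-MgGroup -GroupId $GroupId -Property MembershipRuleProcessingState).MembershipRuleProcessingState
        [PSCustomObject]@{
            GroupId        = $GroupId
            DisplayName    = $Group.DisplayName
            MembershipRule = $Group.MembershipRule   # keep the rule with the audit record
            Before         = $Before
            After          = $After
            ChangedAtUtc   = (Get-Date).ToUniversalTime()
        }
    }
}

# Usage (placeholder id): freeze a group during a reorganisation, then resume it.
# Set-DynamicGroupProcessing -GroupId '<group object id>' -State Paused -WhatIf
# Set-DynamicGroupProcessing -GroupId '<group object id>' -State Paused
# Set-DynamicGroupProcessing -GroupId '<group object id>' -State On
```

One practical point: while processing is paused, users whose attributes move out of scope are not removed either, so whatever the group confers (licences, app assignments, Conditional Access scope) stays with them. Keep the audit records the function returns and make sure every pause is eventually followed by a resume.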

Reporting Dynamic Membership Updates

To check the current situation with dynamic membership updates, we can use PowerShell to find all the dynamic groups in the tenant and report the timestamp for the last membership update, whether processing is enabled, and the current update status. Here’s how to do the job with the Microsoft Graph PowerShell SDK:

Connect-MgGraph -Scopes Group.Read.All, GroupMember.Read.All
# MembershipRuleProcessingStatus is only exposed by the beta endpoint. Select-MgProfile
# exists in SDK v1.x; with SDK v2 drop this line and call Get-MgBetaGroup instead.
Select-MgProfile Beta
[array]$Groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -All
If (!($Groups)) { 
    Write-Host "No dynamic Azure AD groups found"
    Return
} Else { 
   Write-Host ("Processing {0} dynamic Azure AD groups" -f $Groups.count) }
$Report = [System.Collections.Generic.List[Object]]::new()
$Groups = $Groups | Sort-Object DisplayName
ForEach ($Group in $Groups) {
  $Options = $Group.ResourceProvisioningOptions -join ", "
  # -All so that groups with more than one page (100) of members or owners are counted correctly
  [array]$Members = Get-MgGroupMember -GroupId $Group.Id -All
  [array]$Owners = Get-MgGroupOwner -GroupId $Group.Id -All
  # Fetched per group: the filtered query above fails if this property is requested with it
  $DynamicData = Get-MgGroup -GroupId $Group.Id -Property MembershipRuleProcessingStatus
  $DataLine = [PSCustomObject] @{
    Id              = $Group.Id
    DisplayName     = $Group.DisplayName
    Owners          = $Owners.Count
    Members         = $Members.Count
    ProcessingState = $Group.MembershipRuleProcessingState
    LastUpdate      = $DynamicData.MembershipRuleProcessingStatus.LastMembershipUpdated
    Status          = $DynamicData.MembershipRuleProcessingStatus.Status
    Options         = $Options }
  $Report.Add($DataLine)
}
# Show the report (Figure 2); pipe to Export-Csv instead to keep a record
$Report | Sort-Object DisplayName | Out-GridView

You can see that the code makes a separate Get-MgGroup call for each group to fetch the property holding the membership rule processing status. In my testing, the filtered query that retrieves the set of dynamic groups fails if this property is included in the list of properties to be retrieved. As the Graph X-Ray browser add-on reveals, the Azure AD admin center follows the same two-step flow.

The code also calls the Get-MgGroupOwner and Get-MgGroupMember cmdlets to fetch the set of owners and members for each group. Both cmdlets return directory objects identified by object identifier rather than display name, which is enough to report counts. To report owner names, resolve each identifier with Get-MgUser. See these articles for more information about using the Microsoft Graph PowerShell SDK to work with Azure AD users and Azure AD groups. Figure 2 shows the output of the report.

Figure 2: Reporting Azure AD dynamic groups and their membership status

Dynamic groups with paused membership updates show a last update of 1 January 2000. Two other groups in Figure 2 show 1/1/0001, which is the minimum (default) value of a .NET DateTime. These are old dynamic groups (created in 2017) whose membership hasn't changed since, so no timestamp has been recorded. When a membership change happens, the date will be correct.
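Because LastMembershipUpdated records the last membership change rather than the last evaluation, its age alone says little about whether a group is healthy; the two sentinel dates above need to be recognised and the processing state and status read alongside it. The function below is an added example, not code from the original post: it classifies report rows of the shape produced by the script above, treats 1/1/0001 as "never updated", blanks the 1 January 2000 placeholder on paused groups, and flags paused, failed and not-started groups. The function name is this example's choice, and the sample rows are constructed so that it runs offline; in practice pipe $Report from the reporting script into it. The status strings it matches on are the ones shown in the admin center list above, matched loosely because the Graph reports them in its own form.

```powershell
# Added example (not from the original post): classify dynamic-group report rows so
# paused, failed and never-evaluated groups stand out. Function name is this example's own.
function Get-DynamicGroupHealth {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($Row in $Rows) {
        $Last = $Row.LastUpdate
        # 1/1/0001 is [datetime]::MinValue: no membership change has ever been recorded
        $NeverUpdated = ($null -eq $Last) -or ([datetime]$Last -eq [datetime]::MinValue)
        $Paused = ($Row.ProcessingState -eq 'Paused')

        if ($Paused) {
            $Finding = 'Paused: membership frozen, review who it still grants access to'
        } elseif ($Row.Status -match 'error|fail') {
            $Finding = 'Processing error: membership rule was not evaluated'
        } elseif ($Row.Status -match 'not\s?started') {
            $Finding = 'Not started: membership has never been evaluated'
        } elseif ($NeverUpdated) {
            $Finding = 'No membership change recorded yet'
        } else {
            $Finding = 'OK'
        }

        # Paused groups carry a placeholder date (1 Jan 2000); do not report it as a real update
        $ShownLast = if ($NeverUpdated -or $Paused) { $null } else { [datetime]$Last }

        [PSCustomObject]@{
            DisplayName     = $Row.DisplayName
            ProcessingState = $Row.ProcessingState
            Status          = $Row.Status
            LastUpdate      = $ShownLast
            Finding         = $Finding
        }
    }
}

# Constructed sample rows (not real tenant data) in the shape the reporting script emits
$SampleRows = @(
    [PSCustomObject]@{ DisplayName = 'Sales Staff';  ProcessingState = 'On';     Status = 'Succeeded';       LastUpdate = [datetime]'2022-03-08T09:14:00Z' }
    [PSCustomObject]@{ DisplayName = 'M&A Freeze';   ProcessingState = 'Paused'; Status = 'Succeeded';       LastUpdate = [datetime]'2000-01-01' }
    [PSCustomObject]@{ DisplayName = 'Legacy 2017';  ProcessingState = 'On';     Status = 'Succeeded';       LastUpdate = [datetime]::MinValue }
    [PSCustomObject]@{ DisplayName = 'Broken Rule';  ProcessingState = 'On';     Status = 'ProcessingError'; LastUpdate = [datetime]'2022-01-20' }
)

# Usage: with live data replace $SampleRows by $Report from the script above
Get-DynamicGroupHealth -Rows $SampleRows | Sort-Object Finding | Format-Table -AutoSize
```

Anything other than OK is worth a ticket: a paused or failed group keeps whatever membership it had when processing stopped, so people who have since left scope retain the access the group grants.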

Dynamic Groups and Dynamic Distribution Lists

Azure AD dynamic groups and dynamic distribution lists are very different objects, but some people confuse the two or believe that the two objects are roughly the same. Apart from the requirement to have Azure AD Premium P1 licenses for Azure AD dynamic groups, the three biggest differences are:

  • Dynamic distribution lists don’t exist in Azure AD. They are an Exchange object.
  • Dynamic distribution lists support a wider set of member objects (any mail-enabled recipient).
  • Dynamic distribution lists support a wider set of properties for building custom membership filters (queries).

See this article for more information about the differences between the two types of dynamic group.

Dynamic Restrictions

Because of the processing load required to evaluate and process group membership, Azure AD restricts the number of dynamic groups and dynamic administrative units combined per tenant to 5,000. In December 2021, Microsoft changed the way that Exchange Online evaluates membership of dynamic distribution lists in a similar attempt to save resources.

Reasons for Disabling Membership Processing

Although I appreciate Microsoft adding the extra flexibility of pausing membership processing, I'm struggling to find a good use case. One might be a merger and acquisition scenario where the directory is in a state of flux and you want dynamic group memberships to stay consistent for a period. Remember that a paused group stops removing members as well as adding them, so anyone who has moved out of scope keeps whatever access the group grants until processing resumes. Apart from the M&A case, I don't know why Microsoft introduced the feature. However, it's here now and available if you need it.

Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

5 Replies to “How to Pause Membership Processing for Azure AD Dynamic Group Membership”

  1. As you mentioned, the purpose of pausing dynamic membership processing is unclear, it would be better if you were able to pause the processing then be able to perform a what-if query similar to that of conditional access… that would make this useful in the case of organisational structure changes or mergers.

  2. Great script. It is exactly what I am looking for. However, I never get results. The gridview output will not show up. Once I run the script, I can select $Results and the correct information is scrolled on the output, but I cannot get the gridview that is sorted. I suspect that I am missing one little piece but for the life of me cannot determine what that would be. Any ideas?

    1. If the $Report is populated with data, you should be able to sort the data and pipe to the Out-GridView cmdlet with a command like:

      $Report | Sort-Object DisplayName | Out-GridView

      Does that not work?

  3. Thank you! I now get results, but one output for each group (I have 102 dynamic groups). I'll work through what I have to get it all in one window. This will help us with monitoring our dynamic groups' status.

    1. It’s PowerShell, so you can do what you like with the code to extend it or amend it to fit your circumstances. I try to explain the principle and leave detailed implementations to those who need a solution.
