Create Dynamic User Pilot groups in Microsoft Entra

Author: Aiden Arnkels-Webb
I’m a cybersecurity lead and fractional CISO/CTO helping professional services firms build secure, scalable infrastructure. I share practical solutions and strategic insights on this site—all free, no gatekeeping. For done-with-you or done-for-you implementation, I work with firms through Rootwire.

As IT professionals, we often find the need to push out changes to a small subset of our full user base. Manually maintaining pilot groups with users joining and leaving can create a lot of overhead.

A better way is using Dynamic groups - but how do you segment users cleanly into different groups automatically? How do you avoid capturing Guests, or other non-human user accounts?

The answer is Dynamic queries.

We can use the user.objectId property as our random seed for splitting users into groups. As a GUID, the user.objectId property’s first character will always be between 0-9 or a-f. With 16 different options, each individual character has a 6.25% chance of occurring.

We can use the user.userType property to differentiate between Members of the tenant and Guests. Use user.userType -eq "Member" for tenant members, or user.userType -eq "Guest" for Guests.

user.accountEnabled -eq true ensures we only capture enabled users. Disabled users like leavers are automatically excluded.

(user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")) captures users with a Microsoft 365 Business Premium licence. Change the GUID for servicePlanId to your preferred licence type. A reference for service plan IDs is available here.

Here are the rings I use:

User_Pilot_Ring_1

Dynamic Query:

(user.objectId -startsWith "0") and (user.userType -eq "Member") and (user.accountEnabled -eq true) and (user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled"))

User_Pilot_Ring_2

Dynamic Query:

(user.objectId -match "^[0-4]") and (user.userType -eq "Member") and (user.accountEnabled -eq true) and (user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled"))

User_Pilot_Ring_3

Dynamic Query:

(user.objectId -match "^[0-9]|^[a-b]") and (user.userType -eq "Member") and (user.accountEnabled -eq true) and (user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled"))
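As an added example (not code from the post), the three ring rules above evaluated locally in Python over a constructed set of users, so you can preview who lands in each ring, confirm the Guest/disabled/unlicensed exclusions, and check that the rings nest before creating the groups. The function and field names and the sample users are my own; the service plan ID is the one used in the rules.

```python
import re
from dataclasses import dataclass, field

# Service plan ID from the post's rules (Microsoft 365 Business Premium).
BUSINESS_PREMIUM = "c1ec4a95-1f05-45b3-a911-aa3fa01094f5"

# Each ring's test on the first character of user.objectId, as a regex.
# Ring 1 uses -startsWith "0" in the post, which is "^0" here.
RING_PATTERNS = {
    "User_Pilot_Ring_1": re.compile(r"^0"),
    "User_Pilot_Ring_2": re.compile(r"^[0-4]"),
    "User_Pilot_Ring_3": re.compile(r"^[0-9]|^[a-b]"),
}

@dataclass
class User:
    object_id: str                 # lowercase hex GUID, as Graph returns it
    user_type: str                 # "Member" or "Guest"
    account_enabled: bool
    assigned_plans: list = field(default_factory=list)  # (servicePlanId, capabilityStatus)

def is_in_scope(u, service_plan_id=BUSINESS_PREMIUM):
    """The three filter clauses every ring rule shares: Member, enabled, licensed."""
    licensed = any(pid == service_plan_id and status == "Enabled"
                   for pid, status in u.assigned_plans)
    return u.user_type == "Member" and u.account_enabled and licensed

def ring_members(users, ring):
    """objectIds the ring's dynamic rule would select from the given users."""
    pattern = RING_PATTERNS[ring]
    return [u.object_id for u in users
            if pattern.match(u.object_id.lower()) and is_in_scope(u)]

def expected_share(ring):
    """Share of in-scope users a ring captures: matching first hex digits out of 16."""
    return sum(1 for c in "0123456789abcdef" if RING_PATTERNS[ring].match(c)) / 16

# Constructed sample directory, not real tenant data.
SAMPLE_USERS = [
    User("0a1b2c3d-0000-4000-8000-000000000001", "Member", True, [(BUSINESS_PREMIUM, "Enabled")]),
    User("3f9e8d7c-0000-4000-8000-000000000002", "Member", True, [(BUSINESS_PREMIUM, "Enabled")]),
    User("b7c6d5e4-0000-4000-8000-000000000003", "Member", True, [(BUSINESS_PREMIUM, "Enabled")]),
    User("f1e2d3c4-0000-4000-8000-000000000004", "Member", True, [(BUSINESS_PREMIUM, "Enabled")]),
    User("01234567-0000-4000-8000-000000000005", "Guest", True, [(BUSINESS_PREMIUM, "Enabled")]),
    User("02345678-0000-4000-8000-000000000006", "Member", False, [(BUSINESS_PREMIUM, "Enabled")]),
    User("03456789-0000-4000-8000-000000000007", "Member", True, [(BUSINESS_PREMIUM, "Suspended")]),
]
```

Ring 1 should capture 1/16 of in-scope users, Ring 2 5/16 and Ring 3 12/16, and every Ring 1 member should also be in Rings 2 and 3; if the sets do not nest, a user would be piloted in one ring and then drop out of the next.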
