ASD's Blueprint for Secure Cloud

Teams Dynamic Security group

This section describes the design decisions associated with Teams Teams Dynamic Security group for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 2 minutes

Dynamic Security Groups are Microsoft Entra ID security groups that are populated based on device and/or user attributes. Dynamic Security Groups can be leveraged to control access to locations, services and features.

The membership of a Dynamic Security Group is updated whenever an attribute of a device or user is modified. If the user/device no longer matches the Group rule, then that user/device is removed. Conversely if a user/device now matches the Group rule, then they are added. When a user is added the Group can be configured so that the added user receives an email notifying them of the addition.

Naming of Dynamic Security groups can be streamlined using a Naming Policy. The Naming Policy ensures that the groups within the environment conform to a standard and their purpose can be easily identified.

Security & Governance

  • None identified


  • None identified


  • None identified


  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra