
Tuesday, 20 May 2025

Entra AAD Security Groups - Remember

Overview: I have lost count of the number of poor Active Directory and Azure Active Directory environments I have encountered.  I don't think I've ever seen a good Active Directory, actually.  Certainly nothing significant over 5k to 15k users.

I'm working with a multinational, and we need to enhance our security measures.  Things are a bit all over the place, with oddly named and inconsistent elements, which is basically the norm for a 300k internal user enterprise with a history of multiple acquisitions.

I've identified a couple of properties that will create a nice hierarchy, but the issue is that I'm using more than the allowed 5k Dynamic AAD Security Groups.  

Summary of how Entra security groups, Microsoft 365 groups, and distribution lists work

Group types to be aware of in Entra

1. Static AAD Security Groups

  • Members have to be added manually, or by automation for anything but the smallest tenants.
  • Static AAD Security groups can be nested (a group can be a member of another group), so a hierarchy can be built from them.

2. Dynamic AAD Security Groups

  • Limited per tenant: up to 5,000 dynamic groups. Updated Oct 2025: 15,000.
  • Membership is computed from an attribute rule, not from other groups: a dynamic group can't contain other groups (no nesting), and each member needs a P1 licence.

3. Distribution AAD Groups

  • Used for email and calendars, not for granting access to resources.
  • Only use distribution lists where users do not have a P1 Entra licence.
  • Simpler and better to use mail-enabled static security groups instead. Caveat: an existing Entra security group can't be converted; a mail-enabled security group is created in Exchange Online (admin center or New-DistributionGroup -Type Security), and its membership is managed there rather than through Microsoft Graph.

4. O365 Groups/Teams Groups called Microsoft 365 Group

  • A Microsoft 365 Group's membership can be seeded from existing O365 groups or AAD Security groups.
  • Owners manage membership themselves within the organisation, so it's not a good idea to hang heavy security on a manually managed team.

Resolution:

I have a whole hierarchy of users within divisions and subdivisions, and I add users statically via automation to their lowest-level AAD Security Group.  Then I can add the child groups.  This gives me multiple groups that have an increasing number of users as we go up the hierarchy.  Additive groups with positive security provide the best options for me.  Stop using Distribution lists and make the AAD Security Groups email-enabled.
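The procedure above (attribute-driven leaf groups, nested into parents so that each level is the union of its children, and mail-enabled instead of using distribution lists), as an added example that is not code from the original post. It uses the ExchangeOnlineManagement module rather than Microsoft Graph because a mail-enabled security group can't be created by converting an existing Entra security group and its membership can't be edited through Graph; both happen in Exchange Online. The group names, the Department attribute used to place users, and the domain contoso.example are assumptions for illustration.

```powershell
# Added example (not from the original post). Builds an additive hierarchy of
# mail-enabled security groups in Exchange Online and checks it is really additive.
# Assumptions: group names, the Department attribute, and the domain below.
# Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$Domain = 'contoso.example'   # assumed accepted domain in the tenant

# Parent -> child groups. Each parent is the union of its children (positive, additive security).
$Hierarchy = @{
    'SG-Corp'         = @('SG-Corp-Finance', 'SG-Corp-Eng')
    'SG-Corp-Finance' = @('SG-Corp-Finance-Tax', 'SG-Corp-Finance-Payroll')
    'SG-Corp-Eng'     = @('SG-Corp-Eng-Platform', 'SG-Corp-Eng-Apps')
}
# Leaf group -> attribute value that selects its users (assumed attribute: Department).
$LeafDepartment = @{
    'SG-Corp-Finance-Tax'     = 'Tax'
    'SG-Corp-Finance-Payroll' = 'Payroll'
    'SG-Corp-Eng-Platform'    = 'Platform'
    'SG-Corp-Eng-Apps'        = 'Apps'
}

function Get-OrCreateMailSecurityGroup {
    param([Parameter(Mandatory)][string]$Name)
    # Idempotent: re-running the script must not create duplicates.
    $g = Get-DistributionGroup -Identity $Name -ErrorAction SilentlyContinue
    if ($g) { return $g }
    New-DistributionGroup -Name $Name -Alias $Name.ToLower() -Type Security `
        -PrimarySmtpAddress "$($Name.ToLower())@$Domain" `
        -Notes 'Managed by automation; do not edit members by hand'
}

function Set-LeafMembers {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Department)
    # Leaf membership is driven from the attribute, so each run re-aligns it with HR data.
    $upns = @((Get-User -Filter "Department -eq '$Department'" -ResultSize Unlimited).UserPrincipalName |
              Where-Object { $_ })
    if (-not $upns) { Write-Warning "No users with Department '$Department'; leaving $Name unchanged"; return }
    # Update-DistributionGroupMember replaces the whole membership (adds and removes in one call).
    Update-DistributionGroupMember -Identity $Name -Members $upns -Confirm:$false
}

function Set-ParentMembers {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string[]]$Children)
    # Parents hold only child groups; users arrive transitively from the leaves.
    Update-DistributionGroupMember -Identity $Name -Members $Children -Confirm:$false
}

function Get-TransitiveUserCount {
    param([Parameter(Mandatory)][string]$Name)
    # Walk nested groups and count distinct users: the number an access decision actually sees.
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $stack = [System.Collections.Generic.Stack[string]]::new()
    $stack.Push($Name)
    while ($stack.Count) {
        $current = $stack.Pop()
        foreach ($m in Get-DistributionGroupMember -Identity $current -ResultSize Unlimited) {
            if ($m.RecipientTypeDetails -like '*Group*') { $stack.Push($m.Identity) }
            else { [void]$seen.Add($m.ExternalDirectoryObjectId) }
        }
    }
    $seen.Count
}

# 1. Create every group in the tree, 2. fill the leaves from the attribute, 3. nest children.
$allNames = @($Hierarchy.Keys) + @($Hierarchy.Values | ForEach-Object { $_ }) | Sort-Object -Unique
foreach ($n in $allNames)            { Get-OrCreateMailSecurityGroup -Name $n | Out-Null }
foreach ($leaf in $LeafDepartment.Keys) { Set-LeafMembers -Name $leaf -Department $LeafDepartment[$leaf] }
foreach ($p in $Hierarchy.Keys)      { Set-ParentMembers -Name $p -Children $Hierarchy[$p] }

# 4. Check the hierarchy is additive: no child may resolve to more users than its parent.
foreach ($p in $Hierarchy.Keys) {
    $pc = Get-TransitiveUserCount -Name $p
    foreach ($c in $Hierarchy[$p]) {
        $cc = Get-TransitiveUserCount -Name $c
        if ($cc -gt $pc) { Write-Warning "$c ($cc users) resolves to more users than its parent $p ($pc)" }
    }
    "$p : $pc users transitively"
}
```

Run it from a scheduled job after each HR feed so the leaves track the attribute; the parents never need touching once nested, and the final check flags any group that has been edited by hand and broken the additive property.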

Alternative option on Email:

Create a Microsoft 365/Teams group, then add the Security groups to the team; the group is mail-enabled out of the box.  This suits a collaboration-type approach or cases where you want to use dynamic groups.  Caveat: adding a security group to a team copies its current members into the team at that moment; later changes to the security group are not synchronised to the team, so the team's membership drifts unless you re-add the group or automate it.

Future Wishes:

If only Entra supported more dynamic AAD Groups per tenant or allowed Dynamic groups to be nested in static AAD groups.