Struggling with Entra ID and AD Dynamic Group Limitations? What Are Your Solutions?

Asked By CuriousExplorer42 On

I'm managing user groups across Active Directory (AD), Entra ID, and Microsoft 365, and I'm finding that Entra's dynamic groups fall short in several areas. They can't reference HR data like employee type or hire date, can't check for existing memberships in AD groups, and lack essential features like dry runs, audit trails, and versioning. In previous roles, organizations often filled these gaps with PowerShell scripts or relied on costly Identity Governance and Administration (IGA) platforms. I'm considering creating a lightweight policy engine that integrates HR, AD, and Entra data to evaluate rules and sync results back to various groups with built-in simulations and logging. Is this a common challenge for others, or do dynamic groups and some scripting suffice for most businesses? What tools or strategies do you use?
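As an added illustration (not code from this thread or from any product named in it) of the lightweight policy engine the question describes: a rule that can read HR fields and synced AD group membership, a planner that computes the membership delta as a dry run, and an audit log that records every decision with the rule behind it plus a before/after snapshot of the group. All user names, groups and dates are constructed sample data.

```python
from datetime import date

# Constructed sample inputs (not real tenant data): an HR feed, synced AD
# group membership, and the current membership of an Entra ID group.
HR = {
    "alice": {"employee_type": "FTE", "hire_date": date(2022, 3, 1)},
    "bob":   {"employee_type": "Contractor", "hire_date": date(2024, 9, 15)},
    "carol": {"employee_type": "FTE", "hire_date": date(2025, 6, 1)},
    "dave":  {"employee_type": "FTE", "hire_date": date(2019, 1, 10)},
}
AD_GROUPS = {"AD-Engineering": {"alice", "bob", "dave"}}
ENTRA_GROUPS = {"Eng-FTE-Tenured": {"alice", "bob", "erin"}}  # erin has no HR record


def eng_fte_tenured(user, hr, ad_groups, today):
    """Rule: full-time employee, member of AD-Engineering, hired >= 90 days ago.
    Users missing from the HR feed never qualify (fail closed)."""
    rec = hr.get(user)
    if rec is None:
        return False
    return (rec["employee_type"] == "FTE"
            and user in ad_groups.get("AD-Engineering", set())
            and (today - rec["hire_date"]).days >= 90)


def plan_group(group, rule, hr, ad_groups, entra_groups, today):
    """Compute (adds, removes) for the group without changing anything."""
    current = set(entra_groups.get(group, set()))
    desired = {u for u in set(hr) | current if rule(u, hr, ad_groups, today)}
    return sorted(desired - current), sorted(current - desired)


def reconcile(group, rule, hr, ad_groups, entra_groups, today, audit, dry_run=True):
    """Simulate (default) or apply the delta; every decision is logged with the
    rule that produced it, so a run can be reviewed before and after it is real."""
    adds, removes = plan_group(group, rule, hr, ad_groups, entra_groups, today)
    mode = "dry-run" if dry_run else "apply"
    before = sorted(entra_groups.get(group, set()))
    for user, action in [(u, "add") for u in adds] + [(u, "remove") for u in removes]:
        audit.append({"date": today.isoformat(), "mode": mode, "group": group,
                      "action": action, "user": user, "rule": rule.__name__})
        if not dry_run:
            members = entra_groups.setdefault(group, set())
            (members.add if action == "add" else members.discard)(user)
    # Snapshot membership before/after so each run is a versioned change record.
    audit.append({"date": today.isoformat(), "mode": mode, "group": group,
                  "action": "snapshot", "before": before,
                  "after": sorted(entra_groups.get(group, set()))})
    return adds, removes
```

In a real deployment the in-memory dictionaries would be replaced by the HR export, the synced AD groups and the Graph API membership of the Entra group, with `dry_run=True` as the default so a reviewer signs off on the plan before anything is written back.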

8 Answers

Answered By OldSchoolScripter On

In my last job, we relied on PowerShell. HR provided user data via FTP from ADP, which we processed with PowerShell scripts to manage security groups and log changes. This was then synced to Entra ID. It worked pretty well for us.

Answered By ProjectPessimist On

I agree with the previous points, but I just want to add that creating a custom internal tool might be a bad move. It's likely to generate more technical debt and lead to bigger problems later on.

Answered By SkepticalGamer On

Honestly, I've never faced issues like these. For most needs, versioning and auditing aren't necessary. Plus, you can sync additional fields via AD Connect to improve your dynamic group queries with the extension attributes.

Answered By TechGuru99 On

I think you've got some inaccuracies in your statement. Dynamic groups can actually use data from Directory Extensions, which often includes HR data. They can also check existing AD groups if they've been synced properly.

WorriedDev -

That's true, but only if all the AD groups are synced and the data is in the extension attributes. It can be quite a bit of setup before you can actually leverage it.

Answered By JustHereForAnswers On

I have no clue but I'm definitely following this discussion for more insights!

CuriousExplorer42 -

But do you experience similar issues?

Answered By PracticalAdmin On

We use Netwrix's GroupID, and it might be what you’re looking for. It has features that cover the gaps you're concerned about.

Answered By SolutionsSeeker On

Using PowerShell patches can be a temporary solution until it fails. A lightweight policy engine that merges HR data and has audit logging could really improve your process. Give it a shot; it might solve your problems effectively!

Answered By CautiousEvaluator On

I'm using a couple of extension attributes for this sort of integration. We have Aquera to sync data from ADP to AD, but it's not great and I'd prefer to create a more automated solution myself. If you can't find a suitable tool, you might need to get creative using PowerShell or Azure Automation as long as HR shares their data.

DataMaven -

Why not use Microsoft Identity Manager (MIM) for this?

InquiringMind -

We’re actually looking into Aquera now! What’s it cost?
