2 Ways to Create Security Group in Azure Portal - Step-by-Step Guide


In this article, we will learn how to create a security group in Azure Portal step by step. We will also look at what a security group is in Azure Portal and Microsoft 365.

Creating security groups in Azure Portal is essential for managing access and safeguarding your resources. Security groups allow administrators to group users, devices, and resources with specific permissions, facilitating a streamlined, secure, and effective management of your Azure environment. In this step-by-step guide, we’ll walk you through how to create a security group in Azure Portal, ensuring optimal security practices along the way.

How to Create Security Group in Azure Portal: Step-by-Step Guide

What is a Security Group in Azure?

A security group in Azure is a collection of rules that controls access to resources by grouping users, devices, or other resources. Each security group can have specific permissions associated with it, which are then applied to the group’s members. By using security groups, organizations can efficiently manage access rights across the Azure platform, reducing administrative overhead while enhancing security and compliance.

Why Use Security Groups in Azure?

Security groups in Azure help to:

  • Centralize Access Management: Easily manage permissions for groups of users and resources.
  • Reduce Errors and Save Time: Avoid repetitive tasks by setting access policies for a group instead of individual users.
  • Improve Security Compliance: Maintain a structured access framework that aligns with compliance standards and data protection policies.

Pre-requisites for Creating Security Groups

Before creating a security group in Azure Portal, ensure you have:

  • Administrator Privileges in your Azure subscription, as creating security groups requires specific permissions.
  • Access to Azure Active Directory (AAD) since security groups are managed within AAD.

Step-by-Step Guide to Create a Security Group in Azure Portal

Let’s go through the detailed steps to create a security group in Azure Portal.

Step 1: Log into Azure Portal

  • Open your web browser and go to the Azure Portal.
  • Sign in with your administrator credentials.

Step 2: Navigate to Azure Active Directory

  • Once logged in, locate Azure Active Directory on the main portal dashboard. If you don’t see it immediately, use the search bar at the top of the page and type in “Azure Active Directory.”
  • Click on Azure Active Directory to open its management section.

Step 3: Access ‘Groups’ Section

  • Inside the Azure Active Directory menu, scroll down and select Groups. This section allows you to view, create, and manage all groups within your organization’s directory.

Step 4: Create a New Security Group

  • At the top of the Groups section, click on the + New Group button to initiate the creation process.

Step 5: Configure Group Settings

  • Group Type: In the new group configuration panel, choose Security for the group type. The “Security” type is used for controlling access to resources.
  • Group Name: Enter a name for your group. This should be descriptive enough to identify the group’s purpose. For example, if the group will manage access for developers, you could name it Developer Security Group.
  • Group Description: Add a brief description to provide more context. This step is optional but useful for clarity, especially if multiple people are managing the directory.
  • Membership Type: Choose a membership type. There are three types available:
    • Assigned: Manually add members to the group.
    • Dynamic User: Automatically adds users to the group based on specific user attributes.
    • Dynamic Device: Automatically adds devices based on certain device attributes.
  • Select Assigned for manual addition of users (we’ll discuss dynamic membership later in this article).

Step 6: Add Members to the Security Group

  • After configuring the group details, you’ll have the option to add members. Click on Members to search and select users you want to add to this security group.
  • Use the search bar to locate specific users or devices, select each one, and click Select.
  • Once all members are added, review the group details and click Create.

Your new security group is now created! This group can now be assigned access permissions across your Azure resources.

Using Security Groups with Azure Resources

Now that your security group is set up, you can assign permissions to Azure resources.

  1. Navigate to the Resource: Go to any resource you want to manage access to, such as a virtual machine, storage account, or application.
  2. Access the ‘Access Control (IAM)’ Section: In the resource’s menu, select Access Control (IAM) to open the permissions settings.
  3. Assign Role to Security Group:
    • Click on + Add and choose Add role assignment.
    • Select the appropriate role (e.g., Contributor, Reader) based on the level of access required.
    • Under Members, choose Select Members and search for the security group you created.
    • Click Save to apply the role assignment.

This process ensures that all members of the security group have the designated permissions for that specific resource.
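The same role assignment can be scripted with Azure PowerShell. The following is an added example, not part of the original article; the resource group name rg-example is a placeholder, and the group name is the one suggested in Step 5.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example. Run Connect-AzAccount first. All names below are placeholders.

$GroupName = 'Developer Security Group'   # group created in the portal steps
$RoleName  = 'Reader'                     # pick the least-privileged role that meets the need
$RgName    = 'rg-example'                 # placeholder resource group

# Display names are not unique in the directory, so refuse to continue
# unless exactly one group matches. Assigning a role to the wrong group
# silently grants access to the wrong people.
$groups = @(Get-AzADGroup -DisplayName $GroupName)
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
}
$group = $groups[0]

# Scope the assignment to a single resource group instead of the subscription.
$scope = (Get-AzResourceGroup -Name $RgName).ResourceId

# Get-AzRoleAssignment also returns assignments inherited from parent scopes,
# so filter to this exact scope before deciding whether one already exists.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope |
    Where-Object { $_.Scope -eq $scope }

if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope |
        Out-Null
}

# Review everything the group can do at this scope, including inherited roles.
Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The final listing is worth reading before closing the session: a broader role inherited from the subscription or a management group shows up there even though it was never assigned on this resource group.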

Best Practices for Managing Security Groups in Azure

Effectively managing security groups in Azure requires planning and regular reviews. Here are some best practices to follow:

  1. Use Descriptive Naming Conventions: Create a clear and consistent naming convention to quickly identify groups and their purposes.
  2. Limit the Number of Members per Group: Avoid adding too many users to a single group. This can complicate access control and reduce security.
  3. Leverage Dynamic Membership: If certain groups need to automatically include users based on attributes (like job role or department), use dynamic user membership to keep groups updated.
  4. Regularly Audit Group Membership: Conduct periodic audits to ensure that group memberships align with current roles and responsibilities.
  5. Remove Inactive or Unused Groups: Regularly review and delete any security groups that are no longer needed. This reduces clutter and potential security vulnerabilities.
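Practices 2, 4 and 5 can be checked with a read-only report. The following is an added example, not part of the original article; the threshold of 50 members and the output file name are assumptions chosen for illustration.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example: read-only audit of security groups. Run Connect-AzAccount first.

$MaxMembers = 50   # assumed review threshold; the article does not give a number

$report = foreach ($g in Get-AzADGroup | Where-Object { $_.SecurityEnabled }) {
    # Direct members only; members of nested groups are not expanded.
    $members = @(Get-AzADGroupMember -GroupObjectId $g.Id)
    # Azure role assignments the group holds in the current subscription only.
    $roles = @(Get-AzRoleAssignment -ObjectId $g.Id)

    $finding = if ($members.Count -eq 0 -and $roles.Count -eq 0) {
        'Unused: no members, no roles'
    } elseif ($members.Count -eq 0) {
        'Empty, but still holds roles'
    } elseif ($members.Count -gt $MaxMembers) {
        "More than $MaxMembers members"
    } elseif ($roles.Count -eq 0) {
        'No Azure roles in this subscription'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Group   = $g.DisplayName
        GroupId = $g.Id
        Members = $members.Count
        Roles   = ($roles.RoleDefinitionName | Sort-Object -Unique) -join ', '
        Finding = $finding
    }
}

# Show only the groups that need a human decision, and keep a copy for the review.
$report | Where-Object { $_.Finding -ne 'OK' } | Sort-Object Finding, Group |
    Format-Table Group, Members, Roles, Finding -AutoSize
$report | Export-Csv -Path 'security-group-audit.csv' -NoTypeInformation
```

Treat the findings as review candidates rather than a delete list: a group with no Azure role in this subscription may still be used in another subscription, in a Conditional Access policy, or for an application assignment. An empty group that still holds roles deserves attention first, because anyone later added to it inherits that access immediately.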

Troubleshooting Common Issues with Security Groups

Creating and managing security groups in Azure may occasionally result in some common issues:

  • Access Denied Errors: If group members face “Access Denied” errors, check if the group is correctly assigned the required permissions in the IAM section of the specific Azure resource.
  • Slow Propagation of Permissions: After assigning permissions, it may take a few minutes for changes to propagate. Log out and log back in if permissions don’t apply immediately.
  • Dynamic Membership Misconfiguration: If dynamic membership rules are not functioning as expected, revisit the attribute rules to confirm they align with user or device properties.

Demo: Create a Security Group in Azure Portal

Log in to the Azure portal, type “Groups” in the search box, and click on Groups. You will see the screen below, which lists all groups of both the Security and Microsoft 365 types.

Steps to create a security group in Azure portal

Click on the “New group” menu.

On the next “New group” creation screen, we need to pass the below parameters:

  • Group type: Select security (there are two options, Security and Microsoft 365).
  • Group name: Enter your group name.
  • Group description: This is an optional parameter.
  • Microsoft Entra roles can be assigned to the group: The default selection is “No”; however, you can switch it to “Yes.” This setting is explained below.
  • Membership type: The default selection is “Assigned.” Other options are “Dynamic User” and “Dynamic Device.” Using this, you can select dynamic or assigned membership for the group. The explanation is given below.
  • Owners: This is an optional parameter. You can select owners for your group.
  • Users: This is an optional parameter. You can select users for your group.
  • Roles: This is an optional parameter. You can assign roles to your group.

Create new group in Azure portal


Microsoft Entra roles can be assigned to the group:

The “Microsoft Entra roles can be assigned to the group” setting allows you to assign administrative roles (like Global Admin, User Admin, etc.) to an entire group rather than individual users. By default, this is set to “No” to prevent unintended access escalation. However, switching it to “Yes” enables you to grant Entra ID (Azure AD) roles to all members of the group, which can simplify permissions management when you need multiple users to have the same admin privileges.

Switch this setting to ‘Yes’ to use this group to assign roles. Once set, the group’s eligibility for role assignment is permanent.

Membership type:

The Membership Type in Azure security groups determines how members are added:

  • Assigned: Members are manually added to the group by an administrator.
  • Dynamic User: Users are automatically added or removed based on specific user attributes (like department or job title), using rules defined by the admin.
  • Dynamic Device: Devices are automatically added or removed based on device attributes (like operating system or location), also based on admin-defined rules.

This flexibility helps manage memberships efficiently, especially in large or constantly changing environments.

Note:

  • If you switch Microsoft Entra roles can be assigned to the group to “Yes,” the “Membership type” will be disabled.

Click on the “Create” button, and then your security group will be created. I can see my security group below:

Create new security group in Azure portal

Now, you can open this security group to assign owners, members, and roles and to perform many other administrative tasks. I cover these in detail in my video demo.

Here, from Azure Portal, we can either create a security type group or a Microsoft 365 type group; there are other types of groups as well, such as a distribution list group and a mail-enabled security group. For this, I have written a separate article; it is recommended to go through my article on various groups in Microsoft 365.

Groups in Microsoft 365: Which Group Type to Use and When

Note:

  • We can also create a security group using the Microsoft 365 admin centre portal explained in the above article.

Create a Security Group Using a PowerShell Script

You can use Azure PowerShell to create a security group in Azure Active Directory (AAD). Here’s the PowerShell command to create a security group:


# Step 1: Connect to Azure (Az.Accounts module)
Connect-AzAccount

# Step 2: Define variables for group creation
$GroupName = "YourSecurityGroupName"
$GroupDescription = "Description for the security group"
$MailNickname = "YourGroupMailNickname" # Required, but does not create an email address for security groups

# Step 3: Create the security group (Az.Resources module)
# -SecurityEnabled is a switch parameter, so it is passed without a value.
# -GroupType is omitted: it accepts "Unified" (Microsoft 365) or "DynamicMembership", not "Security".
New-AzADGroup -DisplayName $GroupName -MailNickname $MailNickname -SecurityEnabled -Description $GroupDescription

Explanation of the Command:

  • Connect-AzAccount: Connects you to your Azure account in PowerShell.
  • New-AzADGroup: Command to create a new group in Azure AD.
    • -DisplayName: The name of the group.
    • -MailNickname: A required parameter, though it doesn’t create an email address for a security group.
    • -SecurityEnabled: A switch that marks the group as a security group. It takes no value.
    • -GroupType: Not passed for a plain security group. It is used to mark a group as "Unified" (a Microsoft 365 group) or "DynamicMembership"; "Security" is not a valid value.
    • -Description: Adds a description to clarify the purpose of the group.

Make sure you have the Az PowerShell module (Az.Accounts and Az.Resources) installed to run these commands, and that you’re signed in with an administrator account or with an account that has permission to create groups in Azure Active Directory.
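The two portal settings explained earlier, “Microsoft Entra roles can be assigned to the group” and “Membership type”, map to parameters of the same cmdlet. The following is an added example, not part of the original article; the group names, mail nicknames and the department value in the rule are placeholders.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example. Run Connect-AzAccount first. All names and the rule are placeholders.

# 1) Role-assignable security group.
#    The flag can only be set at creation and cannot be changed afterwards,
#    and a role-assignable group must use Assigned membership (the portal
#    greys out "Membership type" for the same reason).
$roleGroup = @{
    DisplayName        = 'Helpdesk Admins'
    MailNickname       = 'helpdesk-admins'
    Description        = 'Holds Entra roles; membership is reviewed manually'
    SecurityEnabled    = $true
    IsAssignableToRole = $true
}
$adminGroup = New-AzADGroup @roleGroup

# 2) Dynamic User security group.
#    Members are added and removed by the rule, never by hand, so anyone who
#    can edit the attribute used in the rule can effectively change membership.
$dynamicGroup = @{
    DisplayName                   = 'Engineering Staff (dynamic)'
    MailNickname                  = 'engineering-dynamic'
    Description                   = 'All enabled accounts in Engineering'
    SecurityEnabled               = $true
    GroupType                     = 'DynamicMembership'
    MembershipRule                = '(user.department -eq "Engineering") -and (user.accountEnabled -eq true)'
    MembershipRuleProcessingState = 'On'
}
$engGroup = New-AzADGroup @dynamicGroup

# Read both groups back and confirm the settings that matter for access control.
$adminGroup, $engGroup | ForEach-Object {
    Get-AzADGroup -ObjectId $_.Id |
        Select-Object DisplayName, SecurityEnabled, IsAssignableToRole, GroupType, MembershipRule
}
```

Because the role-assignable flag is permanent, decide before creation whether a group will ever hold Entra roles; a group created without it has to be replaced, not converted.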

Differences Between Security Group and Microsoft 365 Group in Azure

Here’s a comparison table outlining the differences between Security Groups and Microsoft 365 Groups in Azure, including when to use each type, key features, and use cases:

| Feature/Aspect | Security Group | Microsoft 365 Group |
|---|---|---|
| Purpose | Manage access to resources (e.g., apps, files, policies) for users and devices. | Enable collaboration through shared tools like Outlook, SharePoint, Teams, and OneNote. |
| Primary Use Case | Access control for security purposes across Azure and Microsoft resources. | Facilitating collaboration with shared resources (email, files, calendar, Teams) for a specific team or project. |
| Membership Types | Assigned, Dynamic User, Dynamic Device | Assigned, Dynamic User |
| Resource Access | Grants permissions to Azure resources (VMs, databases, apps) but doesn’t include collaboration tools. | Provides access to collaborative tools such as shared mailbox, SharePoint site, calendar, and Planner. |
| Default Configuration | Does not include email or collaboration tools. | Automatically creates an associated Microsoft 365 email and Teams environment. |
| Supported Resources | Azure AD roles, resource access policies, conditional access policies | Microsoft 365 apps and resources (Outlook, Teams, SharePoint, Planner, etc.) |
| Group Type | Security | Microsoft 365 |
| Visibility | Not visible in Microsoft 365 applications | Visible in Microsoft 365 applications, including Outlook and Teams. |
| Ideal For | Managing access policies for apps and resources across Azure or for role assignments in Entra ID. | Teams, departments, or projects that require shared tools for ongoing collaboration and communication. |
| Access to Microsoft 365 Services | No (only access permissions) | Yes (includes email, calendar, SharePoint site, and Teams) |
| Common Scenarios | Granting access to apps, network security groups, or files; controlling device or user access based on policies; assigning Entra roles to groups. | Project teams needing shared email, files, and planning tools; departments needing a central communication and document hub; collaborative groups using Teams or SharePoint. |
| Integration with Microsoft Teams | Not integrated | Integrated; creates a Team in Microsoft Teams if enabled. |
| Dynamic Membership Rules | Supports both users and devices for dynamic group membership. | Only supports users for dynamic membership. |

When to Choose Each Group Type:

  • Choose a Security Group if you need to control resource access, enforce security policies, or apply Azure role-based access.
  • Choose a Microsoft 365 Group if you need a collaborative workspace with email, file sharing, and team communication features.

YouTube Video Demo: Security Groups in Microsoft Azure

Conclusion

Thus, in this article, we have learnt how to create a security group in Azure Portal and what the difference is between a security group and a Microsoft 365 group in Azure Portal and their use cases.

By following this step-by-step guide, you’ve learned how to create a security group in Azure Portal, configure its settings, and assign permissions. Leveraging Azure security groups enhances your organization’s security posture by allowing for centralized and efficient access management across your Azure resources. Whether managing permissions for a handful of users or an entire department, using security groups in Azure can streamline your administrative tasks and improve security compliance.

To further optimize your security setup, explore Azure’s advanced identity and access management tools such as conditional access policies, multi-factor authentication (MFA), and Privileged Identity Management (PIM) for an extra layer of protection. Happy securing!
