Membership in a group for a user account can be assigned directly or dynamically using a query based on a tag (key/value pair) that has been labeled on a user.
Membership in a group for a service account can only be assigned directly.
Groups can be used by policies to grant access permissions to the group members.
Refer to the Create a Group guide for additional details.
Each org has the following built-in groups:
|Built-in group for all administrators of the organization
|Built-in group for read-only access
For example, a query can be created to dynamically assign all the users that log in using
microsoft.com by using the built-in tag
To dynamically assign users to a group, a query can be defined which consists of the following:
|Create new groups
|Delete a group
|Modify existing groups
|create, delete, edit, manage, view
Displays the permissions granted to principals for the group.
To view the CLI documentation for groups, click here.