With Microsoft’s introduction of this new feature, Groups can now be added as members of a dynamic group via the Azure Portal.
With this preview, admins can configure dynamic groups with the memberOf attribute in the Azure Portal, Microsoft Graph, and PowerShell.
Points to ponder
- When you add a security groups as a memberOf dynamic groups, only direct members of the security group become members of the dynamic group.
- A mix-up of different types of groups is allowed. The below types of groups can participate in this nesting feature.
- Microsoft 365 Groups
- Security groups
- Groups that are synced from on-premises
Pre-requisites
A user had to satisfy the below criteria to use this feature.
✓ User must possess any of the roles – Global Administrator, Intune Administrator, or User Administrator role.
✓ The Azure AD tenant must possess Azure AD Premium license.
How to use memberOf attribute in a dynamic group
Follow the below steps to make use of the attribute in a dynamic group
- Login to the Azure Portal as an admin with any of the roles mentioned in the previous step
- Navigate to Azure Active Directory -> Groups. Click on ‘New group’
3. Fill in the necessary group details
4. The Group type can be either ‘Security’ or ‘Microsoft 365’
5. Choose Membership type : If you choose a Security group – you have to choose between the Membership types – ‘Dynamic User’ or ‘Dynamic Device’ as applicable. For a ‘Microsoft 365’ Group – you have only one Dynamic option – Dynamic User
6. Select “Add dynamic query”
7. Member Of is not yet supported in the rule builder. So, select Edit to frame the rule in the Rule syntax box
8. Enter the query as applicable and click OK.
To add users part of another group, enter the query as below
user.memberof -any (group.objectId -in [‘groupId1’, ‘groupId2’,…])
To add devices part of another group, enter the query as below
device.memberof -any (group.objectId -in [‘groupId1’, ‘groupId2’,…])
9. Save the dynamic query & Create the group.
View of the created Dynamic Group
The members of the groups included in the dynamic query gets added to the Dynamic Group automatically.
When members are added / removed from the member group, it reflects in the dynamic group as well.
Preview limitations
- An Azure AD Tenant can have only 500 dynamic groups using memberOf attribute.
- Any dynamic group is limited to have a max of 50 member groups.
- When you add a security group as a memberOf dynamic groups, only direct members of the security group become members of the dynamic group.
- Dynamic group rule builder and validate feature are not supported for memberOf at this time.
- You can’t use one memberOf dynamic group to define the membership of another memberOf dynamic group. For example, Dynamic Group A, which has the memberOf B and C in it, cannot be made memberOf Dynamic Group D.
- MemberOf can’t be used with other rules. For example, if we combine the below rules, it will fail.
- A rule that states “dynamic group A should contain members of group B” and
- A rule that states “dynamic group A can contain only users who belong to department ‘Finance’
- MemberOf can’t be used clubbed with other operators.
Reference : Microsoft Documentation : Group membership in a dynamic group
