How to add Group Membership in a Dynamic Group

With Microsoft’s introduction of this new feature, Groups can now be added as members of a dynamic group via the Azure Portal.

With this preview, admins can configure dynamic groups with the memberOf attribute in the Azure Portal, Microsoft Graph, and PowerShell.

Points to ponder

  • When you add a security group to a dynamic group through memberOf, only direct members of the security group become members of the dynamic group.
  • A mix of different group types is allowed. The following types of groups can participate in this nesting feature:
    • Microsoft 365 Groups
    • Security groups
    • Groups that are synced from on-premises

The following criteria must be met to use this feature:

  • The user must hold one of these roles: Global Administrator, Intune Administrator, or User Administrator.
  • The Azure AD tenant must have an Azure AD Premium license.

How to use memberOf attribute in a dynamic group

Follow the steps below to use the attribute in a dynamic group:

  1. Log in to the Azure Portal as an admin with any of the roles listed above.
  2. Navigate to Azure Active Directory -> Groups and click ‘New group’.
  3. Fill in the necessary group details.
  4. Set the Group type to either ‘Security’ or ‘Microsoft 365’.
  5. Choose the Membership type. For a Security group, choose between ‘Dynamic User’ and ‘Dynamic Device’ as applicable. For a ‘Microsoft 365’ group, the only dynamic option is ‘Dynamic User’.
  6. Select “Add dynamic query”.
  7. memberOf is not yet supported in the rule builder, so select Edit to write the rule in the Rule syntax box.
  8. Enter the query as applicable and click OK.

     To add users who are members of another group, enter the query as below:

     user.memberof -any (group.objectId -in ['groupId1', 'groupId2',…])

     To add devices that are members of another group, enter the query as below:

     device.memberof -any (group.objectId -in ['groupId1', 'groupId2',…])

  9. Save the dynamic query and create the group.

View of the created Dynamic Group

The members of the groups included in the dynamic query are added to the dynamic group automatically.

When members are added to or removed from a member group, the change is reflected in the dynamic group as well.

Preview limitations

  • An Azure AD tenant can have only 500 dynamic groups that use the memberOf attribute.
  • Each dynamic group is limited to a maximum of 50 member groups.
  • When you add a security group to a dynamic group through memberOf, only direct members of the security group become members of the dynamic group.
  • The dynamic group rule builder and the validate feature are not supported for memberOf at this time.
  • You can’t use one memberOf dynamic group to define the membership of another memberOf dynamic group. For example, Dynamic Group A, which has memberOf B and C in it, cannot be made memberOf Dynamic Group D.
  • MemberOf can’t be used with other rules. For example, combining the two rules below will fail:
    1. A rule that states “dynamic group A should contain members of group B”, and
    2. A rule that states “dynamic group A can contain only users who belong to department ‘Finance’”.
  • MemberOf can’t be combined with other operators.
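
The portal steps above can also be done through PowerShell. The following is an added example, not code from the original article or from Microsoft: it builds the memberOf rule from a list of group object IDs, enforces the 50-group preview limit before anything is sent, and creates the group. It assumes the Microsoft Graph PowerShell SDK; the helper name `New-MemberOfRule`, the group IDs, the display name and the mail nickname are constructed placeholders.

```powershell
# Added example (not from the article). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Groups) is installed. New-MemberOfRule is a hypothetical helper.
function New-MemberOfRule {
    param(
        [Parameter(Mandatory)] [ValidateSet('user', 'device')] [string] $ObjectType,
        [Parameter(Mandatory)] [string[]] $GroupId
    )
    # Accept only GUIDs so no stray text can end up inside the rule.
    $ids = foreach ($id in $GroupId) {
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref] $guid)) {
            throw "Not a valid group object ID: $id"
        }
        $guid.ToString()
    }
    $ids = @($ids | Sort-Object -Unique)
    # Preview limitation listed above: at most 50 member groups per dynamic group.
    if ($ids.Count -gt 50) {
        throw "Rule lists $($ids.Count) groups; the preview limit is 50."
    }
    $list = ($ids | ForEach-Object { "'$_'" }) -join ', '
    # memberOf cannot be combined with other rules, so this is the whole rule.
    "${ObjectType}.memberof -any (group.objectId -in [$list])"
}

# Constructed sample IDs; replace with the object IDs of the source groups.
$rule = New-MemberOfRule -ObjectType user -GroupId @(
    '11111111-1111-1111-1111-111111111111',
    '22222222-2222-2222-2222-222222222222'
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$params = @{
    DisplayName                   = 'Dyn-MemberOf-Demo'   # placeholder
    MailNickname                  = 'dynmemberofdemo'     # placeholder
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @params

# Membership is evaluated asynchronously, so this list can lag behind creation.
# Only direct members of the source groups are expected to appear.
Get-MgGroupMember -GroupId $group.Id -All | Select-Object Id
```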

Reference : Microsoft Documentation : Group membership in a dynamic group
