Using the new Azure AD Dynamic Groups memberOf Property

As you may already be aware, Azure AD Dynamic Groups are available within Azure Active Directory. These groups are populated automatically based on user properties such as Country, Department, Job Title and many other attributes.

On 3 June 2022 Microsoft released a new capability that lets you build dynamic groups from the members of other groups, using the memberOf attribute. For example, you can create Dynamic-Group-A whose members are the members of Security-Group-X and Security-Group-Y.

This is a real advantage for cloud features that don't support nested groups (which I wouldn't encourage you to use anyway). Instead of a group that nests other groups, you use a dynamic query rule that pulls the direct members of those other groups into one flat group, as shown in the image below.

Any group type is supported with this new functionality (Security & Microsoft 365); there are, however, currently a few limitations:

  • Your tenant is limited to 500 dynamic groups that use the memberOf attribute.
  • Each dynamic group can have up to 50 memberOf statements in its dynamic rule syntax.
  • Only direct members of the included groups are added (members of groups nested inside them are not).
  • You can't combine memberOf with other dynamic rules (e.g. memberOf a group and Country equals Netherlands).
  • You can't use the rule builder or the validation feature for memberOf today.
  • You can't use other operators with memberOf (e.g. you cannot write a rule stating that members of group A must not be in Dynamic group B).

Now we know the limitations, let’s check how this feature works!


Creating the new Azure AD Dynamic Group with memberOf statement

Before we configure this new feature, let's pick three groups to include in the memberOf statement. In this example I will use:

  • All French Users (Type Dynamic Security group).
  • All Dutch Users (Type Assigned Security group).
  • All UK Users (Type Assigned Microsoft365 group).

In my example each group contains one member:

1. Johny Bravo within the ‘All UK Users’ group.

2. Cow and Chicken within the ‘All Dutch Users’ group.

3. Donald Duck within the ‘All French Users’ group.

Now let’s create a new group within the Azure AD with the following properties:

  • Group type: Security
  • Group name: All Users in Europe
  • Group description: This group dynamically includes all users from the EU country groups
  • Membership type: Dynamic User

Once finished hit ‘Add dynamic query’.

In the new pane on the right, hit 'Edit' to edit the Rule Syntax manually (the memberOf property cannot be selected from the Property drop-down today).

In the Rule Syntax editor, enter the following rule:

user.memberof -any (group.objectId -in ['44a9a91b-a516-48f9-8b17-2bc82f6e4a94', '77303eb7-c9a2-4622-b3ca-7c6865620cbb', 'e27129bc-c041-4ba7-9fee-06ae22d147bd'])

The three IDs are the Object IDs of the groups whose members you want in this dynamic security group. Make sure each ID is wrapped in plain (straight) single quotes; a curly quote pasted from a web page or a document will make the rule fail validation.

NOTE: As mentioned earlier, only direct members of the included groups are added; members of groups nested inside them are not. If you want those members as well, add the nested groups to your memberOf statement too.

Once you’ve determined your rule syntax, please hit ‘Save’.

And hit ‘Create’ again to create the group!

Now verify the group has been created successfully.

Then wait for the dynamic group to be processed. This is usually nearly instant, but with extensive rules and large memberships it can take up to 2.5 hours.

After a few minutes you will see that the new group 'All Users in Europe' has three members, each a direct member of one of the groups in the memberOf statement.
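The same procedure, scripted. The following PowerShell is an added example written for this post, not code from the original article or from Microsoft. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups) to resolve the three source groups by display name, build the memberOf rule with straight single quotes, create the 'All Users in Europe' group, and then check the resulting membership against the union of the direct user members of the source groups, warning about any group nested inside a source group because the rule will not expand it. The group display names, the mailNickname and the 2.5-hour wait are assumptions taken from this post.

```powershell
# Added example (not from the original post): create the "All Users in Europe"
# dynamic group with the Microsoft Graph PowerShell SDK instead of the portal,
# then verify that only the DIRECT members of the source groups were picked up.
# Assumptions: the Microsoft.Graph.Groups module is installed and the three
# source groups exist with the display names used in the post. The display
# names, mailNickname and the 2.5 h deadline are illustrative.

Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All", "GroupMember.Read.All"

$sourceGroupNames = @("All French Users", "All Dutch Users", "All UK Users")

# Resolve the source groups to object IDs; fail loudly on a missing or ambiguous name.
$sourceGroups = foreach ($name in $sourceGroupNames) {
    $hits = @(Get-MgGroup -Filter "displayName eq '$($name.Replace("'", "''"))'")
    if ($hits.Count -ne 1) { throw "Expected exactly one group named '$name', found $($hits.Count)" }
    $hits[0]
}

# Limitation from the post: at most 50 memberOf statements per rule.
if ($sourceGroups.Count -gt 50) { throw "memberOf rules support at most 50 groups" }

# Build the rule with plain ASCII single quotes. Curly quotes pasted from a web
# page or a Word document are rejected by the rule validator.
$idList = ($sourceGroups | ForEach-Object { "'$($_.Id)'" }) -join ", "
$rule = "user.memberof -any (group.objectId -in [$idList])"

$group = New-MgGroup -DisplayName "All Users in Europe" `
    -Description "This group dynamically includes all users from the EU country groups" `
    -MailEnabled:$false -MailNickname "AllUsersInEurope" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Wait for the first membership evaluation (usually quick, but it can take hours).
$deadline = (Get-Date).AddHours(2.5)
do {
    Start-Sleep -Seconds 30
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
} while ($members.Count -eq 0 -and (Get-Date) -lt $deadline)

# Expected membership = union of the DIRECT user members of each source group.
# Any group object nested inside a source group is reported, because its
# members will NOT be expanded by the memberOf rule.
$expected = @{}
foreach ($g in $sourceGroups) {
    foreach ($m in @(Get-MgGroupMember -GroupId $g.Id -All)) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.user') {
            $expected[$m.Id] = $true
        } elseif ($type -eq '#microsoft.graph.group') {
            Write-Warning "$($g.DisplayName) contains nested group $($m.Id); its members will not be included. Add it to the rule explicitly."
        }
    }
}

$actual = @{}
foreach ($m in $members) { $actual[$m.Id] = $true }

$missing = $expected.Keys | Where-Object { -not $actual.ContainsKey($_) }
$extra   = $actual.Keys   | Where-Object { -not $expected.ContainsKey($_) }

"Rule: $rule"
"Members after evaluation: $($actual.Count) (expected $($expected.Count))"
if ($missing) { Write-Warning "Not (yet) in the dynamic group: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Unexpected members: $($extra -join ', ')" }
```

The membership comparison is the check worth keeping around: if a source group later gains a nested group, the warning tells you that those users silently fall outside the dynamic group until you add the nested group to the rule yourself.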

We can now use this group to apply configuration and settings in Azure AD, Endpoint Manager and any other tool or feature that can consume Azure AD security groups.


Conclusion

The new memberOf statement in dynamic groups lets you easily create a group whose direct members are 'sourced' from other groups. This is especially helpful for features that don't support nested groups, and we probably shouldn't expect those features to gain nested-group support now that memberOf in dynamic groups solves the problem. My advice is to use this functionality in those situations. Once Microsoft reduces the maximum update window for dynamic groups to well below 2.5 hours, I would even advise getting rid of your nested groups altogether and using memberOf in Azure AD dynamic groups instead.

As usual I hope you enjoyed reading this blog post and it was valuable to you, please stay tuned for some more new blogs about new Azure AD Groups features which are coming soon! I promise they will be worth waiting for! 🙂

23 thoughts on “Using the new Azure AD Dynamic Groups memberOf Property”

  1. Fabian says:

    In the text you have a wrong GUID in the “all UK Users” that doesn't match the screenshots. Is this intended? This is a bit confusing. 🙂

  2. Tony says:

    Can you do the reverse of this? For example, can I make a rule that says “Include all users but NOT members of ‘examplegroupname'”?

  3. Robert Dick says:

    Hi – I've tried to create a rule like this (both by creating a group from scratch and changing an existing assigned group to a dynamic one), but AAD keeps giving me an error without any useful details saying it failed. I wonder if you could take a look at my query and let me know if I've entered it incorrectly?

    user.memberof -any (group.objectId -in ['d1baca1d-a3e9-49db-a0dd-22ceb72b06b3'])

    I believe this is right – I’ve copied the ObjectID from the sub-group and pasted it in as required, enclosed by square brackets and single quotes.

    Robert

    1. Pim Jacobs says:

      Can you make sure the single quotes aren’t copied over with incorrect grammar, copy and pasting could make it ugly.
      Your query statement looks perfect so nothing wrong there as far as I can see.

      1. Here2Help says:

        I had to switch my single quotes to double quotes to create the team, and then change it back for the rule to apply.

  4. Yousef A says:

    When trying to create an exclusion rule (i.e., leave out explicit members of a specific security group), I get the following syntax error:

    "Dynamic membership rule validation error: Wrong property applied.
    Property 'objectId' cannot be applied to object 'Group'"

    My rule syntax is as follows:
    user.memberof -any (group.objectId -notin ['my-group-object-id'])

    Any ideas?

  5. Brian Corbett says:

    hello, nice post, thank you. I have a query about some syntax that is returning “invalid object type”. I am trying to add a memberof clause to an existing query, like this:

    (user.extensionAttribute13 -eq "ABC") or (user.extensionAttribute13 -eq "DEF") or (user.extensionAttribute13 -eq "GHI") or (user.extensionAttribute13 -eq "JKL") or user.memberof -any (group.objectId -in ['abc123'])

    The first bit (i.e. the user.extensionAttribute -eq stuff) works fine on its own. The second bit (i.e. the memberof stuff) works well on its own. But together they throw the error "invalid object type".

    I have tried putting a set of brackets around the last clause but its the same result.

    I wonder if you know where I am going wrong…

    Many thanks,

    Brian

    1. Pim Jacobs says:

      Hi Brian,

      In the limitations it’s mentioned that combining the memberof statement with other operators isn’t supported and won’t work. See below (mentioned on the top of my blog):
      You can’t use other operators with memberOf (i.e. you cannot create a rule which states memberOf group A can’t be in Dynamic group B).

      Hope this helps and let’s hope Microsoft will fix this in a future iteration of Dynamic Groups.

  6. Dale says:

    Hi Pim – Do you know if there is likely to be any support for complex statements coming in the near future, or perhaps have any suggestions for the best way to work around this limitation? I was thinking of using a Power Automate Flow \ Logic App to monitor changes in two Dynamic groups A & B (using user.memberof) and add them to a third group C where users are members of both A & B, seems a bit convoluted if this feature will be improved soon! Thanks

    1. Pim Jacobs says:

      Hi Dale,

      Good question, the best solution right now is the solution you are suggesting (unfortunately)…. I’m not aware of the removal of this limitation, but I’m more than happy to bring this to attention with the product group.

      Sorry I don’t have a better answer for you.

  7. Thomas Geens says:

    From a security perspective it would be dangerous to allow dynamic membership based on NOT being a memberOf. Someone with lesser privileges might then remove a member from another group to allow him to become member of a group with higher privileges 😉
    So there are reasons why the limitations are there I guess.

    1. Pim Jacobs says:

      That totally depends on the scenario, sometimes it doesn’t have anything to do with ‘higher privileges’. I think it’s just not possible today as a query statement but definitely be something which could pop-up in the future.
