Using the new Azure AD Dynamic Groups memberOf Property

As you maybe already are aware of Azure AD Dynamic Groups are available within Azure Active Directory. These groups can be dynamically filled with members based on properties like Country, Department, Job Title and many more attributes.

Since the 3rd of June 2022 Microsoft however has released a new functionality which enables you to create dynamic groups with members of other groups using the memberOf attribute. As example you will be able to create Dynamic-Group-A with the members of Security-Group-X and Security-Group-Y.

This brings in a serious advantage for cloud features which don’t support the use of nested groups (which I would never encourage you to use anyway). This as this feature can replace the use of a group with nested groups, and instead is using a dynamic query rule to get the actual members from these other groups (without nesting these groups), which is shown in the image below.

With this new functionality any group type is supported (Security & Microsoft 365), there currently are however a few limitations:

  • Your tenant is currently limited to 500 dynamic groups which can leverage the memberOf attribute.
  • Each dynamic group can have up to 50 memberOf statements in the memberOf dynamic rule syntax.
  • Only direct members of the included security group are included (so members of nested groups aren’t added).
  • You can’t combine the memberOf with other dynamic rules (i.e. memberOf when Country equals Netherlands).
  • You can’t use the rule builder and validation feature today for the memberOf feature in dynamic groups.
  • You can’t use other operators with memberOf (i.e. you cannot create a rule which states memberOf group A can’t be in Dynamic group B).

Now we know the limitations, let’s check how this feature works!

Creating the new Azure AD Dynamic Group with memberOf statement

Now before we configure this new feature, let’s grab 3 different groups which we want to include in de memberOf statement in this example. For that, I will use three groups:

  • All French Users (Type Dynamic Security group).
  • All Dutch Users (Type Assigned Security group).
  • All UK Users (Type Assigned Microsoft365 group).

Each group contains one member in my example which is:

1. Johny Bravo within the ‘All UK Users’ group.

2. Cow and Chicken within the ‘All Dutch Users’ group.

3. Donald Duck within the ‘All French Users’ group.

Now let’s create a new group within the Azure AD with the following properties:

  • Group type: Security
  • Group name: All Users in Europe
  • Group description: This group dynamically includes all users from the EU country groups
  • Membership type: Dynamic User

Once finished hit ‘Add dynamic query’.

In the new pane on the right hit ‘Edit’ to edit the Rule Syntax (this as the memberOf property can’t be selected as a Property today).

In the Rule Syntax edit please fill in the following ‘Rule Syntax’:

user.memberof -any (group.objectId -in [’44a9a91b-a516-48f9-8b17-2bc82f6e4a94′, ‘77303eb7-c9a2-4622-b3ca-7c6865620cbb’, ‘e27129bc-c041-4ba7-9fee-06ae22d147bd’])

This whereby the three ID’s mentioned are the ObjectID’s of the groups which you want to include as members in this dynamic security group.

NOTE: As mentioned earlier only direct members of the included groups are include, so members of nested groups aren’t added. If you want to add these members as well include these nested groups into your memberOf statement as well.

Once you’ve determined your rule syntax, please hit ‘Save’.

And hit ‘Create’ again to create the group!

Now verify the group has been created successfully.

And wait until the dynamic group has been updated, this should be nearly instant, but with extensive rules and members it can take up to a maximum 2,5 hours.

After a few minutes you will see that the new group ‘All users in Europe’ has three members which are a direct member of the included groups in the memberOf statement.

We can now use this group to apply configuration & settings in the Azure AD, Endpoint Manager and all other tools & features in the Azure AD which are able to use Security Groups from the Azure AD.


The new memberOf statement in dynamic groups allows you to easily create a group with direct members being ‘sourced’ from other groups. This is especially helpful when it comes to features which don’t support the use of nested groups. We probably shouldn’t expect these functionalities to support the use of nested groups this as the memberOf functionality in dynamic groups solves this issue for you. My advice for you would be to use this functionality for these circumstances and once Microsoft has reduced the maximum update window for Dynamic Groups to a lower amount as 2,5 hours I would even advice you to get rid of your nested groups and instead use the memberOf functionality in Azure AD Dynamic groups.

As usual I hope you enjoyed reading this blog post and it was valuable to you, please stay tuned for some more new blogs about new Azure AD Groups features which are coming soon! I promise they will be worth waiting for! 🙂

19 thoughts on “Using the new Azure AD Dynamic Groups memberOf Property

  1. Fabian says:

    In the text you have a wrong GUID in the “all UK Users” that dosent meet the screenshots. is this intended?. This is a bit confusing. 🙂


  2. Tony says:

    Can you do the reverse of this? For example, can I make a rule that says “Include all users but NOT members of ‘examplegroupname'”?


  3. Robert Dick says:

    Hi – I’ve tried to create a rule like this (both by creating a group from scratch and changing an existing assigned group to a dynamic one, but AAD keeps giving me an error without any useful details saying it failed. I wonder if you could take a look at my query and let me know if I’ve entered it incorrectly?

    user.memberof -any (group.objectId -in [’d1baca1d-a3e9-49db-a0dd-22ceb72b06b3′])

    I believe this is right – I’ve copied the ObjectID from the sub-group and pasted it in as required, enclosed by square brackets and single quotes.



    1. Pim Jacobs says:

      Can you make sure the single quotes aren’t copied over with incorrect grammar, copy and pasting could make it ugly.
      Your query statement looks perfect so nothing wrong there as far as I can see.


  4. Yousef A says:

    When trying to create an exclusion rule (i.e., leave out explicit members of a specific security group), I get the following syntax error:

    “Dynamic membership rule validation error: Wrong property applied.
    Property ‘objectId’ cannot be applied to object ‘Group'”

    My rule syntax is as follows:
    user.memberof -any (group.objectId -notin [‘my-group-object-id’])

    Any ideas?


  5. Brian Corbett says:

    hello, nice post, thank you. I have a query about some syntax that is returning “invalid object type”. I am trying to add a memberof clause to an existing query, like this:

    (user.extensionAttribute13 -eq “ABC”) or (user.extensionAttribute13 -eq “DEF”) or (user.extensionAttribute13 -eq “GHI”) or (user.extensionAttribute13 -eq “JKL”) or user.memberof -any (group.objectId -in [‘abc123’])

    The first bit (i.e. the user.extensionAttribute -eq stuff) works fine on its own. The second bit (i.e. the memberof stuff) works well on its own. But together they throw the error “invalid object type.

    I have tried putting a set of brackets around the last clause but its the same result.

    I wonder if you know where I am going wrong…

    Many thanks,



    1. Pim Jacobs says:

      Hi Brian,

      In the limitations it’s mentioned that combining the memberof statement with other operators isn’t supported and won’t work. See below (mentioned on the top of my blog):
      You can’t use other operators with memberOf (i.e. you cannot create a rule which states memberOf group A can’t be in Dynamic group B).

      Hope this helps and let’s hope Microsoft will fix this in a future iteration of Dynamic Groups.


  6. Dale says:

    Hi Pim – Do you know if there is likely to be any support for complex statements coming in the near future, or perhaps have any suggestions for the best way to work around this limitation? I was thinking of using a Power Automate Flow \ Logic App to monitor changes in two Dynamic groups A & B (using user.memberof) and add them to a third group C where users are members of both A & B, seems a bit convoluted if this feature will be improved soon! Thanks


    1. Pim Jacobs says:

      Hi Dale,

      Good question, the best solution right now is the solution you are suggesting (unfortunately)…. I’m not aware of the removal of this limitation, but I’m more than happy to bring this to attention with the product group.

      Sorry I don’t have a better answer for you.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s