As you may already be aware, Azure AD Dynamic Groups are available within Azure Active Directory. These groups can be filled dynamically with members based on properties such as Country, Department, Job Title and many other attributes.
Since the 3rd of June 2022, however, Microsoft has released new functionality which enables you to create dynamic groups from the members of other groups using the memberOf attribute. As an example, you are able to create Dynamic-Group-A with the members of Security-Group-X and Security-Group-Y.
This brings a serious advantage for cloud features which don’t support the use of nested groups (which I would never encourage you to use anyway). This feature can replace a group with nested groups: instead it uses a dynamic query rule to get the actual members from these other groups (without nesting them), as shown in the image below.
With this new functionality any group type is supported (Security & Microsoft 365). There are, however, currently a few limitations:
- Your tenant is currently limited to 500 dynamic groups which can leverage the memberOf attribute.
- Each dynamic group can have up to 50 memberOf statements in the memberOf dynamic rule syntax.
- Only direct members of the included security group are included (so members of nested groups aren’t added).
- You can’t combine memberOf with other dynamic rules (e.g. memberOf combined with Country equals Netherlands).
- You can’t use the rule builder and validation feature today for the memberOf feature in dynamic groups.
- You can’t use other operators with memberOf (e.g. you cannot create a rule which states that members of group A can’t be in Dynamic group B).
Now we know the limitations, let’s check how this feature works!
Creating the new Azure AD Dynamic Group with memberOf statement
Before we configure this new feature, let’s grab three different groups which we want to include in the memberOf statement for this example. For that, I will use the following three groups:
- All French Users (Type Dynamic Security group).
- All Dutch Users (Type Assigned Security group).
- All UK Users (Type Assigned Microsoft365 group).
In my example each group contains one member:
1. Johny Bravo within the ‘All UK Users’ group.
2. Cow and Chicken within the ‘All Dutch Users’ group.
3. Donald Duck within the ‘All French Users’ group.
Now let’s create a new group within the Azure AD with the following properties:
- Group type: Security
- Group name: All Users in Europe
- Group description: This group dynamically includes all users from the EU country groups
- Membership type: Dynamic User
Once finished hit ‘Add dynamic query’.
In the new pane on the right hit ‘Edit’ to edit the Rule Syntax (the memberOf property can’t be selected as a Property in the rule builder today).
In the Rule Syntax editor, fill in the following ‘Rule Syntax’:
user.memberof -any (group.objectId -in ['44a9a91b-a516-48f9-8b17-2bc82f6e4a94', '77303eb7-c9a2-4622-b3ca-7c6865620cbb', 'e27129bc-c041-4ba7-9fee-06ae22d147bd'])
Here the three IDs are the Object IDs of the groups whose members you want to include in this dynamic security group.
NOTE: As mentioned earlier, only direct members of the included groups are included, so members of nested groups aren’t added. If you want to add those members as well, include the nested groups in your memberOf statement too.
Once you’ve determined your rule syntax, please hit ‘Save’.
And hit ‘Create’ again to create the group!
Now verify the group has been created successfully.
Then wait until the dynamic group has been updated. This should be nearly instant, but with extensive rules and many members it can take up to a maximum of 2.5 hours.
After a few minutes you will see that the new group ‘All Users in Europe’ has three members, which are the direct members of the groups included in the memberOf statement.
We can now use this group to apply configuration & settings in Azure AD, Endpoint Manager and all other tools & features which are able to use Security Groups from Azure AD.
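The same group can be created from the command line instead of the portal. The script below is an added example and not part of the original post; it assumes the Microsoft.Graph.Groups module is installed, that the three source groups exist under the display names used above, and that the signed-in account may create groups.

```powershell
# Added example (not from the original post): create the "All Users in Europe"
# dynamic group with the Microsoft Graph PowerShell SDK instead of the portal.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$sourceGroupNames = @('All French Users', 'All Dutch Users', 'All UK Users')

# Resolve each source group to its object ID; the rule needs IDs, not names.
# Display names are not unique, so refuse to guess when a lookup is ambiguous.
$sourceIds = @(foreach ($name in $sourceGroupNames) {
    $found = @(Get-MgGroup -Filter "displayName eq '$name'" -Property Id,DisplayName)
    if ($found.Count -ne 1) {
        throw "Expected exactly one group named '$name', found $($found.Count)"
    }
    $found[0].Id
})

# Limit from the post: at most 50 memberOf statements per dynamic group.
if ($sourceIds.Count -gt 50) { throw 'memberOf rules support at most 50 groups' }

# Build the rule syntax exactly as it is entered in the portal's Rule Syntax editor.
$quoted = $sourceIds | ForEach-Object { "'$_'" }
$rule = "user.memberof -any (group.objectId -in [$($quoted -join ', ')])"

$group = New-MgGroup -DisplayName 'All Users in Europe' `
    -Description 'This group dynamically includes all users from the EU country groups' `
    -MailEnabled:$false -MailNickname 'AllUsersInEurope' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Whoever can add members to a source group indirectly controls this group's
# membership, so review the owners of the source groups before relying on it.
# Membership is evaluated asynchronously (up to 2.5 hours per the post); check
# the direct members once processing has run.
Start-Sleep -Seconds 60
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```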
The new memberOf statement in dynamic groups allows you to easily create a group whose direct members are ‘sourced’ from other groups. This is especially helpful for features which don’t support the use of nested groups. We probably shouldn’t expect those features to start supporting nested groups, as the memberOf functionality in dynamic groups solves this issue for you. My advice would be to use this functionality in those circumstances, and once Microsoft has reduced the maximum update window for Dynamic Groups to less than 2.5 hours I would even advise you to get rid of your nested groups and use the memberOf functionality in Azure AD Dynamic Groups instead.
As usual I hope you enjoyed reading this blog post and that it was valuable to you. Please stay tuned for more new blogs about new Azure AD Groups features which are coming soon! I promise they will be worth waiting for! 🙂