Did you try setting up your own nested dynamic group in Azure AD?
Well, you’re not alone. Fortunately, Microsoft announced a feature specifically for dynamic groups using a special attribute.
Note that as of writing this article, this new feature is available in public preview. It is not yet clear when it will be supported in the rule builder.
What is the new dynamic group feature in Azure AD?
Basically, the feature will enable you to create dynamic Azure AD groups based on other pre-existing groups in the directory.
Below is a good representation of how it works:
This makes use of the special memberOf attribute:
This means that apps that weren’t able to read group-based membership can now read the entire membership of new dynamic groups.
You can also use this new feature outside of apps, like when you assign licenses and role-based access control to users.
How to create dynamic nested Azure AD groups
Follow these steps:
- Navigate to your Azure Active Directory first
- Go to the “Groups” page
Create a new group by clicking the new group button:
On the new group creation page:
- Select your preferred group type
- Enter the group’s name and description
- Select either “Dynamic User” or “Dynamic Device” on the membership type
- Click the “Add dynamic query” link below
The attribute I mentioned earlier isn’t in the rule builder yet. Because of that, you need to manually enter the syntax:
- Click the “Edit” button in the rule syntax box
- Copy and paste the syntax below
- Make sure to change the group IDs in the syntax
For user rule syntax:
user.memberof -any (group.objectId -in ['groupId', 'groupId'])
For device rule syntax:
device.memberof -any (group.objectId -in ['groupId', 'groupId'])
If you’re not sure where to find the group ID, it is shown on the page that lists all the groups in the directory:
Current limitations of the new nested group feature
While the feature is in preview, there are some limitations in place such as:
- Up to 500 dynamic groups per Azure AD tenant that use the memberOf attribute (the total dynamic group membership quota is 5,000)
- Up to 50 member groups per dynamic group
- When security groups are added as member groups, a dynamic group with the memberOf attribute only includes their direct members
- Dynamic groups that use the memberOf attribute can’t be used for defining other memberOf dynamic groups
- The memberOf attribute can’t be combined with other rules or with other operators in Azure AD
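Since the rule syntax has to be typed by hand, a small helper that builds the rule from a list of group IDs, and parses an existing rule back into its group IDs for auditing, catches typos before they reach the tenant. This is an added example, not code from the article or from Microsoft; it assumes group object IDs are GUIDs and enforces only the 50-member-group limit listed above (the other limits need directory lookups).

```python
import re
import uuid

# Preview limit from the article: at most 50 member groups per dynamic group.
MAX_MEMBER_GROUPS = 50
SCOPES = ("user", "device")

# Matches the documented rule form: <scope>.memberof -any (group.objectId -in [ ... ])
_RULE_RE = re.compile(
    r"^\s*(user|device)\.memberof\s+-any\s+\(\s*group\.objectId\s+-in\s+\[(.*)\]\s*\)\s*$",
    re.IGNORECASE | re.DOTALL,
)
_ID_RE = re.compile(r"'([^']*)'")


def _check_ids(group_ids):
    """Reject empty lists, too many groups, non-GUID IDs and duplicates (assumed GUID format)."""
    if not group_ids:
        raise ValueError("at least one member group ID is required")
    if len(group_ids) > MAX_MEMBER_GROUPS:
        raise ValueError(f"{len(group_ids)} member groups exceeds the limit of {MAX_MEMBER_GROUPS}")
    seen = set()
    for gid in group_ids:
        try:
            uuid.UUID(gid)
        except (ValueError, AttributeError, TypeError):
            raise ValueError(f"{gid!r} is not a valid group object ID (GUID)") from None
        if gid.lower() in seen:
            raise ValueError(f"duplicate group ID {gid!r}")
        seen.add(gid.lower())


def build_memberof_rule(scope, group_ids):
    """Return the membership rule string for a user or device memberOf dynamic group."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}")
    _check_ids(group_ids)
    quoted = ", ".join(f"'{gid}'" for gid in group_ids)
    return f"{scope}.memberof -any (group.objectId -in [{quoted}])"


def parse_memberof_rule(rule):
    """Return (scope, [group IDs]) from an existing memberOf rule, or raise ValueError."""
    match = _RULE_RE.match(rule)
    if not match:
        raise ValueError("rule is not a memberOf rule of the documented form")
    ids = _ID_RE.findall(match.group(2))
    _check_ids(ids)
    return match.group(1).lower(), ids
```

Running an exported rule through parse_memberof_rule gives the list of source groups whose membership flows into the dynamic group, which is the set to review when the group is used for license or role assignment.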
What do you think of this new preview feature? Feel free to share your thoughts and questions in the comment section.
For inquiries and other concerns, please use the site’s contact page and I’ll get back to you as soon as possible.