Last Updated on July 27, 2023
Did you try setting up your own nested dynamic group in Azure AD?
Well, you’re not alone. Fortunately, Microsoft announced a feature specifically for dynamic groups using a special attribute.
Note that as of the writing of this article, this feature is in public preview. It is not yet clear when it will be added to the rule builder.
What is the new dynamic group feature in Azure AD?
Basically, the feature will enable you to create dynamic Azure AD groups based on other pre-existing groups in the directory.
Below is a good representation of how it works:

This makes use of the special attribute:
memberOf
This means that apps that previously couldn't read nested group membership can now read the entire membership of these new dynamic groups.
You can also use this new feature outside of apps, like when you assign licenses and role-based access control to users.
How to create dynamic nested Azure AD groups
Follow these steps:
- Navigate to your Azure Active Directory first
- Go to the “Groups” page

Create a new group by clicking on its button:

On the new group creation page:
- Select your preferred group type
- Enter the group’s name and description
- Select either “Dynamic User” or “Dynamic Device” on the membership type
- Click the “Add dynamic query” link below

The attribute I mentioned earlier isn't in the rule builder yet, so you need to enter the rule syntax manually:
- Click the “Edit” button in the rule syntax box
- Copy and paste the syntax below
- Make sure to change the group IDs in the syntax

For user rule syntax:
user.memberof -any (group.objectId -in ['groupId', 'groupId'])
For device rule syntax:
device.memberof -any (group.objectId -in ['groupId', 'groupId'])
If you’re not sure where to find the group ID, it’s readily shown on the page that shows all the groups in the directory:

Current limitations of the new nested group feature
While the feature is in preview, there are some limitations in place such as:
- Up to 500 dynamic groups per Azure AD tenant that use the memberOf attribute (the total dynamic group quota is 5,000)
- Up to 50 member groups per dynamic group
- Dynamic groups with the memberOf attribute can only have security groups as their direct member groups (the groups you add to the dynamic group must be security groups)
- Dynamic groups that use the memberOf attribute can’t be used for defining other memberOf dynamic groups
- The memberOf attribute can’t be used with other rules in Azure AD as well as with other operators
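The rule syntax above and these preview limits can be applied together from Microsoft Graph PowerShell. The script below is an added example, not code from the original article or from Microsoft: it builds the memberOf rule, checks each source group against the limits listed here before creating the group, and assumes the Microsoft.Graph.Groups module is installed, Connect-MgGraph has been run with Group.ReadWrite.All, and the group names and IDs are placeholders you replace with your own.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph.Groups
# is installed and Connect-MgGraph has been run with Group.ReadWrite.All.
function New-MemberOfRule {
    param(
        [Parameter(Mandatory)][string[]] $SourceGroupIds,
        [ValidateSet('user', 'device')][string] $Scope = 'user'
    )
    # Preview limit: at most 50 member groups per memberOf dynamic group
    if ($SourceGroupIds.Count -gt 50) {
        throw "A memberOf dynamic group supports at most 50 member groups."
    }
    foreach ($id in $SourceGroupIds) {
        # Reject anything that is not a GUID so a typo does not silently yield an empty group
        if (($id -as [guid]) -eq $null) {
            throw "Not a valid group object ID: $id"
        }
        $g = Get-MgGroup -GroupId $id -Property Id,DisplayName,SecurityEnabled,MembershipRule
        # Preview limit: only security groups may be direct member groups
        if (-not $g.SecurityEnabled) {
            throw "$($g.DisplayName) is not a security group and cannot be nested with memberOf."
        }
        # Preview limit: a memberOf dynamic group cannot be used to define another one
        if ($g.MembershipRule -match 'memberof') {
            throw "$($g.DisplayName) is itself a memberOf dynamic group and cannot be nested."
        }
    }
    $list = ($SourceGroupIds | ForEach-Object { "'$_'" }) -join ', '
    return "$Scope.memberof -any (group.objectId -in [$list])"
}

# Placeholder IDs: replace with the object IDs of your own security groups
$sources = @('00000000-0000-0000-0000-000000000001',
             '00000000-0000-0000-0000-000000000002')
$rule = New-MemberOfRule -SourceGroupIds $sources -Scope 'user'

# Placeholder names; the rule is entered exactly as it would be in the portal's syntax box
$group = New-MgGroup -DisplayName 'Example-Nested-Dynamic' `
    -Description 'Users who are members of the listed security groups' `
    -MailEnabled:$false -MailNickname 'example-nested-dynamic' -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Membership is evaluated asynchronously; confirm the rule was stored and is processing
Get-MgGroup -GroupId $group.Id -Property DisplayName,MembershipRule,MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Because the source groups are resolved by object ID at creation time, re-run the checks whenever you add a source group later; the portal does not validate the memberOf limits for you while the feature is in preview.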
What do you think of this new preview feature? Feel free to share your thoughts and questions in the comment section.
For inquiries and other concerns, please use the site’s contact page and I’ll get back to you as soon as possible.
Thanks, a lot of information. Good job.
Hi, how do I create a child group in an Azure AD group?
You can create nested groups with Azure AD Dynamic Groups. Within your dynamic query, you can create a user rule like this: user.memberof -any (group.objectId -in ['groupId', 'groupId']).
Thanks for this explanation. I am stumped on a calendaring issue catalyzed by the coming deprecation of Exchange Online Public Folders. We need to migrate Public Folders to 365 Groups while retaining the nested hierarchies that currently exist. For example, currently in Public Folders, being a member of Calendar A in Outlook also means you have access to Calendar A-1, A-2, etc. In theory, if I was to set up the target child groups as Dynamic 365 Groups, then migrate each Public Folder to its new corresponding Dynamic 365 Group, would the calendars retain their hierarchy post-migration? So that…