How to Create ”Nested” Groups With Azure AD Dynamic Groups

How to Create ”Nested” Groups With Azure AD Dynamic Groups

Did you try setting up your own nested dynamic group in Azure AD?

Well, you’re not alone. Fortunately, Microsoft announced a feature specifically for dynamic groups using a special attribute.

Note that as of writing this article, this new feature is available in public preview. Not sure yet when they will have it as a rule builder.

What is the new dynamic group feature in Azure AD?

Basically, the feature will enable you to create dynamic Azure AD groups based on other pre-existing groups in the directory.

Below is a good representation of how it works:

Diagram explaining how nested dynamic groups work

This makes of the special attribute:


This means that apps that weren’t able to read group-based membership can now read the entire membership of new dynamic groups.

You can also use this new feature outside of apps, like when you assign licenses and role-based access control to users.

Sign up for exclusive updates, tips, and strategies

    How to create dynamic nested Azure AD groups

    Follow these steps:

    • Navigate to your Azure Active Directory first
    • Go to the “Groups” page
    Select the group services in Azure Directory

    Create a new group by clicking on its button:

    Click the new group button in Azure Directory

    On the new group creation page:

    • Select your preferred group type
    • Enter the group’s name and description
    • Select either “Dynamic User” or “Dynamic Device” on the membership type
    • Click the “Add dynamic query” link below
    Create a new dynamic Azure AD group

    The attribute I mentioned earlier isn’t in the rule builder yet. Because of that, you need to manually enter the syntax:

    • Click the “Edit” button in the rule syntax box
    • Copy and paste the syntax below
    • Make sure to change the group IDs in the syntax
    Click the edit button in the rule syntax box

    For user rule syntax:

    user.memberof -any (group.objectId -in ['groupId', 'groupId'])

    For device rule syntax:

    device.memberof -any (group.objectId -in ['groupId', 'groupId'])

    If you’re not sure where to find the group ID, it’s readily shown on the page that shows all the groups in the directory:

    Where to find the Object ID for Azure AD Groups

    Current limitations of the new nested group feature

    While the feature is in preview, there are some limitations in place such as:

    • Up to 500 dynamic groups per Azure AD tenant that use the memberOf attribute (total dynamic group member quote is 5,000)
    • Up to 50 member groups per dynamic group
    • Dynamic groups with the memberOf attribute can only have direct members of security groups (when adding security groups to the dynamic group)
    • Dynamic groups that use the memberOf attribute can’t be used for defining other memberOf dynamic groups
    • The memberOf attribute can’t be used with other rules in Azure AD as well as with other operators

    What do you think of this new preview feature? Feel free to share your thoughts and questions in the comment section.

    For inquiries and other concerns, please use the site’s contact page and I’ll get back to you as soon as possible.

    About Ryan Clark

    As the Principal Solutions Architect at Mr. SharePoint, I help companies of all sizes better leverage Modern Workplace and Digital Process Automation investments. I am also a Microsoft Most Valued Professional (MVP) for Office Apps & Services.

    Notify of
    Inline Feedbacks
    View all comments
    Would love your thoughts, please comment.x
    Scroll to Top