As you may already be aware, Azure AD lets you create dynamic groups of users or devices.
Good news: you can now also reference other groups as members of such a dynamic group.
This feature is currently in preview and has a few limitations:
- The MemberOf attribute is not yet available in the query builder; you have to enter the rule manually, using either
user.memberof -any (group.objectId -in ['groupId', 'groupId']) for a user dynamic group
or
device.memberof -any (group.objectId -in ['groupId', 'groupId']) for a device dynamic group
- There is a limit of 500 dynamic groups using the MemberOf attribute, with a member quota of 5000
- Each dynamic group can reference up to 50 other groups
- Only direct members of a security group can become members of the dynamic group
- You can now reference other dynamic groups
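As an added example (not code from this post or from Microsoft), a small Python helper that builds a memberOf rule from a list of group object IDs and checks an existing rule against the limitations listed above: straight quotes rather than the curly ones a copy from a web page produces, the user/device prefix matching the group type, at most 50 referenced groups, and GUID-shaped object IDs. It also flags a memberof clause combined with other clauses, the pattern a commenter below reports failing validation. The GUID used when running it is constructed.

```python
import re
import uuid

MAX_REFERENCED_GROUPS = 50  # per-group cap from the post's limitations

# A memberof clause: <user|device>.memberof -any (group.objectId -in ['id', ...])
CLAUSE_RE = re.compile(
    r"(?P<obj>user|device)\.memberof\s+-any\s+\(\s*group\.objectId\s+-in\s+"
    r"\[(?P<ids>[^\]]*)\]\s*\)", re.IGNORECASE)
ID_RE = re.compile(r"'([^']*)'")
CURLY = str.maketrans("‘’“”", "''\"\"")  # curly quotes as rendered on web pages


def build_memberof_rule(object_type, group_ids):
    """Emit a rule with straight quotes; enforce GUID IDs and the 50-group cap."""
    if object_type not in ("user", "device"):
        raise ValueError("object_type must be 'user' or 'device'")
    if len(group_ids) > MAX_REFERENCED_GROUPS:
        raise ValueError(f"more than {MAX_REFERENCED_GROUPS} referenced groups")
    for gid in group_ids:
        uuid.UUID(gid)  # raises ValueError on anything that is not a GUID
    ids = ", ".join(f"'{gid}'" for gid in group_ids)
    return f"{object_type}.memberof -any (group.objectId -in [{ids}])"


def check_memberof_rule(rule, group_object_type):
    """Return a list of problems found in a memberof rule (empty = looks fine)."""
    problems = []
    if any(ch in rule for ch in "‘’“”"):
        problems.append("curly quotes: retype with straight ' quotes")
    text = rule.translate(CURLY)
    m = CLAUSE_RE.search(text)
    if not m:
        return problems + ["no well-formed memberof clause found"]
    if m.group("obj").lower() != group_object_type:
        problems.append(f"{m.group('obj')}.memberof in a {group_object_type} group")
    # Whatever is left once the memberof clause is cut out is another clause;
    # a commenter on this post reports that such a combination fails to save.
    rest = (text[:m.start()] + text[m.end():]).strip(" ()")
    if rest:
        problems.append("memberof combined with other clauses: " + rest)
    ids = ID_RE.findall(m.group("ids"))
    if len(ids) > MAX_REFERENCED_GROUPS:
        problems.append(f"{len(ids)} groups referenced, cap is {MAX_REFERENCED_GROUPS}")
    for gid in ids:
        try:
            uuid.UUID(gid)
        except ValueError:
            problems.append(f"not an object ID (GUID): {gid}")
    return problems
```

Run check_memberof_rule on a rule pasted from the portal before saving it; an empty list means none of the listed problems were found, not that the tenant will accept it.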
With the memberof syntax, do you know if it’s possible to exclude people who are a member of certain groups?
for example:
user.memberof -any (group.objectid -in [‘GroupA’] -and group.objectid -NotIn [‘GroupB’])
Hi Eric
At this stage it is not possible to have something similar to your example.
This is a preview, so probably for now a limitation of the preview.
In GroupA but not in GroupB is a basic logic operation; please tell us that this capability is coming soon!
I have no idea when or if this will be available
How to create dynamic rule for (NOT IsMemberOf(“XXXXXXX”))
As replied to another comment, this is not available for now
This is a preview feature for now, so this may become available.
Hi Benoit, thanks for your valuable hints.
Say that I want to push an Intune device config profile to the devices of users for which Department = "Marketing" (for example); are you aware of any combination of user.memberof and device.memberof that can address my need?
I am not sure I am trying to breach the recommendation to not mix users and devices in dynamic membership rules.
Thanks in advance,
Nicola
Hi Nicola
With the example you gave (Department = Marketing) you only need one dynamic user group; devices don’t have a Department attribute.
The use of a dynamic group referencing other groups is useful when you have to group users/devices which don’t have a common attribute/value combination except being members of the same other groups.
I am trying to apply this syntax in my dynamic rules, and I keep getting “Failed to save dynamic group. Dynamic membership rule validation error: Invalid object type.”
My syntax is: (user.accountEnabled -eq True) and (user.userType -eq “Member”) and (user.assignedPlans -any (assignedPlan.service -ne “Unassigned” -and assignedPlan.capabilityStatus -eq “Enabled”)) and (user.memberof -any (group.objectId -in [‘omitted-Object-Id’]))
Any ideas? It works fine without the memberof section
device.memberof is an invalid object type for property memberof for me