Azure AD – You can now create dynamic groups referencing other group

As you may be already aware, Azure AD provides a capability to create dynamic groups of users or devices.

Well, good news as now you can also reference other groups to be members of such dynamic group.

image

This feature is currently in preview and there are few limitations:

  • The MemberOf attribute is not yet available in the query builder; you have to manually enter the rule using either

user.memberof -any (group.objectId -in [‘groupId’, ‘groupId’]) for a user dynamic group

or

device.memberof -any (group.objectId -in [‘groupId’, ‘groupId’]) for a device dynamic group

  • There a limit of 500 dynamic groups using the MemberOf attribute with a member quota of 5000
  • Each dynamic group can reference up to 50 other groups
  • Only direct members of a security group can become members of the dynamic group
  • You can now reference other dynamic group

10 thoughts on “Azure AD – You can now create dynamic groups referencing other group”

  1. with the memberof syntax, do you know if it’s possible to exclude people who are a member of certain groups?

    for example:
    user.member of -any (group.objectid -in [‘GroupA’] -and group.objectid -NotIn [‘GroupB’])

    1. Hi Eric

      at this stage this is not possible to have something similar to your example
      this is a preview, so probably for now a limitation for the preview

  2. Hi Benoit, thanks for your valauble hints.

    Say that I want to push an Intune device config profile to the devices of users for which Department =”Marketing” (ex.) , are you aware of any conbination of user.memberof and device.memberof that can address my need?

    I am not sure I am trying to berach teh reccomandation to not mix users and devices, in dynamic membership rules.

    Thanks in advance,

    Nicola

    1. Hi Nicola
      with the example you gave (Department = Marketing) you only need one Dynamic User Group; devices don’t have Department attribute
      The use of dynamic group referencing other group is useful when you have to group users/devices which don’t have a common attribute/value combination except being member of same other groups

  3. I am trying to apply this syntax in my dynamic rules, and I keep getting “Failed to save dynamic group. Dynamic membership rule validation error: Invalid object type.”

    My syntax is: (user.accountEnabled -eq True) and (user.userType -eq “Member”) and (user.assignedPlans -any (assignedPlan.service -ne “Unassigned” -and assignedPlan.capabilityStatus -eq “Enabled”)) and (user.memberof -any (group.objectId -in [‘omitted-Object-Id’]))

    Any ideas? It works fine without the memberof section

Leave a Comment

Your email address will not be published. Required fields are marked *