Configure dynamic membership groups with the memberOf attribute in the Azure portal (preview)

Overview

This feature preview in Microsoft Entra ID enables admins to create dynamic membership groups and administrative units that populate by adding members of other groups using the memberOf attribute. Apps that couldn't read group-based membership previously in Microsoft Entra ID can now read the entire membership of these new memberOf groups. Not only can these groups be used for apps but they can also be used for licensing assignments.

Warning

This is a preview feature and isn't intended for production use. The use of this feature comes with limitations that can affect dynamic group processing in the tenant. Review the Preview limitations section before using this feature.

The following diagram illustrates how you could create Dynamic-Group-A with members of Security-Group-X and Security-Group-Y. Members of the groups inside Security-Group-X and Security-Group-Y don't become members of Dynamic-Group-A.

Diagram that shows how the memberOf attribute works.

With this preview, admins can configure dynamic membership groups with the memberOf attribute in the Azure portal, Microsoft Graph, and PowerShell. Security groups, Microsoft 365 groups, and groups that are synced from on-premises Active Directory can all be added as members of these dynamic membership groups. They can also all be added to a single group. For example, the dynamic group could be a security group, but you can use Microsoft 365 groups, security groups, and groups that are synced from on-premises to define its membership.

Prerequisites

You must be at least a User Administrator to use the memberOf attribute to create a Microsoft Entra dynamic group. You must have a Microsoft Entra ID P1 or P2 license for the Microsoft Entra tenant.

Preview limitations

  • This preview should only be used in test environments as it can affect dynamic group processing in the tenant. These limitations are being addressed, and updates will be provided when they're available.
  • Each Microsoft Entra tenant is limited to 500 dynamic groups using the memberOf attribute. The memberOf groups count toward the total dynamic group quota of 15,000.
  • Each dynamic group can have up to 50 member groups.
  • When you add members of security groups to memberOf dynamic membership groups, only direct members of the security group become members of the dynamic group.
  • You can't use one memberOf dynamic group to define the membership of another memberOf dynamic group. For example, Dynamic Group A, with members of group B and C in it, can't be a member of Dynamic Group D.
  • The memberOf attribute can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail.
  • The dynamic group rule builder and validate feature can't be used for memberOf at this time.
  • The memberOf attribute can't be used with other operators. For example, you can't create a rule that states "Members Of group A can't be in Dynamic group B."
  • Users included in memberOf dynamic membership groups might cause slower processing time for your tenant if the tenant has a large number of groups or frequent dynamic membership group updates.
  • Membership of a memberOf dynamic group doesn't automatically update when a child group is deleted or when members are removed from a child group. The affected users or devices remain members of the memberOf dynamic group until the rule is modified.

Get started

This feature is available in the Azure portal, Microsoft Graph, and PowerShell. However, the memberOf attribute isn’t currently supported in the rule builder UI. To use memberOf in the Azure portal, you must define the rule by using the rule editor (advanced syntax).

Create a memberOf dynamic group

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.

  2. Browse to Entra ID > Groups > All groups.

  3. Select New group.

  4. Fill in group details. The group type can be Security or Microsoft 365, and the membership type can be set to Dynamic User or Dynamic Device.

  5. Select Add dynamic query.

  6. MemberOf isn't yet supported in the rule builder UI. Select Edit to write the rule in the Rule syntax box.

    1. Example user rule: user.memberof -any (group.objectId -in ['groupId'])
    2. Example device rule: device.memberof -any (group.objectId -in ['groupId'])

    Note

    Replace 'groupId' with the object ID of the source group whose members you want to include in the dynamic group.

    The two examples are alternatives:

    • Use the user rule when creating a Dynamic user group.
    • Use the device rule when creating a Dynamic device group.

    To include multiple source groups, specify multiple group object IDs. For example:

    user.memberof -any (group.objectId -in ['<groupObjectId1>', '<groupObjectId2>'])
    
  7. Select OK.

  8. Select Create group.
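The same memberOf dynamic user group can be created with the Microsoft Graph PowerShell SDK instead of the portal, which is useful when the source group IDs have to be resolved rather than pasted by hand. This is an added example, not code from the Microsoft Learn article; it assumes the Microsoft.Graph.Groups module is installed, the signed-in account is at least a User Administrator, and the group names Dynamic-Group-A, Security-Group-X and Security-Group-Y are placeholders.

```powershell
# Added example (not from the article): build a memberOf rule from source group
# names and create the dynamic security group through Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Placeholder source groups; for a Dynamic Device group use device.memberof below.
$sourceGroupNames = @('Security-Group-X', 'Security-Group-Y')

# Resolve each name to exactly one object ID; fail closed on missing or duplicate names
# so the rule never silently references the wrong group.
$sourceIds = foreach ($name in $sourceGroupNames) {
    $safeName = $name -replace "'", "''"          # OData escaping for apostrophes
    $found = @(Get-MgGroup -Filter "displayName eq '$safeName'")
    if ($found.Count -ne 1) {
        throw "Expected exactly one group named '$name', found $($found.Count)."
    }
    $found[0].Id
}
$sourceIds = @($sourceIds)

# Preview limit from the article: at most 50 member groups per memberOf dynamic group.
if ($sourceIds.Count -gt 50) {
    throw "memberOf rules support at most 50 source groups; got $($sourceIds.Count)."
}

# Compose the rule in the advanced-syntax form the article shows:
# user.memberof -any (group.objectId -in ['<id1>', '<id2>'])
$idList = ($sourceIds | ForEach-Object { "'$_'" }) -join ', '
$rule = "user.memberof -any (group.objectId -in [$idList])"

# Security group with dynamic membership; rule processing is switched on at creation.
$group = New-MgGroup -DisplayName 'Dynamic-Group-A' -MailNickname 'dynamic-group-a' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

Write-Output "Created $($group.DisplayName) ($($group.Id)) with rule: $rule"
```

Because membership of a memberOf group does not refresh when a child group is deleted or loses members (see Preview limitations), re-run the name resolution periodically and compare the IDs against the group's current MembershipRule to catch stale references.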