How the New “Nested” Dynamic Group Functionality in Azure AD Works

by Grant Shepard
8-minute read

If you’ve ever thought, “why can’t this app see the members of my nested groups,” you’re in good company – we’ve thought the same thing. The good news is that Azure AD’s latest feature is going to make your life (and ours) much easier. As of June, the ability to create nested dynamic groups in Azure AD is in public preview, and it’s worth exploring.

Whether you’re interested in using the new “memberOf” attribute for app assignments or for licensing, there are a few things you should know. Let’s walk through what nested dynamic groups are, how they distribute permissions, access, and licenses in a streamlined way, what their current limitations are, and what to do next.

What Are Nested Dynamic Groups?

This new dynamic group functionality lets Azure Active Directory (AKA “Azure AD”) administrators create nested dynamic groups whose membership is derived from other, existing groups. Assuming you hold the proper role, you can now populate a dynamic group with the members of one or more selected groups by writing a membership rule on the memberOf attribute.  

One of the most practical implications of this feature concerns apps and services that only evaluate direct group membership and never expand nested groups. A memberOf dynamic group flattens the members of its source groups into its own direct members, so those apps now see them. Beyond app assignment, you can use memberOf groups to build nested security groups and for countless other use cases, such as group-based licensing assignments. 

As of now, the memberOf attribute can be used from the Azure portal, PowerShell, and Microsoft Graph. Members can be drawn from several kinds of existing groups, including Microsoft 365 groups, security groups, and on-premises Active Directory groups that are synchronized to Azure AD.  

How Do Nested Dynamic Groups Work?

Before you try out the new memberOf attribute, make sure you have the proper privileges. Only User Administrators, Intune Administrators, or Global Administrators can create groups that use this attribute. Additionally, an Azure AD Premium license is required. 

If you meet these criteria, the first step is to sign in to the Azure portal. Once inside, navigate to the Groups section of Azure Active Directory and click the option to add a new group. You will be asked for the group details and required to select a group type. For this purpose, you can choose either Microsoft 365 or Security.  

While setting up the group, you will also be asked to select a membership type. Choose either Dynamic User or Dynamic Device; the memberOf attribute works with both. Once you make your selection, click “Add dynamic query” to move to the next step. 

The graphical rule builder does not yet support the memberOf attribute, so you will need to click the “Edit” option and type the rule directly into the rule syntax box. If you need guidance on how to write the rule, Microsoft provided some examples when they first announced the public preview. Once you have written the rule, click “OK” to save your edits and then click “Create group.”  

Voila – you’re now using nested dynamic groups.  
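The same group can be created from PowerShell. The following is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell module (`Connect-MgGraph`, `Get-MgGroup`, `New-MgGroup`, `Get-MgGroupMember`) and the memberOf rule syntax the portal’s rule syntax box accepts. The source group names, the new group’s name and mail nickname, and the 60-second wait are assumptions made for illustration; it also refuses to nest a group that is itself dynamic, which the preview does not allow.

```powershell
# Added example (not from the original post): create a nested dynamic security
# group with Microsoft Graph PowerShell. Requires Install-Module Microsoft.Graph.Groups,
# an Azure AD Premium licence, and a Global, User or Intune Administrator account.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

# Resolve the source groups by display name (assumed names). In practice you can
# paste the object IDs straight from the portal instead of looking them up.
$sourceNames = @('Sales - East', 'Sales - West')
$sourceIds = foreach ($name in $sourceNames) {
    $safeName = $name.Replace("'", "''")          # escape quotes for the OData filter
    $g = Get-MgGroup -Filter "displayName eq '$safeName'" -Property 'id,displayName,groupTypes'
    if (-not $g) { throw "Source group '$name' not found" }
    if ($g.GroupTypes -contains 'DynamicMembership') {
        throw "'$name' is itself a dynamic group; memberOf sources must be non-dynamic groups"
    }
    $g.Id
}

# Build the memberOf rule: object IDs go in a single-quoted, comma-separated list.
# Use device.memberof instead of user.memberof when the membership type is Dynamic Device.
$idList = ($sourceIds | ForEach-Object { "'$_'" }) -join ','
$rule = "user.memberof -any (group.objectId -in [$idList])"

$params = @{
    DisplayName                   = 'All Sales (nested)'   # assumed name
    MailEnabled                   = $false
    MailNickname                  = 'all-sales-nested'     # assumed nickname
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$nested = New-MgGroup @params
"Created '$($nested.DisplayName)' ($($nested.Id)) with rule: $rule"

# Membership is evaluated asynchronously by the service, so give it a moment and
# then list the direct members that resulted, to confirm the rule did what you expect.
Start-Sleep -Seconds 60
$members = @(Get-MgGroupMember -GroupId $nested.Id -All)
"$($members.Count) member(s) so far (re-run this check if the count is still 0):"
$members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

The membership check at the end matters: because memberOf groups cannot be tested with the rule validator during the preview, listing the resulting direct members is the only way to confirm the rule pulled in exactly the users you intended before you attach licences or app assignments to the group.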

What Are the Current Limitations of Dynamic Groups?

While it’s tempting to go all in on nested dynamic groups in Azure AD, remember that this feature is still in public preview, so there are some rough edges Microsoft has yet to smooth out. Over the next few months there will likely be additional settings or changes to the current process. 

Before you start using the new nested dynamic groups, it’s important to understand their current limitations. Here’s an overview: 

  • You will need Azure AD Premium licensing in each tenant that plans to use this feature, and each tenant is limited to 500 dynamic groups that use the memberOf attribute.  
  • Keep an eye on your quotas: memberOf groups also count towards the tenant’s overall quota of 5,000 dynamic groups. 
  • A given memberOf dynamic group can reference at most 50 source groups. If you have a very large or complex directory, plan your group design carefully. 
  • The hierarchy only goes one level deep. The source groups named in a memberOf rule must be ordinary, non-dynamic groups, so you cannot use Dynamic Group A as a source for Dynamic Group D. Only the direct members of each source group are pulled in; nested memberships inside a source group are not expanded. 
  • As of now, a memberOf rule cannot be combined with any other rule. For example, if Dynamic Group A is defined as the members of Group C, you cannot add a second condition restricting it to users located in California.  
  • Similarly, memberOf cannot be combined with other operators within a rule, so you cannot, for instance, exclude the members of Group D from Dynamic Group A. Additionally, neither the dynamic group rule builder nor the rule validator can be used with memberOf rules right now.  
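Because the rule validator cannot evaluate memberOf rules during the preview, it is worth checking a rule yourself before creating the group. The following pre-flight check is an added example, not code from the original post or from Microsoft: it enforces the limits listed above locally (a bare memberOf clause, valid GUIDs, no duplicates, at most 50 source groups) and, with `-CheckTenant`, queries Microsoft Graph with `Get-MgGroup` to confirm each source group exists and is not itself dynamic and that the tenant is under the 500-group cap. The function name and the sample rules (with placeholder GUIDs) are assumptions made for illustration.

```powershell
# Added example (not from the original post): local pre-flight validation of a
# memberOf rule against the public-preview limitations. Function name is assumed.
function Test-MemberOfRule {
    param(
        [Parameter(Mandatory)][string]$Rule,
        [switch]$CheckTenant        # also look up each referenced group via Microsoft Graph
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # The whole rule must be exactly one memberOf clause: nothing -and/-or'ed onto it.
    $pattern = '^\s*(user|device)\.memberof\s+-any\s+\(group\.objectId\s+-in\s+\[(?<ids>[^\]]*)\]\)\s*$'
    $m = [regex]::Match($Rule, $pattern, 'IgnoreCase')
    if (-not $m.Success) {
        $problems.Add('Rule is not a bare memberOf clause; memberOf cannot be combined with other rules or operators in the preview')
        return [pscustomobject]@{ Valid = $false; GroupIds = @(); Problems = $problems }
    }

    # Extract the quoted object IDs and make sure each is a GUID.
    $ids = @([regex]::Matches($m.Groups['ids'].Value, "'([^']*)'") | ForEach-Object { $_.Groups[1].Value })
    $parsed = [guid]::Empty
    foreach ($id in $ids) {
        if (-not [guid]::TryParse($id, [ref]$parsed)) { $problems.Add("'$id' is not a GUID") }
    }
    if ($ids.Count -eq 0)  { $problems.Add('No source groups listed') }
    if ($ids.Count -gt 50) { $problems.Add("$($ids.Count) source groups listed; the preview allows at most 50") }
    foreach ($d in ($ids | Group-Object | Where-Object Count -gt 1)) {
        $problems.Add("Group $($d.Name) is listed more than once")
    }

    if ($CheckTenant) {
        # Requires an existing Connect-MgGraph session with Group.Read.All or higher.
        foreach ($id in ($ids | Select-Object -Unique)) {
            try {
                $g = Get-MgGroup -GroupId $id -Property 'id,displayName,groupTypes' -ErrorAction Stop
                if ($g.GroupTypes -contains 'DynamicMembership') {
                    $problems.Add("'$($g.DisplayName)' ($id) is dynamic; memberOf sources must be non-dynamic groups")
                }
            } catch { $problems.Add("Group $id was not found in the tenant") }
        }
        # Count existing memberOf groups against the 500-per-tenant preview cap.
        $existing = @(Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -Property 'id,membershipRule' |
            Where-Object { $_.MembershipRule -match '\.memberof\s' })
        if ($existing.Count -ge 500) {
            $problems.Add("Tenant already has $($existing.Count) memberOf groups; the preview cap is 500")
        }
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); GroupIds = $ids; Problems = $problems }
}

# Constructed sample rules; the GUIDs are placeholders, not real groups.
$good = "user.memberof -any (group.objectId -in ['11111111-1111-1111-1111-111111111111','22222222-2222-2222-2222-222222222222'])"
$bad  = "(user.memberof -any (group.objectId -in ['11111111-1111-1111-1111-111111111111'])) -and (user.state -eq 'CA')"

Test-MemberOfRule -Rule $good
Test-MemberOfRule -Rule $bad
```

Run against the two constructed rules, the first passes and the second is rejected because the memberOf clause has been combined with a second condition, which is exactly the case the preview does not support. Add `-CheckTenant` once you are connected with `Connect-MgGraph` to catch a source group that has since been converted to dynamic membership.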

Users are hopeful that many of these limitations will be lifted in the future, which seems likely since Microsoft’s own language already hints at it in places. For the foreseeable future, however, you should plan around these limitations when deciding how best to use the new dynamic group options.  

Where To Go From Here

To recap, the most significant practical benefit of nested dynamic groups is that apps and services which only evaluate direct membership can now see the members of your source groups, because a memberOf dynamic group flattens them into its own direct members. The same mechanism works for nested security groups and for group-based licensing assignments. 

Whenever you need hierarchical groups, nested dynamic groups should now be a top option for assembling a solution that fits your needs. Your team will save time on tedious group-management tasks, and you will benefit from more consistent and reliable management overall.  

If you’re still hesitant about using this new feature at your organization, Dynamic Consultants Group can be a great friend in the unknown. We’ve dedicated time to fully understanding the new features of Microsoft Azure, and we’re confident we can help you and your team thrive with the new updates. Don’t hesitate to talk with an expert if you need more insight.