colonel_claypoo
Iron Contributor
Nov 04, 2024

Dynamic group membership rules stopped working

We've been using the following dynamic membership rule to check if a user is a member of another group:

 

user.memberOf -any (group.objectId -in ['2b930be6-f46a-4a70-b1b5-3e4e0c483fbf'])


The group is an Active Directory group that is represented in Entra with the stated Entra group object Id.

 

The validation fails for every user and looks like this:

 

It seems that all our dynamic groups are affected and stopped working.

Have you seen this before?

Thanks.

5 Replies

  • DavidLundell
    Brass Contributor
    • Avoid the use of the memberOf operator (https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-rule-member-of) if possible. It's currently in preview, and it comes with bugs and limitations. It can also introduce more complexity, particularly if a tenant has a large number of groups or frequent updates. The recommendation is to delete existing memberOf groups in your tenant.

     

    From <https://learn.microsoft.com/en-us/entra/identity/users/manage-dynamic-group#optimizing-rule-efficiency>

    I don't think this feature will make it out of preview -- I could be wrong

  • rurbaniak14
    Copper Contributor

    colonel_claypoo 

     

    I'm also seeing it not working with (user.objectId -in ["object_ID"]) as well. I was trying to set this up today, and it wasn't validating or pulling users in.

    • colonel_claypoo
      Iron Contributor

      I hope someone here has a solution for this. In parallel, I'm going to open a ticket.
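
An added example, not part of the thread or of Microsoft's documentation: a PowerShell inventory of the dynamic groups whose membership rule uses the memberOf operator, which are the groups the documentation quoted in the first reply recommends removing. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups) is installed and the signed-in account can consent to Group.Read.All; the variable names and report columns are the example's own.

```powershell
# Added example: list dynamic groups that depend on the preview memberOf operator,
# together with the groups their rules reference. Read-only; nothing is modified.
Connect-MgGraph -Scopes 'Group.Read.All'

# Object IDs inside a rule are GUIDs, e.g. group.objectId -in ['<guid>', '<guid>']
$guidPattern = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

# All groups with a dynamic membership rule, plus the rule text and processing state
$dynamicGroups = Get-MgGroup -All `
    -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
    -Property Id, DisplayName, MembershipRule, MembershipRuleProcessingState

$report = foreach ($group in $dynamicGroups) {
    # Skip rules that do not use memberOf at all
    if ($group.MembershipRule -notmatch '(?i)\bmemberOf\b') { continue }

    # Every group object ID the rule refers to, de-duplicated
    $referencedIds = [regex]::Matches($group.MembershipRule, $guidPattern) |
        ForEach-Object { $_.Value } | Sort-Object -Unique

    foreach ($id in $referencedIds) {
        # A deleted or mistyped ID leaves $ref empty instead of aborting the run
        $ref = Get-MgGroup -GroupId $id `
            -Property Id, DisplayName, OnPremisesSyncEnabled `
            -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DynamicGroup      = $group.DisplayName
            DynamicGroupId    = $group.Id
            ProcessingState   = $group.MembershipRuleProcessingState  # On or Paused
            ReferencedGroupId = $id
            ReferencedGroup   = if ($ref) { $ref.DisplayName } else { '<not found>' }
            SyncedFromAD      = [bool]$ref.OnPremisesSyncEnabled
            Rule              = $group.MembershipRule
        }
    }
}

# One row per (dynamic group, referenced group) pair
$report | Sort-Object DynamicGroup, ReferencedGroup | Format-Table -AutoSize -Wrap
```

Rows showing `<not found>` or a `Paused` processing state are the first ones to check when a memberOf rule stops evaluating.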
