Create "nested" groups with Azure AD Dynamic Groups

Published Jun 06 2022 01:37 PM 16.3K Views
Microsoft

We are thrilled to announce that the ability to create dynamic groups based on the memberOf attribute is available in Public Preview!  

This feature will help you better manage group memberships by allowing you to build dynamic Azure AD Security Groups and M365 groups based on other groups – create hierarchical groups with ease! For example, you can now create Dynamic-Group-A with members of Group-X and Group-Y.


The groups that define the membership of the dynamic group can be any group type represented in Azure Active Directory, such as user or device security groups, Microsoft 365 groups, and groups synced from on-premises, or a mix of all three! And, unlike existing nested security groups today, memberOf dynamic groups return a flat list of members, so they can be used for licensing assignment and application assignment.
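As an added example (not part of the original post, and not Microsoft's own tooling), the following Python script resolves memberOf rules offline against a constructed snapshot of group objects. It parses the documented rule shape "user.memberof -any (group.objectId -in ['groupId', 'groupId'])" (the device.memberof form comes from the same documentation page), rejects a rule that mixes memberOf with other clauses, computes the flat member list the announcement describes, and lists which memberOf groups, and therefore which license or app assignments, change when a given source group is edited. The property names groupTypes, membershipRule and members are real Microsoft Graph group fields; every ID, display name and membership in the snapshot is invented, and resolving only the direct, non-group members of each source group is an assumption the post does not state.

```python
"""Offline resolver for Azure AD memberOf dynamic-group rules (added example).

GROUPS is a constructed snapshot shaped like Microsoft Graph 'group' objects:
groupTypes, membershipRule and members are real Graph property names, but every
ID, display name and membership below is invented for this example.
"""
import re

GROUPS = {
    "grp-x": {"displayName": "Group-X", "groupTypes": [],
              "members": ["user-alice", "user-bob", "grp-legacy"]},
    "grp-y": {"displayName": "Group-Y", "groupTypes": [],
              "members": ["user-bob", "user-carol"]},
    # a classic nested group inside Group-X; its member is NOT flattened (see below)
    "grp-legacy": {"displayName": "Legacy-Nested", "groupTypes": [],
                   "members": ["user-dave"]},
    "dyn-a": {"displayName": "Dynamic-Group-A", "groupTypes": ["DynamicMembership"],
              "membershipRule": "user.memberof -any (group.objectId -in ['grp-x', 'grp-y'])"},
    # memberOf combined with another clause: the docs quoted in the comments say this fails
    "dyn-bad": {"displayName": "Dynamic-Bad", "groupTypes": ["DynamicMembership"],
                "membershipRule": "(user.memberof -any (group.objectId -in ['grp-x'])) "
                                  "and (user.city -eq \"Redmond\")"},
}

# Documented rule shape: user.memberof -any (group.objectId -in ['id', 'id']);
# the device.memberof form is taken from the same documentation page.
MEMBEROF_RULE = re.compile(
    r"^\s*(?P<kind>user|device)\.memberof\s+-any\s+\(\s*group\.objectId\s+-in\s+"
    r"\[(?P<ids>[^\]]*)\]\s*\)\s*$",
    re.IGNORECASE,
)


def parse_memberof_rule(rule):
    """Return (kind, [source group IDs]) for a standalone memberOf rule.

    Anything else, including memberOf mixed with other clauses, raises ValueError.
    """
    match = MEMBEROF_RULE.match(rule)
    if not match:
        raise ValueError(f"not a standalone memberOf rule: {rule!r}")
    ids = re.findall(r"'([^']*)'", match.group("ids"))
    if not ids:
        raise ValueError("memberOf rule lists no source groups")
    return match.group("kind").lower(), ids


def rule_is_valid(rule):
    """True if parse_memberof_rule accepts the rule."""
    try:
        parse_memberof_rule(rule)
        return True
    except ValueError:
        return False


def is_memberof_group(group):
    """Dynamic group whose rule is (or tries to be) a memberOf rule."""
    return ("DynamicMembership" in group.get("groupTypes", [])
            and "memberof" in group.get("membershipRule", "").lower())


def flat_members(group_id, groups, _stack=()):
    """Flat list of non-group member IDs for a group.

    Assumption (not stated in the post): only direct, non-group members of each
    source group count, so classic nesting inside a source is not flattened.
    A source that is itself a memberOf group is resolved recursively; a cycle
    is reported instead of looping forever.
    """
    if group_id in _stack:
        raise ValueError("memberOf cycle: " + " -> ".join(_stack + (group_id,)))
    group = groups[group_id]
    if not is_memberof_group(group):
        return sorted(m for m in group.get("members", []) if m not in groups)
    _, sources = parse_memberof_rule(group["membershipRule"])
    members = set()
    for src in sources:
        if src not in groups:
            raise KeyError(f"source group {src!r} is not in the snapshot")
        members.update(flat_members(src, groups, _stack + (group_id,)))
    return sorted(members)


def dependents_of(source_id, groups):
    """memberOf groups whose membership changes (transitively) with source_id.

    Run this before editing a source group: each group listed, plus any license
    or app assignment hanging off it, inherits the edit.
    """
    direct = {}
    for gid, group in groups.items():
        if not is_memberof_group(group) or not rule_is_valid(group["membershipRule"]):
            continue  # skip rules the service would reject (per the docs quoted in the comments)
        for src in parse_memberof_rule(group["membershipRule"])[1]:
            direct.setdefault(src, set()).add(gid)
    seen, todo = set(), [source_id]
    while todo:
        for dep in direct.get(todo.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return sorted(seen)


if __name__ == "__main__":
    print("Dynamic-Group-A members:", flat_members("dyn-a", GROUPS))
    print("Groups affected by a change to Group-X:", dependents_of("grp-x", GROUPS))
    print("Dynamic-Bad rule accepted?", rule_is_valid(GROUPS["dyn-bad"]["membershipRule"]))
```

Running the script prints the three users of Dynamic-Group-A (user-dave, reachable only through the classic nested Legacy-Nested group, is absent under the direct-members assumption), reports Dynamic-Group-A as the one group affected by an edit to Group-X, and shows the mixed rule being rejected. To use it against a real tenant, replace GROUPS with group objects fetched from Microsoft Graph.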

 

To learn more about memberOf and how you can start taking advantage of this new functionality, please read our documentation: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of

Learn more about Microsoft identity:
Return to the Azure Active Directory Identity blog home: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity
Join the conversation on Twitter (https://twitter.com/azuread/status/1278418103903363074) and LinkedIn (https://www.linkedin.com/showcase/microsoft-security/)
Share product suggestions on the Azure Feedback Forum: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

14 Comments

Comment 1: Finally :D
Thought this would never come

Comment 2: cool!

Comment 3: Finally much awaited one. :thumbs_up:

Comment 4: Great news! Now the customers can cascade groups like in AD OnPrem

Comment 5: Awesome! Had several customers asking for solutions that from an architectural perspective would require nested groups to create a group hierarchy.

Comment 6: Awesome :)
This also solves the problem with the limitation for one group on SSPR (Self Service Password Reset)
Very much appreciated!

Comment 7: Does this solve the issue of Conditional Access, Enterprise App Assignments, & Intune not working nicely with nested groups? That would be something!
If so, I would advise caution on this powerful feature because you set up a dependency between groups and may unintentionally affect another group that depends on it.

Comment 8: @Thomas Nielsen AFAIK SSPR already worked with nested groups...

Comment 9: @Thomas Nielsen SSPR supports group nesting. We've been nesting dynamic groups within a single static for a while now (5+ years).
@PeterHoldridge79 Conditional Access supports nested groups as well. There was a time when the whatif tool didn't like it. I've not used that since Report-Only became mainstream.
Service limits and restrictions - Azure Active Directory - Microsoft Entra | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions
At this time, the following scenarios are supported with nested groups:
- One group can be added as a member of another group, and you can achieve group nesting.
- Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included.
- Conditional access (when a conditional access policy has a group scope).
- Restricting access to self-serve password reset.
- Restricting which users can do Azure AD Join and device registration.
The following scenarios are not supported with nested groups:
- App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.
- Group-based licensing (assigning a license automatically to all members of a group).
- Microsoft 365 Groups.

Comment 10:
- MemberOf can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail.
Too bad we can't combine the "user.memberof -any (group.objectId -in ['groupId', 'groupId'])" with other rules for a dynamic group. Maybe in the future?

Comment 11: This is great news!

Comment 12: Awesome stuff thanks for the update ☺️

Comment 13: This is magical. I just tried it though and it ain't working. Has this rolled out to everyone? How can I tell if this functionality is live in my tenant?

Comment 14: This is really epic and this opens up a lot of possibilities on all Microsoft365 Group connected applications. I tested it with all kinds of groups (Security, distribution, email enabled security groups and Microsoft365 groups) and works like a bomb.
@skdyer according to me it's already live for everyone, did you use the query mentioned above?
Last update: Jun 06 2022 01:11 PM