Dynamic Groups Enhancement Now at Preview for Azure Active Directory Users
Microsoft this week previewed a way to create dynamic groups in Azure Active Directory that avoids some of the limitations with its existing "nested groups" approach.
This "memberOf" dynamic groups preview capability lets IT pros sync the members of existing Azure AD groups into a dynamic group, which can be done for various purposes. The types of groups that can be synced include "any group type represented in Azure Active Directory," namely:
- User or device security groups,
- Microsoft 365 groups and
- "Groups synced from on-premises, or a mix of all three"
The memberOf approach opens possibilities that were limited under the nested groups approach. For instance, Microsoft indicated that "unlike existing nested security groups today, memberOf dynamic groups return a flat list of members, so [it] can be used for licensing assignment and application assignment."
Microsoft affirmed those notions in a June 7 Twitter thread by Alex Simons, corporate vice president program manager for the Microsoft Identity Division.
The synced groups don't become members of the dynamic group, which gives IT pros a free hand to create ad hoc dynamic groups. The number of dynamic groups that can be created using the preview is limited to 500 groups, and each dynamic group can have "up to 50 member groups," Microsoft explained in a "Preview Limitations" section of its document on the topic.
The Azure Portal, PowerShell or the Microsoft Graph can be used to set up these dynamic groups, the document explained. IT pros need to have the right permissions to do so. Supported roles include the "Global Administrator, Intune Administrator or User Administrator."
There's also a licensing restriction to using memberOf dynamic groups. "You must have an Azure AD Premium license for the Azure AD tenant" to use it, according to the document.
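As an added illustration (not code from the article or from Microsoft), the sketch below builds the request body for creating a memberOf dynamic group through Microsoft Graph's `POST /groups` call and enforces the 50-member-group preview limit before anything is sent. The rule text follows Microsoft's dynamic membership rule syntax, which the article does not quote; the group names and object IDs are constructed sample values.

```python
import json
import uuid

# Preview limit quoted in the article: each dynamic group can have
# "up to 50 member groups".
MAX_MEMBER_GROUPS = 50

def build_memberof_rule(group_ids, member_type="user"):
    """Build a memberOf rule from source-group object IDs (user or device)."""
    if member_type not in ("user", "device"):
        raise ValueError("member_type must be 'user' or 'device'")
    clean = []
    for raw in group_ids:
        # Round-tripping through uuid.UUID yields a canonical GUID, so no
        # caller-supplied text can escape the quoted list and alter the rule.
        gid = str(uuid.UUID(str(raw).strip()))
        if gid not in clean:
            clean.append(gid)
    if not clean:
        raise ValueError("at least one source group is required")
    if len(clean) > MAX_MEMBER_GROUPS:
        raise ValueError(f"{len(clean)} source groups exceeds the preview "
                         f"limit of {MAX_MEMBER_GROUPS}")
    quoted = ", ".join(f"'{g}'" for g in clean)
    return f"{member_type}.memberof -any (group.objectId -in [{quoted}])"

def build_group_payload(display_name, mail_nickname, group_ids):
    """Return the JSON body for Graph POST /groups (security group, dynamic)."""
    return {
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "mailEnabled": False,
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": build_memberof_rule(group_ids),
        "membershipRuleProcessingState": "On",
    }

if __name__ == "__main__":
    # Constructed sample object IDs; replace with real source-group IDs.
    sample_ids = ["11111111-1111-1111-1111-111111111111",
                  "22222222-2222-2222-2222-222222222222"]
    body = build_group_payload("App-Access-Flat", "appaccessflat", sample_ids)
    print(json.dumps(body, indent=2))
```

Because the resulting flat membership can drive licensing and application assignment, the list of source group IDs in the rule is worth reviewing as carefully as a direct access grant.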
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.