Dynamic Groups: Member of group
Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.
(user.objectId -memberOf group.objectId)
(user.objectId -notMemberOf group.ObjectId)
Use case 1 - Group Based Licensing.
If the user is a member of a group that gives them an E5 license, don't let them be a member of a group that gives them E3.
Use case 2 - Exceptions
All users should have an MDM policy applied, except those of a specific group.
Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.
Hernan Lopez commented
We have found a way to overcome this temporarily. We run a scheduled task which gets all group memberships on a given user, and adds each group name as a string on an extendedattribute.
After this we extended the AD sync to include this extendedattribute in the sync, so user has this extendedattribute available on object.
We then run the dynamic group membership rules based on lookup of substring in the extendedattribute.
It has some issues: substrings must be unique, otherwise you would get a much bigger user scope.
Groups must be unique, and the lookup must address the entire group name.
Not ideal, but works
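The substring collision described in this workaround can be avoided by wrapping every group name in a delimiter before writing the attribute, so a rule only ever matches whole names. The PowerShell below is an added example, not code from the comment or from Microsoft; the group names, users and the '|' delimiter are constructed, and the rule match is simulated locally rather than evaluated by Azure AD.

```powershell
# Added example on constructed data; group names, users and '|' are assumptions.
# In the scheduled task the names would come from the directory (for instance
# Get-ADPrincipalGroupMembership) and be written with Set-ADUser; not run here.

function ConvertTo-GroupAttribute {
    param([string[]]$GroupNames, [string]$Delimiter = '|')
    foreach ($name in $GroupNames) {
        # A name containing the delimiter would break the boundaries
        if ($name.Contains($Delimiter)) {
            throw "Group name '$name' contains the delimiter '$Delimiter'."
        }
    }
    # Delimiter on both ends so every name is bounded left and right
    $sorted = @($GroupNames | Sort-Object -Unique)
    return $Delimiter + ($sorted -join $Delimiter) + $Delimiter
}

function Test-SubstringRule {
    # Stand-in for a rule clause that substring-matches a string attribute
    param([string]$Value, [string]$Needle)
    return $Value.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

# Constructed users and their group memberships
$users = @(
    [pscustomobject]@{ Name = 'alice'; Groups = @('Lic-E3') }
    [pscustomobject]@{ Name = 'bob';   Groups = @('Lic-E3-Pilot') }
    [pscustomobject]@{ Name = 'carol'; Groups = @('Lic-E5', 'Lic-E3') }
)

$report = foreach ($u in $users) {
    $naive   = $u.Groups -join ','
    $bounded = ConvertTo-GroupAttribute -GroupNames $u.Groups
    $inE3 = Test-SubstringRule -Value $bounded -Needle '|Lic-E3|'
    $inE5 = Test-SubstringRule -Value $bounded -Needle '|Lic-E5|'
    [pscustomobject]@{
        User      = $u.Name
        Attribute = $bounded
        NaiveE3   = Test-SubstringRule -Value $naive -Needle 'Lic-E3'
        BoundedE3 = $inE3
        E3NotE5   = $inE3 -and -not $inE5   # use case 1 from the original post
    }
}
$report | Format-Table -AutoSize
```

With an attribute built this way, the dynamic rule would search for the delimited name, for example (user.extensionAttribute1 -contains "|Lic-E3|"), where extensionAttribute1 is an assumed attribute name. The naive column shows the over-broad scope the comment warns about: the constructed user in Lic-E3-Pilot matches a plain search for Lic-E3 but not the bounded one.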
Still under review 3 years later. What a joke MS are.
This is much needed option to create dynamic group based on some org structure.
I also have a group of accounts that don't have MFA enabled, mainly because they are service accounts. I'd like to reuse that group to create a dynamic security group for all MFA enabled Accounts.
Richard Cornell commented
I have a group of accounts that don't have MFA enabled, mainly because they are service accounts. I'd like to reuse that group to create a dynamic group when deciding who has SSPR i.e. all users except those who don't have MFA.
Why is this not a thing? Really.
Really need this. I have users who are part of several groups. I want to automate Teams memberships based on the user's on-prem AD group membership.
CHAUSSADE REMY commented
@Azure AD Team:
News?? Since 2018/04/10?
We need this feature too...
Chad Gross commented
Definitely surprised this isn't currently possible - especially considering back in the early days we had IFMEMBER.exe to use in login scripts, and have been able to target AD GPO preferences by security group membership since Server 2008, and both methods allowed for complex analysis of group membership for proper targeting (Member of A and member of B but not member of C). Admins have been basing policies off of complex group membership for 20 years, and now it's been under review for almost 4 years.
We need this feature too (+3000 employees here). Thank you, regards.
So this request was raised back in 2017, last update was April 2018!
What is happening with this request? Do you not understand how vital it is to have this functionality?
Really need this for Intune app installation.
I need multiple Microsoft 365 installers because of Visio and Project.
And I need dynamic groups based on license groups to assign the correct installer.
Installation could be so simple when memberof and notmemberof are possible for dynamic groups.
Microsoft E3 Only > Installer with Microsoft 365 Enterprise apps without Project and Visio
Microsoft E3 + Project P3 > Installer with M365 Enterprise apps with Project
Microsoft E3 + Visio P2 > Installer with M365 Enterprise apps with Visio
Microsoft E3 + Project P3 + Visio P2 > Installer with Microsoft Enterprise apps with Project and Visio
Get-AzADGroup has lost the Get-AzureADGroup -filter functionality so we've got no way of distinguishing by the "Membership type" attribute. Please add this functionality
Just do it
Kevin Hill commented
Would be especially useful for creating departmental Teams where existing AD groups are already maintained, and synced to AzureAD.
Jeroen den Otter commented
Any updates on this? It has been 3 years, almost 4, Microsoft?! Really bad service.
Welp, I guess this isn't implemented. Seems like it'd be simple enough, hopefully this gets pushed through. Upvoting!
We need this option. Please implement this.