How can we improve Azure Active Directory?

Dynamic Groups: Member of group

Would be good to have the possibility to use membership in other groups as a condition in a dynamic group membership rule.

Example:
(user.objectId -memberOf group.objectId)
(user.objectId -notMemberOf group.ObjectId)

Use case 1 - Group Based Licensing.
If the user is a member of a group that gives them an E5 license, don't let them be a member of a group that gives them E3.

Use case 2 - Exceptions
All users should have an MDM policy applied, except those of a specific group.

399 votes

Anders Eide shared this idea

Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.

Chen

24 comments

  • Vasquez, Matty commented

    Please add this feature, we really need this to help replicate and consolidate memberships across O365 Groups, MS Teams and SharePoint Sites so staff are not having to be manually added to multiple Sites and Groups by different owners in different systems!

  • Dan Smith commented

    I could really use this right about now...

    I need to create a dynamic group which consists of any users who are not presently members of another particular group.

  • Rob Hosler commented

    It would make much more sense to have the dynamic group membership set by the membership of one or more other AD groups than to have a rule like (user.objectID -eq "S-1-1-11-..."). Might as well just add the user(s) to the group manually. Most of the rules available would likely produce only one user or the entire directory.

    I can't imagine a business case where I would want to maintain a set of dynamic rules like "I want anyone with this mobile number to be a member of my group." or "I want every 'Mike' in the company in this group"

  • Eric Wilborn commented

    Yes please. I have an end user that curates a leadership team group in O365 and then another end user that curates the same leadership list for on-prem SharePoint. This would reduce the workload and keep them in sync.

  • Anonymous commented

    This would make license management so much easier.

    We are getting our accounts as an import in our AD on premises.
    From there they are imported in Azure by AAD-connect.
    It would be so nice to make the groups (made by the import in AD on premises) the source for our license groups in Azure.

  • Anonymous commented

    +1 for Ritesh. Can we get an update from the AAD Team at Microsoft given the nearly year old previous response?

  • Jake Thomas commented

    This would be amazing for our Intune deployment process.

    Here's an example:
    80% of users in our organization get Office 365 with all core apps except Access, Groove, and Publisher. We deploy this to them based on whether or not they have an Office E3 license.
    An additional 5% of our users have Project or Visio. Being licensed could put them in a group to get Visio or Project automatically assigned and deployed.

  • Matt Schultz (BCBSNE) commented

    Yes, and as TreVon and Joel mentioned, if we could use memberof as a dynamic group criteria, this would make it less important for O365 groups to support nested groups (although that would still be a great addition!).
