Flattening Group Memberships to a Single Group

In previous blog posts (Part 1, Part 2), we discussed a powerful feature in Entra ID (formerly Azure Active Directory) known as dynamic membership rules. In short, Entra ID’s dynamic membership rules feature allows you to use any attributes from Entra ID’s base set or custom extension properties to construct groups that automatically add and remove members based on those attributes’ values. These groups can be either Microsoft 365 or Security groups and can be used in most places in Entra ID.

But beyond the attributes we would typically use in dynamic membership rules, there is an attribute we can use to essentially grab the users who are members of other groups. This allows you to effectively create a “flattened” group where everyone is a direct member of a single group.

Why would you want to do this?

The Problem

Suppose you have a group called All Employees, which is made up of several other groups such as Sales Employees, IT Employees, and Manufacturing Employees. You want to use the “All Employees” list to grant access to applications and to create a Microsoft 365 group.

Unfortunately, nested groups are still somewhat limited in how they can be used in Entra ID. For example, application assignments for access and provisioning along with group-based licensing do not support nested groups. And although you can simply add smaller groups individually where the full population is needed, there is benefit in having a single group that represents “All Employees.” For instance, if the company expands, you’d need to go to several places to add a new division.

Nested groups are not supported at all for Microsoft 365 groups. Therefore, you must either separately maintain an All Employees group or rely on sending to multiple different groups any time company-wide communication is necessary.

Luckily, we can “flatten” multiple groups into one group using Entra ID’s dynamic membership rules.

The Solution

To implement a flattened group, create a group with dynamic membership rules as usual. If you need help creating the group, read Part 2 of our dynamic group memberships blog post series. 

Here is where things get interesting. Instead of using dropdown menus to configure the rules, click Edit in the Rules Syntax section to manually enter the query needed:

A text box will open on the right-hand side where you can enter your query. To pull in the members of other groups, enter the following query:

user.memberof -any (group.objectId -in ['groupId', 'groupId'])

Replace groupId with the objectId of the groups you want to “flatten.” Currently, you can include up to 50 groups to pull members from. You can obtain a group’s objectId from the group’s Overview page within the Azure portal, or you can use a PowerShell cmdlet such as Get-MgGroup.

Click OK, Save, Create Group. The new group’s membership will be calculated in the background. For larger tenants, it can take up to 24 hours. For a smaller tenant, you can expect to see the group membership update within a few minutes.

Limitations

Now let’s discuss some of this feature’s limitations. The first limitation is that dynamic membership rules will not flatten a group that has groups inside of it—you must explicitly include those nested groups in the group query. As mentioned above, there is currently a limit of 50 groups to pull members from, and you cannot pull members from another dynamic group to circumvent this limit. You are also limited to creating a total of 500 dynamic groups using the memberOf filter criteria.
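The limits above can be checked before the rule is pasted into the portal. The following PowerShell is an added example, not code from the original post: it builds the rule string from a set of source groups and rejects or flags the cases described in this section. The function name, the NestedGroupId property, and the sample objectIds are assumptions made for illustration.

```powershell
# Added example. Input objects mirror what Get-MgGroup returns (Id, DisplayName,
# GroupTypes). NestedGroupId is a hypothetical property you would fill from
# Get-MgGroupMember, keeping members whose @odata.type is '#microsoft.graph.group'.
function New-FlattenedGroupRule {
    param(
        [Parameter(Mandatory)][object[]]$SourceGroup,
        [int]$MaxGroups = 50   # limit stated in the article
    )
    $ids = @($SourceGroup.Id | Sort-Object -Unique)
    if ($ids.Count -gt $MaxGroups) {
        throw "Rule would reference $($ids.Count) groups; the limit is $MaxGroups."
    }
    foreach ($g in $SourceGroup) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse([string]$g.Id, [ref]$parsed)) {
            throw "'$($g.Id)' is not a valid objectId (GUID)."
        }
        # Members cannot be pulled from another dynamic group.
        if ($g.GroupTypes -contains 'DynamicMembership') {
            throw "'$($g.DisplayName)' is a dynamic group and cannot be a source."
        }
        # Nested groups are not expanded by the rule; each must be listed explicitly.
        foreach ($n in @($g.NestedGroupId)) {
            if ($n -and $ids -notcontains $n) {
                Write-Warning "'$($g.DisplayName)' contains group $n, which is not in the rule; its members will be missing."
            }
        }
    }
    $list = ($ids | ForEach-Object { "'$_'" }) -join ', '
    "user.memberof -any (group.objectId -in [$list])"
}

# Constructed sample data (placeholder objectIds, not real groups).
$sales = [pscustomobject]@{
    Id            = '00000000-0000-0000-0000-000000000001'
    DisplayName   = 'Sales Employees'
    GroupTypes    = @()
    NestedGroupId = @('00000000-0000-0000-0000-0000000000a1')   # nested, not listed
}
$it = [pscustomobject]@{
    Id            = '00000000-0000-0000-0000-000000000002'
    DisplayName   = 'IT Employees'
    GroupTypes    = @()
    NestedGroupId = @()
}
New-FlattenedGroupRule -SourceGroup $sales, $it
```

Because the flattened group is typically used for application assignment and licensing, a nested group that is silently skipped means users who are missing access, so the warning is worth acting on before the rule is saved.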

Perhaps the biggest limitation is that you cannot combine a memberOf rule with other attributes. As an example, you cannot build a group of everyone in the “All IT Employees” group (itself made up of subgroups) who also works in the Chicago, Illinois, office. However, a simpler solution might just be to get a few more attributes populated in your Entra ID tenant, and then use a normal dynamic membership rule that does not rely on another group. And that’s where Ravenswood can help…

Here to Help

The experts at Ravenswood Technology Group have the business and technical expertise to determine the best design for your Entra ID and Microsoft 365 groups. We can help you decide whether flattening multiple groups together is the best path or if there is a better way to accomplish your business goal. With either approach, though, we want to make the process automatic for you. We can guide you through all the stages of making automated group management a reality in your organization. Contact our experts today!
