HELP, my AAD dynamic group does not update
This is a knowledgebase item. Hope it helps you out someday if you are using group membership “nested” in a dynamic Azure AD group and it does not update anymore.
Note. The feature “Group membership in a dynamic group in Azure Active Directory” is still in preview on the publication date (21 March 20, 2023) of this kb item.
On June 6th, 2022, Microsoft announced a new feature in Azure AD. A feature to get the ability to create dynamic groups based on the memberOf attribute. This allows the admin to create dynamic Azure AD Security Groups and Microsoft 365 groups based on other groups. Like a nested group, this feature will help you handle group users more effectively and create hierarchical groups with simplicity.
Example query
To create the Dynamic-Group-A group, you can use the following dynamic query.
User:
user.memberof -any (group.objectId -in ['groupId', 'groupId'])Device:
device.memberof -any (group.objectId -in ['groupId', 'groupId'])The reason why your AAD dynamic group does not update
For a project, I used this method to create an all-user group based on several department groups. This works like charms. I really like this method but what happens when the admins delete a group that is part of your dynamic query? The dynamic group does not update anymore.
So, it can happen that you are not aware that the dynamic group is not updating anymore, and your users will not get your security settings for example.
As you can see in the below picture it looks like everything is ok, the dynamic rule processing status is succeeded. But the groups are not populated and the last membership change is still stuck on the date when one of the groups has been deleted.
My test configuration
For this issue, I replicated the configuration in my test tenant to check if I had the same behavior. So first I created a dynamic all-user group based on 3 other groups. In this case, Netherlands, Germany, and Spain.
I created the groups and copied the group object id and created the all-user group with the dynamic query.
I waited till the group was populated and all the users were part of the all-user group and deleted the groups, Spain and Belgium lost the battle.
After more than a day, the last membership change of the dynamic all user group was not changed. This property was still stuck on the same date and time.
I did the same test for a dynamic device group, and with static groups and again I had the same result. Hmm. This Azure AD group does not update as well.
Configure the dynamic device group query
Delete one of the groups that are in the dynamic query
Also the dynamic device group does not update anymore
I created a new group to check what happened when I enter a dynamic query where one of the group object ids does not exist. The creation of the group was successful. I waited 24 hours to be sure that the group was processed by Azure AD
Note. It can take up to 24 hours to update a dynamic group.
And in this case, I had a failed dynamic rule processing status instead of Succeeded
The solution to fix your AAD group that does not update anymore
If you are using the memberof option in the dynamic rule syntax of your AAD group and your AAD does not update anymore. Please check if all the groups in your query still exist.
If not, remove the objectid that does not exist anymore from the dynamic query and your dynamic AAD group will be updated again.
Hi! My name is René Laas. I have passion and enthusiasm for the Microsoft 365 Cloud. I am based in the Netherlands.
Rami Al-zayat 
Albert Stoynov
Andrea De Santis
Giorgio Trovato
Leave a Reply
Want to join the discussion?Feel free to contribute!