Unable to create group membership in a dynamic group

Question

Unable to create group membership in a dynamic group

Joey Karijowiredjo 20

I'm unable to create group membership in a dynamic group especially for devices.

I'm following along with the official MS docs and use the query they provided: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of

I was able to create a group earlier this week, but suddenly I'm getting an error saying: "Property objectid cannot be applied to object group", preventing me to create the so called nested dynamic groups.

I also tried to modify an already made dynamic group, by adding a objectId from a group we wanted to include but that didn't work also. It gave me the same error.

Trying to validate the query only gives you a question mark with the error message.

The query used: device.memberof -any (group.objectId -in ['groupId', 'groupId'])

It looks like the 'group.objectId' is a bit broken, according to the error message...

I'm certain I followed the instructions, letter by letter but it just won't work anymore.

For work, we need some dynamic groups that can take members from other groups so we don't have to deal with nesting groups in groups as that will sometimes give some issues.

I tried creating a dynamic group in my own test tenant and I get the same error.

Is the functionality broken or is something else going on?

Rahul Jindal [MVP] 8,076 Reputation points MVP

2023-09-17T21:13:09.5266667+00:00

I recently spent some time with the feature and blogged about my experience. This may help - https://rahuljindalmyit.blogspot.com/2023/09/working-with-entra-id-memberof.html
Jacky Lam 5 Reputation points

2023-09-18T07:30:04.0633333+00:00

Same issue here. I have other groups created previously with the exact same syntax of user.memberof -any (group.objectId -in ["GROUP-ID"]) but I cannot create another group even the the exact same statement, throwing the same error you got.
Anthony Strainer 0 Reputation points

2023-09-18T15:07:42.7566667+00:00

Adding a "me too" to this, worked fine last week, now doesn't either in our Prod tenant or my separate test tenant. Fails both in the portal and via Terraform. Existing group seem to be fine.
veli anlama 0 Reputation points

2023-09-19T09:46:08.6566667+00:00

Same issue Anthony Strainer mentioned here
Tim Stevenson 30 Reputation points

2023-09-20T04:33:14.6366667+00:00

Having the same issue, found this artical: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of saying do it with the same code, Its also referenced here https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#supported-properties but its still not working.
Upadhyay, Kartik - Admin 0 Reputation points

2023-09-20T14:00:59.2666667+00:00

Same issue for me as well. Was working fine last week.
Hrishikesh Chowdhury (EA) 0 Reputation points

2023-09-20T19:18:07.3333333+00:00

I am also having same issues, dynamic query same syntax is not working now
Tim Stevenson 30 Reputation points

2023-09-20T21:02:42.8833333+00:00

We ended up creating a job with Microsoft, and have been told there is a Known issue in the Backend and it is being investigated.
JamesTran-MSFT 32,846 Reputation points Microsoft Employee

2023-09-25T19:35:11.8266667+00:00

@Joey Karijowiredjo

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Joey Karijowiredjo 20 Reputation points

2023-09-25T19:44:11.8+00:00

It seems indeed that it got fixed by Microsoft. I was suddenly able to create the nested dynamic groups again.

Rahul Jindal [MVP] 8,076 Reputation points MVP

2023-09-17T21:13:09.5266667+00:00

I recently spent some time with the feature and blogged about my experience. This may help - https://rahuljindalmyit.blogspot.com/2023/09/working-with-entra-id-memberof.html
Jacky Lam 5 Reputation points

2023-09-18T07:30:04.0633333+00:00

Same issue here. I have other groups created previously with the exact same syntax of user.memberof -any (group.objectId -in ["GROUP-ID"]) but I cannot create another group even the the exact same statement, throwing the same error you got.
Anthony Strainer 0 Reputation points

2023-09-18T15:07:42.7566667+00:00

Adding a "me too" to this, worked fine last week, now doesn't either in our Prod tenant or my separate test tenant. Fails both in the portal and via Terraform. Existing group seem to be fine.
veli anlama 0 Reputation points

2023-09-19T09:46:08.6566667+00:00

Same issue Anthony Strainer mentioned here
Tim Stevenson 30 Reputation points

2023-09-20T04:33:14.6366667+00:00

Having the same issue, found this artical: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of saying do it with the same code, Its also referenced here https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#supported-properties but its still not working.
Upadhyay, Kartik - Admin 0 Reputation points

2023-09-20T14:00:59.2666667+00:00

Same issue for me as well. Was working fine last week.
Hrishikesh Chowdhury (EA) 0 Reputation points

2023-09-20T19:18:07.3333333+00:00

I am also having same issues, dynamic query same syntax is not working now
Tim Stevenson 30 Reputation points

2023-09-20T21:02:42.8833333+00:00

We ended up creating a job with Microsoft, and have been told there is a Known issue in the Backend and it is being investigated.
JamesTran-MSFT 32,846 Reputation points Microsoft Employee

2023-09-25T19:35:11.8266667+00:00

@Joey Karijowiredjo

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Joey Karijowiredjo 20 Reputation points

2023-09-25T19:44:11.8+00:00

It seems indeed that it got fixed by Microsoft. I was suddenly able to create the nested dynamic groups again.

Answer 1

Crystal-MSFT 32,971 Microsoft Vendor

@Joey Karijowiredjo, Thanks for posting in Q&A. Based on my test in my lab, I find I can add the dynamic group rule with device group object id. In the article, it mentioned some limitation with the group. for example: only direct members of the included groups can be included.

User's image

Please ensure the group object id we add meet the requirement.

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Joey Karijowiredjo 20 Reputation points

2023-09-18T06:57:05.59+00:00
I have made sure I'm meeting every requirement!

I'm only including groups where there are only devices and made sure there is no nesting of some sorts. I also checked if the groups weren't already a member of another group. This was not the case as they are standalone and havo no connections to any groups. So with that out of the way I tested it multiple times just to encounter the same error.

I even made newly fresh groups, just to test things out.

I made a NEW (dynamic) group and an already existing dynamic group which only has devices in them.

I even tried with multiple(!) test groups, where I kept making them from scratch. One NEW standalone (dynamic) group and a NEW dynamic group where I want it to be a member of.

I made another NEW dynamic group where I want to include the 2 groups mentioned in step 1. I am using the following rule for this: device.memberof -any (group.objectId -in ['groupId-1', 'groupId-2'])

I save my settings, ultimately to end up with an error message
Joey Karijowiredjo 20 Reputation points

2023-09-18T07:19:20.0433333+00:00

Also, I managed to make a construction like this earlier this week. I also tried modifying a group, where I wanted to add/include another dynamic group to pull in those devices. But then it just suddenly stopped working and giving me errors, despite following along with the MS docs.
Crystal-MSFT 32,971 Reputation points Microsoft Vendor

2023-09-18T07:20:31.3133333+00:00

@Joey Karijowiredjo, Thanks for your confirmation. For your issue, I think it is strange. I suggest open case to check in the background to troubleshoot the issue.

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-get-support

Answer 2

Joey Karijowiredjo 20

Microsoft fixed the issue as I was able to create dynamic nested groups again on the 22nd of September 2023.

Unable to create group membership in a dynamic group

2 answers

Activity