Maximum Size of Dynamic Security Group using user.memberof -any (group.objectId -in ['ObjectID1','ObjectID2'])

SD 0 Reputation points
2024-03-11T18:13:08.3333333+00:00

I can only find information on Preview.

Simple question

Maximum Size of Dynamic Security Group using user.memberof -any (group.objectId -in ['ObjectID1','ObjectID2'])

if you can point to a Microsoft source that is not:

https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-rule-member-of
Preview limitations

  • Each Microsoft Entra tenant is limited to 500 dynamic groups using the memberOf attribute. The memberOf groups count toward the total dynamic group member quota of 5,000.
  • Each dynamic group can have up to 50 member groups.
  • When you add members of security groups to memberOf dynamic groups, only direct members of the security group become members of the dynamic group.
  • You can't use one memberOf dynamic group to define the membership of another memberOf dynamic group. For example, Dynamic Group A, with members of group B and C in it, can't be a member of Dynamic Group D.
  • The memberOf attribute can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail.
  • The dynamic group rule builder and validate feature can't be used for memberOf at this time.
  • The memberOf attribute can't be used with other operators. For example, you can't create a rule that states "Members Of group A can't be in Dynamic group B."

1 answer

  1. Akhilesh 7,235 Reputation points Microsoft Vendor
    2024-03-12T12:34:24.65+00:00

    Hi @SD

    Thank you for reaching out to the community forum!

    By default, each Microsoft Entra tenant is limited to 500 dynamic groups using the memberOf attribute. The memberOf groups count toward the total dynamic group member quota of 5,000. Each dynamic group can have up to 50 member groups.

    Even with custom dynamic rules in place for a Dynamic Security Group, these limits of 500 dynamic groups and a 5,000-group member quota still apply. If you consider that the Microsoft source is not correct, could you please share the documented information or the result of your research on the custom dynamic rules? This will help us and others in the community as well.

    I hope the information above is helpful. 

    If you have any questions or concerns, please feel free to let us know.

    Thanks,

    Akhilesh.

    If the Answer is helpful, please click "Accept the answer" and upvote it.
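
Added example (not part of the original question or answer, and not Microsoft code): a small offline audit that checks exported membership rules against the preview limits quoted in this thread (50 member groups per rule, 500 memberOf dynamic groups per tenant, no memberOf group referencing another memberOf group, no combining memberOf with other rules). The function names, the inventory format and the group IDs are assumptions constructed for illustration.

```python
import re

# Limits as quoted in the thread from the memberOf preview documentation.
MAX_MEMBEROF_GROUPS_PER_TENANT = 500
MAX_MEMBER_GROUPS_PER_RULE = 50

# Rule form from the question: user.memberof -any (group.objectId -in ['id1','id2'])
MEMBEROF_RE = re.compile(
    r"^\s*user\.memberof\s+-any\s+\(\s*group\.objectId\s+-in\s+"
    r"\[(?P<ids>[^\]]*)\]\s*\)\s*$", re.IGNORECASE)

def parse_memberof(rule):
    """Return referenced group IDs, or None if the rule is not a pure memberOf rule."""
    m = MEMBEROF_RE.match(rule)
    if not m:
        return None
    return [p.strip().strip("'\"") for p in m.group("ids").split(",") if p.strip()]

def audit(groups):
    """groups: {object_id: membership_rule}. Returns sorted (object_id, finding) pairs."""
    findings = []
    parsed = {gid: parse_memberof(rule) for gid, rule in groups.items()}
    memberof_ids = {gid for gid, ids in parsed.items() if ids is not None}
    for gid, rule in groups.items():
        ids = parsed[gid]
        if ids is None:
            if "memberof" in rule.lower():
                findings.append((gid, "memberOf combined with other rules or operators"))
            continue
        if len(ids) > MAX_MEMBER_GROUPS_PER_RULE:
            findings.append((gid, f"{len(ids)} member groups exceeds {MAX_MEMBER_GROUPS_PER_RULE}"))
        nested = sorted(set(ids) & memberof_ids)
        if nested:
            findings.append((gid, "references memberOf dynamic group(s): " + ", ".join(nested)))
    if len(memberof_ids) > MAX_MEMBEROF_GROUPS_PER_TENANT:
        findings.append(("tenant", f"{len(memberof_ids)} memberOf groups exceeds "
                                   f"{MAX_MEMBEROF_GROUPS_PER_TENANT}"))
    return sorted(findings)

# Constructed sample inventory; the IDs are placeholders, not real object IDs.
SAMPLE = {
    "grp-a": "user.memberof -any (group.objectId -in ['sec-1','sec-2'])",
    "grp-b": "user.memberof -any (group.objectId -in ['grp-a'])",
    "grp-c": "user.memberof -any (group.objectId -in ['sec-1']) -and (user.city -eq \"Redmond\")",
    "grp-d": "user.memberof -any (group.objectId -in ["
             + ",".join(f"'sec-{i}'" for i in range(51)) + "])",
    "grp-e": "user.department -eq \"Sales\"",
}

if __name__ == "__main__":
    for gid, finding in audit(SAMPLE):
        print(gid, "->", finding)
```

The inventory would normally come from an export of each group's object ID and membership rule; the 5,000 quota mentioned in the thread is not checked here.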