Dynamic membership groups in Microsoft Entra ID (formerly Azure Active Directory) are a powerful way to automate group management. With the memberOf attribute, administrators can automatically include users who are direct members of other security groups, Microsoft 365 groups, or synced on-premises AD groups.
But while the functionality is straightforward, the licensing rules often cause confusion. Can a single tenant license unlock dynamic membership? Or does every user need a license? Let’s break it down.
What Is the memberOf Attribute?
The memberOf attribute allows you to build dynamic groups that automatically pull in all direct members of specified groups.
Key details to know:
- Each tenant can have up to 500 dynamic groups using memberOf.
- Each dynamic group can include up to 50 source groups.
- Nested groups are not supported; only direct members count.
- You cannot combine memberOf with other dynamic rule operators.
- A dynamic group built with memberOf cannot itself be used in another memberOf rule.
- These rules can sometimes result in slower processing on large tenants.
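The limits above can be checked before a memberOf group is created rather than discovered after the rule is rejected or silently never populates. The following Microsoft Graph PowerShell script is an added example for this post, not Microsoft's own tooling: it assumes the Microsoft.Graph module is installed, that the signed-in account holds Group.Read.All, and that $SourceGroupIds (placeholder GUIDs here) lists the intended source groups. It counts the tenant's existing memberOf groups against the 500 limit, the source list against the 50 limit, and flags any source group that is itself a memberOf dynamic group, then prints the rule in the documented memberOf syntax.

```powershell
# Added example: pre-flight checks for a new memberOf dynamic group.
# Assumes the Microsoft.Graph PowerShell SDK and the Group.Read.All scope.
Connect-MgGraph -Scopes "Group.Read.All"

# Placeholder object IDs of the intended source groups; replace with real values.
$SourceGroupIds = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

$problems = @()

# Limit: at most 50 source groups per memberOf rule.
if ($SourceGroupIds.Count -gt 50) {
    $problems += "Rule references $($SourceGroupIds.Count) source groups; the limit is 50."
}

# Limit: at most 500 memberOf-based dynamic groups per tenant.
# All dynamic groups are fetched once, then narrowed to rules that use user.memberof.
$dynamicGroups = @(Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
    -Property Id,DisplayName,MembershipRule)
$memberOfGroups = @($dynamicGroups | Where-Object { $_.MembershipRule -match 'user\.memberof' })
if ($memberOfGroups.Count -ge 500) {
    $problems += "Tenant already has $($memberOfGroups.Count) memberOf dynamic groups; the limit is 500."
}

# Constraint: a source group may not itself be a memberOf dynamic group.
foreach ($id in $SourceGroupIds) {
    $src = $memberOfGroups | Where-Object { $_.Id -eq $id }
    if ($src) {
        $problems += "Source group '$($src.DisplayName)' ($id) is itself a memberOf dynamic group; not allowed."
    }
}

# Build the rule in the documented form:
#   user.memberof -any (group.objectId -in ['<id>', '<id>'])
$quoted = $SourceGroupIds | ForEach-Object { "'$_'" }
$rule = "user.memberof -any (group.objectId -in [$($quoted -join ', ')])"

if ($problems.Count -eq 0) {
    Write-Host "Rule is within the documented limits:`n$rule"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The script deliberately does not combine the memberOf clause with any other operator, since the post notes that such combinations are not supported; if you need an additional attribute filter, it belongs in a separate dynamic group.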
Licensing Requirements: Per-User, Not Per-Tenant
This is where many admins stumble.
Microsoft requires a Microsoft Entra ID P1 or P2 license for every unique user included in any dynamic membership group.
That means:
- You do not need to manually assign licenses to each user.
- But your tenant must own enough licenses to cover the total number of unique users across all dynamic groups.
📌 Example: If 1,000 unique users are members of dynamic groups, your tenant must have at least 1,000 Entra ID P1 (or P2) licenses.
As Microsoft MVP Vasil Michev explained:
“You don’t have to assign licenses to users for them to be members of dynamic membership groups, but you must have the minimum number of licenses in the Microsoft Entra organization to cover all such users.”
No Licensing Needed for Devices
Dynamic membership also works for devices. The good news?
If you create dynamic groups for devices based on attributes, no license is required.
This licensing model applies only to user-based dynamic groups.
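Because the requirement is per unique user across every user-based dynamic group, the number you need to compare against your P1/P2 capacity is not visible in any single group. The script below is an added example written for this post, not code from Microsoft or the quoted MVP. It assumes the Microsoft.Graph PowerShell SDK with the Group.Read.All, GroupMember.Read.All and Organization.Read.All scopes, and it relies on the service plan names AAD_PREMIUM (P1) and AAD_PREMIUM_P2 (P2), which appear inside suite SKUs such as EMS or Microsoft 365 E3/E5 as well as in standalone Entra ID P1/P2 SKUs. Device-based dynamic groups are excluded, matching the licensing note above.

```powershell
# Added example: count unique users across all user-based dynamic groups and
# compare the total with the tenant's enabled Entra ID P1/P2 units.
Connect-MgGraph -Scopes "Group.Read.All","GroupMember.Read.All","Organization.Read.All"

# Every dynamic membership group in the tenant, user- and device-based alike.
$dynamicGroups = @(Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
    -Property Id,DisplayName,MembershipRule)

# Only user-based rules consume licenses; device rules use the device.* attributes.
$userGroups = @($dynamicGroups | Where-Object { $_.MembershipRule -match '\buser\.' })

# A hash set de-duplicates users who appear in several dynamic groups.
$uniqueUsers = [System.Collections.Generic.HashSet[string]]::new()
foreach ($g in $userGroups) {
    # Get-MgGroupMember returns directory objects; keep only user objects.
    foreach ($m in @(Get-MgGroupMember -GroupId $g.Id -All)) {
        if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            [void]$uniqueUsers.Add($m.Id)
        }
    }
}

# Sum enabled units of every SKU that carries a P1 or P2 service plan.
# A SKU that includes both plans (e.g. an E5 suite) is counted once.
$premiumPlans = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
$licensed = 0
foreach ($sku in Get-MgSubscribedSku) {
    $hasPremium = $sku.ServicePlans.ServicePlanName | Where-Object { $premiumPlans -contains $_ }
    if ($hasPremium) {
        $licensed += $sku.PrepaidUnits.Enabled
    }
}

[pscustomobject]@{
    UserDynamicGroups = $userGroups.Count
    UniqueUsers       = $uniqueUsers.Count
    P1P2Licenses      = $licensed
    Shortfall         = [Math]::Max(0, $uniqueUsers.Count - $licensed)
}
```

A non-zero Shortfall means the tenant does not own enough P1/P2 units to cover the users currently placed by dynamic rules; since the licenses do not need to be assigned, only owned, the fix is to purchase additional units or reduce the number of users the rules pull in.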
Best Practices for Using memberOf
To stay compliant and avoid performance issues, follow these tips:
✅ Count your unique users across all dynamic groups and ensure your tenant has enough licenses.
✅ Test rules on smaller groups first before rolling out widely.
✅ Avoid nesting or complex rule combos—they aren’t supported.
✅ Monitor processing performance in large environments.
✅ Plan license allocation strategically, especially in hybrid environments.
Quick Reference Table
| Feature | Details |
|---|---|
| Max memberOf dynamic groups | 500 per tenant |
| Source groups per dynamic group | 50 |
| Nested group support | ❌ Not supported |
| Licensing requirement | 1x Entra ID P1/P2 license per unique user across all dynamic groups |
| Devices | No license required |
| Performance impact | Possible delays in large environments |
Final Thoughts
Dynamic membership groups with the memberOf attribute can save admins huge amounts of time by automating group membership. However, the licensing rules are strict: every unique user in a dynamic group must be covered by a P1 or P2 license.
Don’t rely on a single tenant license—it won’t keep you compliant. Instead, plan your licenses per user and use dynamic groups strategically for maximum benefit.
By following these best practices, you’ll stay compliant and make the most of Microsoft Entra ID’s automation capabilities.