Create Dynamic Groups in Entra ID with Location and Group Membership Rules

Dynamic groups in Microsoft Entra ID automatically populate membership based on user attributes (city, state, department) or membership in other groups. This recipe addresses a common requirement: combining location-based criteria with group membership in a single logical grouping — for example, "everyone in a specific region plus everyone in a specific team."

A critical Entra ID limitation drives this design: the memberOf attribute cannot be combined with other rules (like user.city or user.state) in a single dynamic membership rule. Attempting to do so returns a DynamicGroupQueryParseError. The workaround is a three-group architecture: two dynamic groups (one per rule type) rolled up under a static parent group using nested group membership.

Run this recipe when you need to create distribution lists, access groups, or notification targets that combine geographic/organizational attributes with explicit team membership.

After completing this recipe you will have:

• A location-based dynamic security group that auto-populates from user attributes (city, state, country).
• A memberOf dynamic security group that mirrors the membership of a source team/group.
• A static parent security group with both dynamic groups nested as members, providing a single handle for the combined population.
• A reusable architecture pattern for future requests that combine dynamic criteria with group membership.

Known limitations

• memberOf cannot be combined with other rules — this is why we use 3 groups instead of 1.
• Nested group transitivity is inconsistent across M365 services. Group-based licensing, some Conditional Access scenarios, and certain Exchange features do not resolve nested group membership. Test your specific use case.
• Security groups are not mail-enabled. If you need a distribution list for email, create a mail-enabled distribution group or Microsoft 365 group separately — security groups cannot be converted.
• Licensing: Dynamic membership requires Entra ID P1 or P2 licenses for every user in scope. memberOf dynamic groups are in preview with a tenant limit of 500 groups.

Gotchas

• Initial population of dynamic groups can take several minutes after creation — don't panic if membership is empty at first.
• User attributes like city and state are free-text. Your rule must account for variations (e.g., "Vaud" vs "VD").
• Using contains() in Graph $filter on groups is not supported — use startswith() or eq.
• The correct memberOf syntax is user.memberOf -any (group.objectId -in ['guid']), not group.id.