Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,367 questions
Dynamic Group rule MemberOf another group but exclude a few users
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 13%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFJ%3C/text%3E%3C/svg%3E)
Filbrun, Jordan A
0
Reputation points
I have a dynamic group that I am struggling to get working. Here is the rule syntax:
user.memberof -any (group.objectId -in ['objectID']) -AND (user.userPrincipalName -notIn ["user1@contoso.com","user2@contoso.com"])
The group has all regular employees at the company, and I want to exclude just a few members. Why is this syntax not working? It works with everything before the -AND but adding the second part breaks it.
{count} votes
-
James Hamil 24,311 Reputation points Microsoft Employee2024-08-27T20:13:42.85+00:00 Hi @Filbrun, Jordan A , what's not working about it? Are you getting an error? The
userPrincipalNameattribute is case-sensitive, so make sure that you are using the correct capitalization for the email addresses you are trying to exclude.Check if the users you are trying to exclude are actually members of the group you are using in the
memberOfclause. If they are not members of that group, then the rule will not work as expected. -
Filbrun, Jordan A 0 Reputation points
2024-08-27T20:25:37.94+00:00 The Dynamic Rules processing status is "failed". I dont see any other errors. If I edit the rules and try to save it when the syntax is wrong, it won't allow me to save but it is saving as you see it in the post so the syntax seems correct. I have verified the UPNs are correct case wise. The users are members of the group.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 94%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETL%3C/text%3E%3C/svg%3E)
Thangaraj Lakshmanan 185 Reputation points2024-08-28T13:26:25.35+00:00 Hi @Filbrun, Jordan A , Good day !
Give a try on the below syntax, it may help you on this matter.
(user.memberof -any (group.objectId -in ['objectID'])) -AND (user.userPrincipalName -notIn ["user1@contoso.com","user2@contoso.com"])
Regards,
Lakshmanan T -
Filbrun, Jordan A 0 Reputation points
2024-08-28T21:08:24.1033333+00:00 Based on the Docs and the Preview status of the memberOf functionality, it seems that nothing outside of merging groups in a list is supported. I can't believe we still don't have this functionality as it would be immensely useful.
-
James Hamil 24,311 Reputation points Microsoft Employee
2024-08-29T18:52:07.8+00:00 @Filbrun, Jordan A can you try one last query for me?
(user.userType -eq "Member") and (user.objectId -in (user.memberOf -any (group.objectId -eq 'objectID'))) and (user.userPrincipalName -notIn ["user1@contoso.com","user2@contoso.com"]) -
James Hamil 24,311 Reputation points Microsoft Employee
2024-09-03T19:22:59.6+00:00 Hi @Filbrun, Jordan A , did you need any more help with this question? Please let me know and I can help you further.
Thank you,
James
-
James Hamil 24,311 Reputation points Microsoft Employee
2024-09-04T19:02:36.13+00:00 Hi @Filbrun, Jordan A , did you need any more help with this question? Please let me know and I can help you further.
Thank you,
James
Sign in to comment
Sign in to answer