This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 31%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Hi,
I want to exclude all disabled users from a Dynamic Distribution Group but I am not sure of the syntax I would use.
This is the current syntax.
(user.country -eq "Gibraltar") or (user.country -eq "Hungary") or (user.country -eq "Isle of Man") or (user.country -eq "Malta")
I am trying to use
(user.country -eq "Gibraltar") or (user.country -eq "Hungary") or (user.country -eq "Isle of Man") or (user.country -eq "Malta") -and -not (user.accountEnabled -eq false) which is accepted but I am not seeing disabled users disappear from the list.
It's been around 30 minutes since I updated the Syntax in the rule, could I have it wrong?
Hi @Dean Hoile
You should correct this statement to:
((user.country -eq "Gibraltar") or (user.country -eq "Hungary") or (user.country -eq "Isle of Man") or (user.country -eq "Malta")) and (user.accountEnabled -eq false)
Then try the Validate Rules (preview)
-----------------------------------
If this is helpful please accept answer.
Thanks for the help!
I was attempting to use the rule validation tool (have used it in a previous job and worked) but I seem to be getting a permissions error in Azure AD when trying to validate a rule for a dynamic group.
The error is: insufficient privileges to update the membership rule for the group.
I have looked trough forums and posts but haven't seen any with this specific issue, I have GA access so there should be no issues with permissions as far as I can tell.
Also can't see the rule removing disabled users yet, still testing but any help will be very appreciated.
@Dean Hoile
Thank you for following up on this!
From your error message - insufficient privileges to update the membership rule for the group, can you double check your user's permission on the Overview tab of Azure AD? Please keep in mind that, assigning one of the required roles (Global Administrator, Groups Administrator, or Intune Administrator) via indirect group membership is not yet supported.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 98%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDF%3C/text%3E%3C/svg%3E)
If the goal is to exclude disabled accounts shouldn't the rule be:
((user.country -eq "Gibraltar") or (user.country -eq "Hungary") or (user.country -eq "Isle of Man") or (user.country -eq "Malta")) and (user.accountEnabled -eq true)
@Dean Hoile
Thank you for your post!
Adding onto what @Dillon Silzer mentioned, since you didn't see your Dynamic Security Group update after configuring the membership rules. You can definitely leverage the Validate a dynamic group membership rule (preview) feature to validate your dynamic rule, and confirm the rule is working as expected.
Please keep in mind that depending on the size of your Azure AD organization, the group may take up to 24 hours for populating for the first time or after a rule change. For more info - Troubleshooting dynamic memberships for groups.
(user.country -eq "Gibraltar") and (user.country -eq "Hungary") and (user.country -eq "Isle of Man") and (user.country -eq "Malta") and (user.accountEnabled -eq false)
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Thanks for the feedback and assistance.
So I tried to set this up in my 365 test environment and it works as expected (see image below) except that I used (user.country -eq "Gibraltar") or (user.country -eq "Hungary") or (user.country -eq "Isle of Man") or (user.country -eq "Malta") and (user.accountEnabled -eq true) and not (user.country -eq "Gibraltar") or (user.country -eq "Hungary") or (user.country -eq "Isle of Man") or (user.country -eq "Malta") and (user.accountEnabled -eq false)
So I believe it works but on my live 365 tenant it is not showing this behaviour. The users not in the group by the validation tool do not have a country set so did not get added to the group.
@Dean Hoile
Thank you for following up on this and for pointing out that you used Or, since I completely missed that!
When it comes to your 365 tenant not showing the same behavior as the Validate Rules page, can you share the details for one user where the behavior isn't working as expected?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
@Dean Hoile
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Sorry for the delay, I have a case open with Microsoft now as none of my colleagues can use this feature and we have the required permissions.
Essentially we can't run the validate rules feature agains't any persons at all in our AAD tenant.
You can mark this as solved.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 64%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
@Dean Hoile , Did you ever resolve this with Microsoft? We are in the same boat!