Device Group not in specific groups

Question

Device Group not in specific groups

Pavel yannara Mirochnitchenko 13,331 MVP

I am trying to archive a dynamic group with all members which are not in few other dynamic groups (guids below)
I can't create the rule syntax right.

This works:

device.memberof -any (group.objectId -in ['2ea9fcc0-558a-417d-b3c2-5d120eec3344', '93f74880-de12-42c0-a030-48efcef869f2', 'f4ab0800-55a0-4608-9f80-c4dbf32ec1c7'])

But if I try to change -any or -in to -notIn or -not, validation will fail.

Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-30T11:34:11.29+00:00

Hello @Pavel yannara Mirochnitchenko

Thank you for reaching out. I would have this tested in our lab and get back to you with an answer soon.
Pavel yannara Mirochnitchenko 13,331 Reputation points MVP

2022-10-02T15:23:41.937+00:00

So is it so, that this one is impossible to archive today?
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-03T08:10:39.253+00:00

Hello @Pavel yannara Mirochnitchenko

Thats correct as of today using "-notIn" is not a supported for -memberOf attribute.

I hope this helped you and would request you to please "Accept the answer" as this will help us and others in the community as well.
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-04T10:19:09.517+00:00

Hello @Pavel yannara Mirochnitchenko

I just wanted to confirm if below information helped. Would request you to please "Accept the answer" if it helped you. This will help us and others in the community as well.
boonedoggle 0 Reputation points

2023-09-13T16:01:08.0733333+00:00

Any Update on this feature or a work around?
Marlon Braunbeck 0 Reputation points

2024-03-13T13:49:20.55+00:00

We just ran into the same situation: We would like to exclude devices which are already members of another group - is there any news on a workaround / fix for this?
Roger Truss 0 Reputation points

2025-06-11T20:21:29.2766667+00:00

I Have run into a situation where I need to have a dynamic group for office updates that include all devices NOTIN other update groups. Monthly is set as our default (out to all devices) but once a device is placed in another update group it flops back and forth. The excludes section is too slow to process and we still cannot create filters based of off group membership, which would be THE BEST way to process this.

At least now I can stop banging my head on my desk wondering why -notin fails in this design.

Is there a roadmap for this to 1) allow -notin and 2) work as an assignment filter?

1 answer

Your answer

Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-30T11:34:11.29+00:00

Hello @Pavel yannara Mirochnitchenko

Thank you for reaching out. I would have this tested in our lab and get back to you with an answer soon.
Pavel yannara Mirochnitchenko 13,331 Reputation points MVP

2022-10-02T15:23:41.937+00:00

So is it so, that this one is impossible to archive today?
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-03T08:10:39.253+00:00

Hello @Pavel yannara Mirochnitchenko

Thats correct as of today using "-notIn" is not a supported for -memberOf attribute.

I hope this helped you and would request you to please "Accept the answer" as this will help us and others in the community as well.
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-10-04T10:19:09.517+00:00

Hello @Pavel yannara Mirochnitchenko

I just wanted to confirm if below information helped. Would request you to please "Accept the answer" if it helped you. This will help us and others in the community as well.
boonedoggle 0 Reputation points

2023-09-13T16:01:08.0733333+00:00

Any Update on this feature or a work around?
Marlon Braunbeck 0 Reputation points

2024-03-13T13:49:20.55+00:00

We just ran into the same situation: We would like to exclude devices which are already members of another group - is there any news on a workaround / fix for this?
Roger Truss 0 Reputation points

2025-06-11T20:21:29.2766667+00:00

I Have run into a situation where I need to have a dynamic group for office updates that include all devices NOTIN other update groups. Monthly is set as our default (out to all devices) but once a device is placed in another update group it flops back and forth. The excludes section is too slow to process and we still cannot create filters based of off group membership, which would be THE BEST way to process this.

At least now I can stop banging my head on my desk wondering why -notin fails in this design.

Is there a roadmap for this to 1) allow -notin and 2) work as an assignment filter?

Answer 1

Hello @Pavel yannara Mirochnitchenko

Thank you for being patient while I was trying to reproduce this issue. I found that device.memberof or user.memberof is specifically designed to create dynamic groups that populate by adding members of other groups. As of today, rule editor does not support -notIn or -not for memberOf attribute. We validate this from AAD response when creating a rule with -notIn operator for memberOf attribute.

You can refer following screenshot which shows the error message when you try to validate or save the rule device.memberof -any (group.objectId -notIn ['2272dd76-71ee-465f-902f-cefa8f30c4a0'])

For more information you can refer following documentation links:

Group membership in a dynamic group (preview) in Azure Active Directory: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of
Dynamic membership rules for groups in Azure Active Directory: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

I hope this helps and resolves your query.

----------

Please "Accept the answer" if it helped you. This will help us and others in the community as well.

Share via

Device Group not in specific groups

1 answer

Your answer