As of right now, the only supported properties that can be used with Dynamic membership rules can be found here:
For your scenario, you could use the following:
- user.dirSyncEnabled -eq false (to identify cloud-only identities)
- user.mail -eq null (to identify users with no mail assigned)
If you'd like this feature to be implemented to leverage MSExchangeOnline attributes, I'd recommend leveraging the User Voice forum and creating a feature request, so that engineering teams can look into implementing this. There is already a Community Idea on this for custom security attributes:
- If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!