Azure Dynamic Groups

Question

Azure Dynamic Groups

Brett Johnson 91

I am trying to use the "(user.memberof -any (group.objectId -in ['Value']) rule to dynamically add anyone from a static security group to this group. Reason for this is to minimize having to change any internal employees and allow a group to be manually changed for external users. I get the error "Dynamic membership rule validation error: Invalid object type. Invalid object type '(user' specified on property 'memberof'. This rule is listed in the documentation, any insight on how to fix this?

1 answer

Your answer

Answer 1

Harpreet Singh Matharoo 8,396 Microsoft Employee Moderator

Hello @Brett Johnson

Thank you for reaching out. I see you are using in correct syntax (user.memberof -any (group.objectId -in ['Value']). When using the syntax you have shared we are bound to get error which states as below:

I would request you to please remove bracket in the start of the rule. Correct syntax to use memberof property would be as follows:

user.memberof -any (group.objectId -in ['groupId', 'groupId'])

For more details, please review following document: Steps to create a memberOf dynamic group

I hope this helps.

----------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Brett Johnson 91 Reputation points

2022-12-07T23:13:28.673+00:00

This worked! Follow up question, we are setting the main group as dynamic but have a separate security group for our external users. When adding the parameters, it is still not including the external user. What am I missing?
James Richardson 5 Reputation points

2023-02-21T16:29:14.92+00:00

Was the second issue ever sorted? Facing a similar problem, getting annoyed of seeing the little red crosses at this point.

Ignore me, the rule works fine, but for whatever reason the validation doesn't reflect this.
KatTer 6 Reputation points

2023-10-20T11:49:13.21+00:00

How can i combine condition for group membership with other one without brackets? For example:

(user.attrbute1 -eq "value1") -and (user.memberof -any (group.objectId -in ['groupId', 'groupId']) -or (user.attribute2 -eq value2))
Jesse Litton 16 Reputation points

2023-10-20T20:50:33.5733333+00:00

Parsing of user.memberof is definitely bugged. As pointed out above, you can't use parenthesis to separate expressions using it from additional expressions. And, if you just throw another "-and" clause at the end, the rule will be accepted by the parser but go to a 'failed' processing status - with nothing in the audit log to let you know why.

Say you want to create a dynamic group that contains only the employees (i.e. exclude contractors) of another group. It won't work, because you can't add the second clause to include only employees. Memberof doesn't seem fit for any purpose other than duplicating groups, as it is right now.

Either of those expressions above works alone, but will fail together (and it doesn't matter if you replace "and" with "-and").
Ken Sparks 10 Reputation points

2023-10-25T13:49:57.62+00:00

So, I have a similar issue the syntax "not device.memberof -any (group.objectId -in ['xxx-xxxxxx'])" is failing with the same message.

I am trying to exclude pc's without a TPM from a dynamic group. I have them in a static group already, but cannot get this to save.

I get the same error as above.

Share via

Azure Dynamic Groups

1 answer

Your answer