Share via

Dynamic Membership Rule

Glenn Maxwell 12,621 Reputation points
2023-08-13T07:00:21.07+00:00

Hi All

i want to convert an office365 unified group as dynamic. In Azure AD, Under Groups, i have selected the group-->dynamic membership rules i have added the below rule syntax and it is working fine.

(user.accountEnabled -eq true) -and (user.department -startsWith "1234")

Before converting unified group to dynamic, i want to validate the query i.e by exporting users list. I want to excecute something like the below in Azure AD and get the members list. Please guide me. In some cases the query can be wrong, i want to first execute the query by connecting to Azure AD and if it looks good then i can add to dynamic membership rule

$rule ="(user.accountEnabled -eq true) -and (user.department -startsWith "1234")"
Get-ADUser -Filter $rule -Properties DisplayName,SamAccountName,EmailAddress,Userprincipalname,title,Office,DepartmentNumber,employeeNumber,Manager|
Select DisplayName,SamAccountName,EmailAddress,Userprincipalname,title,Office,DepartmentNumber,employeeNumber,Manager| Export-csv C:\temp\output.csv -Notypeinformation
Microsoft Exchange Online
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,931 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,849 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,628 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,168 questions
Accepted answer
  1. Brian Zarb 1,670 Reputation points
    2023-08-13T09:05:15.85+00:00

    The approach you're suggesting is on the right track, but there are some nuances to take into consideration.

    Here's a guide to achieve this:

    Connect to Azure AD:
Connect-AzureAD

    Write and Execute the Query:

    The Get-ADUser cmdlet is specific to on-prem AD so you can't use this with Azure. Instead, you'll use Get-AzureADUser.

    unfortunately, this cmdlet doesn't directly support the complex filter like you've mentioned, so you'll fetch all users and filter them in PowerShell.

    $rule = {
    $_.AccountEnabled -eq $true -and $_.Department -like "1234*"
}
# Fetch all Azure AD users and filter based on the rule
$filteredUsers = Get-AzureADUser -All $true | Where-Object $rule
# Select the necessary properties and export to a CSV
$filteredUsers | Select-Object DisplayName,UserPrincipalName,Mail,Department,JobTitle,OfficeLocation | Export-Csv C:\temp\output.csv -NoTypeInformation

    Note: Ensure to adjust the attributes to match those available in Azure . The ones you've mentioned like SamAccountName, EmailAddress, etc. are not directly available as-is in Azure AD, but they have their counterparts. For example, UserPrincipalName is similar to SamAccountName in many use-cases, and Mail is the email address.

    Once you validate the users exported in the CSV match your expectations, you can confidently apply the rule to the dynamic group in Azure AD.

    If you found this helpful kindly mark it as the answer and consider following! Thank you

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.