Dynamic membership rules expressions

Flavia 240 Reputation points
2023-09-13T13:23:45.38+00:00

I have added an expression inside of a security group in Entra ID to include as members only active users with attributes in Exchange (others) equal to E or C, but it is not working. It matches the E or C attribute correctly but still includes users who are disabled as members:

(user.accountEnabled -eq True) and (user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C")

What would be the right expression so the dynamic groups don't take disabled users and take only accounts with certain attributes?


Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-09-14T04:47:49.1666667+00:00

    Hello @Flavia, in order to make your Azure AD Dynamic Group match users whose accounts are enabled and one of the other "or" expressions, you need to enclose the "or" expressions in parentheses. E.g.:

    (user.accountEnabled -eq True) and ((user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C"))

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

    1 person found this answer helpful.
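
The precedence issue behind the accepted answer, as an added example that is not part of the original thread or any Microsoft code: a simplified Python model of the rule syntax used above, in which `and` binds tighter than `or`, run over a constructed set of users. The `evaluate` and `members` helpers and the user names are hypothetical, and only `-eq` with True/False and `-contains` as a substring match are modelled.

```python
import re

# Constructed sample directory: name -> (accountEnabled, extensionAttribute1)
USERS = {"enabled-E": (True, "E"), "enabled-C": (True, "C"), "enabled-X": (True, "X"),
         "disabled-E": (False, "E"), "disabled-C": (False, "C")}
ASKED = '(user.accountEnabled -eq True) and (user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C")'
FIXED = '(user.accountEnabled -eq True) and ((user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C"))'

def evaluate(rule, user):
    """Simplified model of a rule: recursive descent where 'and' binds tighter than 'or'."""
    toks, pos = re.findall(r'\(|\)|-\w+|"[^"]*"|[\w.]+', rule), 0
    peek = lambda: toks[pos].lower() if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def atom():
        if peek() == "(":
            take()
            result = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return result
        prop, op, rhs = take(), take().lower(), take()
        lhs = user.get(prop.split(".", 1)[1])
        if op == "-eq":  # only True/False literals are modelled here
            return lhs == (rhs.lower() == "true")
        if op == "-contains":  # substring match on a string property
            return isinstance(lhs, str) and rhs.strip('"').lower() in lhs.lower()
        raise ValueError(f"unsupported operator {op}")
    def and_expr():
        result = atom()
        while peek() == "and":
            take()
            result = atom() and result  # parse the right side first, then combine
        return result
    def or_expr():
        result = and_expr()
        while peek() == "or":
            take()
            result = and_expr() or result
        return result
    return or_expr()

def members(rule):
    return [name for name, (enabled, attr) in USERS.items()
            if evaluate(rule, {"accountEnabled": enabled, "extensionAttribute1": attr})]

if __name__ == "__main__":
    print(members(ASKED), members(FIXED))
```

With the rule as asked, the trailing `or` clause stands on its own, so the disabled account with "C" is still matched while the disabled account with "E" is not; with the parenthesized rule, only enabled accounts remain.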
