Dynamic membership rules expressions

Question

Dynamic membership rules expressions

Flavia 175

I have added an expression inside of a security group in Entra ID, to member only active users with attributes in exchange (others) equal to E or C but it is not working. IT matches correctly the E or C attribute but still members user who are disabled:

(user.accountEnabled -eq True) and (user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C") What would be the right expression so the dynamic groups don't take disabled users and take only accounts with certain attributes?

Answer 1

Alfredo Revilla (MSFT) 21,866 Microsoft Employee

Hello @Flavia , in order to make your Azure AD Dynamic Group matches users whose account are enabled and one of other or expressions you need to enclose the or expressions in parentheses. Eg:

(user.accountEnabled -eq True) and ((user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C"))

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Flavia 175 Reputation points

2023-09-14T16:44:08.87+00:00

I used it as you said but again another user who is disabled shows as a member to that dynamic group,
Flavia 175 Reputation points

2023-09-14T16:48:50.5366667+00:00
Flavia 175 Reputation points

2023-09-14T16:50:42.6966667+00:00

Nevermind It worked after 5 minutes. Thank you!

Dynamic membership rules expressions

0 additional answers

Activity