Dynamic membership rules expressions

Flavia 175 Reputation points

I have added an expression inside a security group in Entra ID to include as members only active users with attributes in Exchange (others) equal to E or C, but it is not working. It matches the E or C attribute correctly but still adds users who are disabled as members:

(user.accountEnabled -eq True) and (user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C")

What would be the right expression so the dynamic groups don't take disabled users and take only accounts with certain attributes?


Accepted answer
  1. Alfredo Revilla (MSFT) 21,866 Reputation points Microsoft Employee

    Hello @Flavia, in order to make your Azure AD Dynamic Group match users whose accounts are enabled and who match one of the other or expressions, you need to enclose the or expressions in parentheses. E.g.:

    (user.accountEnabled -eq True) and ((user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C"))

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

    1 person found this answer helpful.
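Why the original rule still admits disabled users, as an added example (not code from the thread or from Microsoft): in dynamic membership rules `and` binds tighter than `or`, so the original rule groups as (enabled and E) or C. The evaluator below is a simplified model written for this page, and `matches`, `members` and the sample users are constructed names and data.

```python
import re

# Simplified model of dynamic-rule evaluation (an assumption, not Microsoft's
# engine): handles -eq, -contains, and/or (with or without "-"), parentheses.
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')

def matches(rule, user):
    """True if `user` (dict) satisfies `rule`; `and` binds tighter than `or`."""
    toks = TOKEN.findall(rule)
    def peek():
        return toks[0].lstrip("-").lower() if toks else None
    def or_expr():                       # lowest precedence
        val = and_expr()
        while peek() == "or":
            toks.pop(0)
            rhs = and_expr()
            val = val or rhs
        return val
    def and_expr():                      # grouped before any `or` is applied
        val = atom()
        while peek() == "and":
            toks.pop(0)
            rhs = atom()
            val = val and rhs
        return val
    def atom():
        if peek() == "(":
            toks.pop(0)
            val = or_expr()
            toks.pop(0)                  # closing ")"
            return val
        prop, op, want = toks.pop(0).split(".", 1)[1], toks.pop(0).lower(), toks.pop(0).strip('"')
        actual = str(user.get(prop, "")).lower()
        if op == "-eq":
            return actual == want.lower()
        if op == "-contains":            # substring test on a string property
            return want.lower() in actual
        raise ValueError(f"unsupported operator {op}")
    return or_expr()

ORIGINAL = '(user.accountEnabled -eq True) and (user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C")'
FIXED = '(user.accountEnabled -eq True) and ((user.extensionAttribute1 -contains "E") or (user.extensionAttribute1 -contains "C"))'
USERS = {  # constructed sample users, not data from the thread
    "enabled_E": {"accountEnabled": True, "extensionAttribute1": "E"},
    "disabled_E": {"accountEnabled": False, "extensionAttribute1": "E"},
    "enabled_C": {"accountEnabled": True, "extensionAttribute1": "C"},
    "disabled_C": {"accountEnabled": False, "extensionAttribute1": "C"},
    "enabled_X": {"accountEnabled": True, "extensionAttribute1": "X"}}

def members(rule):
    return sorted(name for name, u in USERS.items() if matches(rule, u))
```

With the original rule only the disabled "C" account slips in, while the disabled "E" account is excluded; the parenthesized rule drops both.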
