Dynamic Membership Rules, remove user

Josh Endicott 0 Reputation points
2023-09-26T19:18:14.8933333+00:00

I have a group in Entra with a dynamic membership rule.

I need to remove a user from this group, and although I added them to the Not in for the userPrincipalName the user was not removed.

Please advise.

Microsoft Entra ID

1 answer

Sort by: Most helpful
  1. Brian Zarb 1,650 Reputation points
    2023-09-26T19:52:26.7633333+00:00

    Check for the following:

    1. Check Syntax: Make sure the syntax of your dynamic rule is correct. A small typo can disrupt the expected behavior.
    2. Attribute & force Update: Ensure that the userPrincipalName or any other attributes referenced in the rule are correctly updated for the user you wish to remove. Also, sometimes it takes a while for the changes to propagate. You can try to force a manual update of the group's membership by triggering a re-evaluation of the dynamic user or group membership.
    3. AAD ID matched to on-prem ID: This is something definitely worth checking; verify that the immutable ID of the object matches the one of their cloud identity.

    # Read the on-prem AD user (replace 'INSERTHERE' with the sAMAccountName or DN)
    $user = Get-ADUser -Identity 'INSERTHERE' -Properties 'ObjectGUID'
    # Entra's ImmutableId is the base64 encoding of the on-prem ObjectGUID
    $immutableID = [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray())

    Compare this with the immutable ID in the cloud.
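A Graph PowerShell walk-through of the three checks above, as an added example that is not part of the original answer: it assumes the Microsoft.Graph PowerShell SDK is installed (plus the RSAT ActiveDirectory module for the on-prem step), and the group ID and UPN below are placeholder/constructed values to replace with your own.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph PowerShell SDK;
# ActiveDirectory module only needed for the on-prem cross-check at the end.
$GroupId      = '<group-object-id>'        # placeholder: object ID of the dynamic group
$UpnToExclude = 'jdoe@contoso.example'     # constructed sample UPN

Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.Read.All'

# 1. Read the current rule. An exclusion must be AND-ed onto the existing rule:
#    OR-ing a "-notIn" clause widens the rule instead of removing anyone.
$group = Get-MgGroup -GroupId $GroupId -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState
Write-Host "Current rule: $($group.MembershipRule)"

$exclusion = "(user.userPrincipalName -notIn [`"$UpnToExclude`"])"
if ($group.MembershipRule -notmatch [regex]::Escape($UpnToExclude)) {
    $newRule = "($($group.MembershipRule)) -and $exclusion"
    # Saving a changed rule makes Entra re-evaluate the whole group. Processing must be
    # 'On' rather than 'Paused', or no member will ever be added or removed.
    Update-MgGroup -GroupId $GroupId -MembershipRule $newRule -MembershipRuleProcessingState 'On'
    Write-Host "Updated rule: $newRule"
}

# 2. Verify the user is gone once evaluation has completed (this can take a while).
$cloudUser   = Get-MgUser -UserId $UpnToExclude -Property Id,UserPrincipalName,OnPremisesImmutableId
$stillMember = Get-MgGroupMember -GroupId $GroupId -All | Where-Object { $_.Id -eq $cloudUser.Id }
if ($stillMember) { Write-Host "Still a member: evaluation pending, or the rule did not match this object." }
else              { Write-Host "User is no longer a member of $($group.DisplayName)." }

# 3. Cross-check the synced identity: the cloud OnPremisesImmutableId must equal the
#    base64-encoded on-prem ObjectGUID, otherwise the rule is evaluating a different object.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $adUser   = Get-ADUser -Filter "UserPrincipalName -eq '$UpnToExclude'" -Properties ObjectGUID
    $onPremId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    if ($onPremId -ne $cloudUser.OnPremisesImmutableId) {
        Write-Warning "ImmutableId mismatch: on-prem $onPremId vs cloud $($cloudUser.OnPremisesImmutableId)"
    } else {
        Write-Host "ImmutableId matches: $onPremId"
    }
}
```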

