![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 10%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
check for the following:
- Check Syntax: Make sure the syntax of your dynamic rule is correct. A small typo can disrupt the expected behavior.
- Attribute & force Update: Ensure that the
userPrincipalNameor any other attributes referenced in the rule are correctly updated for the user you wish to remove. also, sometimes, it takes a while for the changes to propagate. You can try to force a manual update of the group's membership by triggering a re-evaluation of the dynamic user or group membership. - AAD id matched on-prem ID: This is something definitely worth checking, verify that the immutable of the object matches the one of their cloud identity.
$user = Get-ADUser -Identity 'INSERTHERE' -Properties 'ObjectGUID'
$immutableID = [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
compare this with the immutable ID in the cloud