How to exclude users from a dynamic group

Jon Feilding 20 Reputation points
2024-03-28T18:51:35.8966667+00:00

I created the following dynamic group that includes all my M365 licensed users using the following query:

user.assignedPlans -any (assignedPlan.servicePlanId -eq "094e7854-93fc-4d55-b2c0-3ab536xxxxx" -and assignedPlan.capabilityStatus -eq "Enabled")

I'd like to exclude some admin and resource accounts from the group. I tried the following, but it fails saving saying "Dynamic membership rule validation error: mixed use of properties from different types of objects"

user.assignedPlans -any (assignedPlan.servicePlanId -eq "094e7854-93fc-4d55-b2c0-3ab536xxxxx" -and assignedPlan.capabilityStatus -eq "Enabled") -and (user.userPrincipalName -notin ["user1@contoso.com","user2@contoso.com"])

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,823 questions
{count} votes

Accepted answer
  1. Vasil Michev 106.3K Reputation points MVP
    2024-03-29T09:11:41.57+00:00

    Just add some additional ():

    (user.assignedPlans -any (assignedPlan.servicePlanId -eq "094e7854-93fc-4d55-b2c0-3ab536xxxxx" -and assignedPlan.capabilityStatus -eq "Enabled")) -and (user.userPrincipalName -notin ["user1@contoso.com","user2@contoso.com"])

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.