Why would I get different lists of users when I use OR in a dynamic group rule versus using two separate rules?

Jon Pope X 25 Reputation points

I am trying to build a dynamic group based on the existence of an Office 365 Exchange Plan 1 or 2 associated with my users. I am using the following syntax in my rule.

(user.assignedPlans -any (assignedPlan.servicePlanId -eq "9aaf7827-d63c-4b61-89c3-182f06f82e5c" or assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled"))


This rule returns 363 users using the OR statement.

When i separate the Exchange Plan 1 and Plan 2 into their own queries I get a different total. My p1 query is thus:

(user.assignedPlans -any (assignedPlan.servicePlanId -eq "9aaf7827-d63c-4b61-89c3-182f06f82e5c" -and assignedPlan.capabilityStatus -eq "Enabled"))

it returns 113 users.

My p2 query is thus:

(user.assignedPlans -any (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled"))

and returns 194. The math does not make sense to me. Where are the 56 extra records coming from?

Thank you for any help you can offer.

Jon Pope, IT Manager Tempo Inc.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,767 questions
0 comments No comments
{count} vote

Accepted answer
  1. Navya 4,395 Reputation points Microsoft Vendor

    Hi @Jon Pope X

    Thank you for posting this in Microsoft Q&A.

    I understand that you are got different lists of users when you use OR in a dynamic group rule versus using two separate rules.

    The OR operator is being used to determine if any plan assigned matches Plan 1 or Plan 2, and then filtering further based on the capability status. The AND operator only applies to the second part of the OR statement.

    Can you please try to use syntax like the following

    (user.assignedPlans -any (
        (assignedPlan.servicePlanId -eq "9aaf7827-d63c-4b61-89c3-182f06f82e5c" and assignedPlan.capabilityStatus -eq "Enabled") or 
        (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" and assignedPlan.capabilityStatus -eq "Enabled")

    Please inform me in the comments section if you are experiencing the same results as before.



    If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more