Share via

Exclude users from dynamic group via memberOf

Winter, Daniel 0 Reputation points
2024-07-24T12:49:11.8733333+00:00

Hi,

I want to create a Dynamic group that includes all active users except once that are within group X

Background:

I have a SaaS App where I'm using SCIM for provisioning. The whole Organization will get a "default" user role assigned. Users within group X will get Admin access.

Any new user account should automatically be provisioned without IT having to assign them into a group.

Now I have the case where user Joe is within the all Active users group as well as in group X. Now user Joe is provisioned only as a default user instead of an admin.

My goal was to exclude any user in group X from the all active user group.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sedat SALMAN 14,530 Reputation points MVP
    2024-07-25T15:06:57.9233333+00:00

    the following article and approach can work for you

    https://learn.microsoft.com/en-us/answers/questions/671361/patch-behaviour-when-provisioning-custom-roles-wit

    https://learn.microsoft.com/en-us/entra/identity/app-provisioning/expression-builder

    you can use the AppRoleAssignmentsComplex expression to manage multiple roles and determine the highest priority role. Here is a concise approach to achieve this

    maybe this expression can help you 

    AppRoleAssignmentsComplex(
    appRoleAssignments,
    {
        if (any(appRoleAssignments, role -> role.displayName == "Admin")) {
            return "Admin";
        } else if (any(appRoleAssignments, role -> role.displayName == "Staff")) {
            return "Staff";
        } else if (any(appRoleAssignments, role -> role.displayName == "Team-Lead")) {
            return "Team-Lead";
        } else {
            return "End-User";
        }
    }
)

    Was this answer helpful?

  2. Winter, Daniel 0 Reputation points
    2024-07-25T07:19:57.1033333+00:00

    Thanks for your feedback. Is there maybe another way during the scim attribute mapping with the expression builder a way to map the right role.

    As an example. The user Joe is in both groups which will assign them the role end-user and admin. During the scim attribute mapping there should be an expression that checks if the within appRoleAssignments the admin role exists and if so map this one instead the end-user role.

    One caveat thoug is that I simplifed the role use case. We have more than just end-user and admins. Meaning I would rather need to check if a user has another role assigned than end-user

    meaning I could have within the appRoleAssignments (end-user, admin), (end-user, staff), (end-user, team-lead)...

    Was this answer helpful?

    0 comments
  3. Sedat SALMAN 14,530 Reputation points MVP
    2024-07-24T20:45:19.4866667+00:00

    in addition to Vasili

    as he said there is no direct way but maybe you can use the following workaround

    Create one dynamic group (Group A) for all active users.

    Create another dynamic group (Group B) for users in group X.

    Use your provisioning tool to assign the "default" role to Group A and the "admin" role to Group B.

    Was this answer helpful?

  4. Vasil Michev 126.4K Reputation points MVP Volunteer Moderator
    2024-07-24T15:30:46.7466667+00:00

    Unfortunately, while we do have the memberOf attribute to leverage for dynamic membership scenarios, it cannot be used with the NOT operator to address the requirements of your scenario. Take a look at the list of current limitations here: https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-rule-member-of#preview-limitations

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.