Exclude users from dynamic group via memberOf

Winter, Daniel 0 Reputation points
2024-07-24T12:49:11.8733333+00:00

Hi,

I want to create a Dynamic group that includes all active users except the ones that are within group X.

Background:

I have a SaaS App where I'm using SCIM for provisioning. The whole Organization will get a "default" user role assigned. Users within group X will get Admin access.

Any new user account should automatically be provisioned without IT having to assign them into a group.

Now I have the case where user Joe is within the all active users group as well as in group X. Now user Joe is provisioned only as a default user instead of an admin.

My goal was to exclude any user in group X from the all active user group.

Microsoft Entra ID

4 answers

  1. Vasil Michev 107.7K Reputation points MVP
    2024-07-24T15:30:46.7466667+00:00

    Unfortunately, while we do have the memberOf attribute to leverage for dynamic membership scenarios, it cannot be used with the NOT operator to address the requirements of your scenario. Take a look at the list of current limitations here: https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-rule-member-of#preview-limitations


  2. Sedat SALMAN 13,985 Reputation points MVP
    2024-07-24T20:45:19.4866667+00:00

    In addition to Vasil:

    As he said, there is no direct way, but maybe you can use the following workaround.

    Create one dynamic group (Group A) for all active users.

    Create another dynamic group (Group B) for users in group X.

    Use your provisioning tool to assign the "default" role to Group A and the "admin" role to Group B.


  3. Winter, Daniel 0 Reputation points
    2024-07-25T07:19:57.1033333+00:00

    Thanks for your feedback. Is there maybe another way, during the SCIM attribute mapping with the expression builder, to map the right role?

    As an example: the user Joe is in both groups, which will assign him the roles end-user and admin. During the SCIM attribute mapping there should be an expression that checks if the admin role exists within the appRoleAssignments and, if so, maps this one instead of the end-user role.

    One caveat though is that I simplified the role use case. We have more than just end-users and admins, meaning I would rather need to check if a user has another role assigned than end-user,

    meaning I could have within the appRoleAssignments (end-user, admin), (end-user, staff), (end-user, team-lead)...


  4. Sedat SALMAN 13,985 Reputation points MVP
    2024-07-25T15:06:57.9233333+00:00

    The following articles and approach can work for you:

    https://learn.microsoft.com/en-us/answers/questions/671361/patch-behaviour-when-provisioning-custom-roles-wit

    https://learn.microsoft.com/en-us/entra/identity/app-provisioning/expression-builder

    You can use the AppRoleAssignmentsComplex expression to manage multiple roles and determine the highest-priority role. Here is a concise approach to achieve this;

    maybe this expression can help you:

    AppRoleAssignmentsComplex(
        appRoleAssignments,
        {
            if (any(appRoleAssignments, role -> role.displayName == "Admin")) {
                return "Admin";
            } else if (any(appRoleAssignments, role -> role.displayName == "Staff")) {
                return "Staff";
            } else if (any(appRoleAssignments, role -> role.displayName == "Team-Lead")) {
                return "Team-Lead";
            } else {
                return "End-User";
            }
        }
    )
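An added example, not from the thread and not Microsoft's code: a Microsoft Graph PowerShell audit that lists users who hold more than one app role on the SCIM-provisioned app, directly or through group assignment (the Joe case above), and shows which role an assumed precedence would select. The $AppObjectId value is a placeholder and the $Precedence ordering is an assumption for the example.

```powershell
# Added example (not from the thread): audit a SCIM-provisioned enterprise app for users who
# hold more than one app role, directly or through group assignment, and show which role an
# assumed precedence would pick. Requires the Microsoft.Graph PowerShell module.
$AppObjectId = '<service-principal-object-id-placeholder>'     # enterprise app object id
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null
$Precedence  = @('Admin', 'Team-Lead', 'Staff', 'End-User')   # assumed ordering; first match wins
$rolesByUser = @{}                                            # userId -> @{ Name; Roles }

# Map appRoleId GUIDs to the display names the SCIM mapping sees.
$sp = Get-MgServicePrincipal -ServicePrincipalId $AppObjectId -Property AppRoles
$roleById = @{}
foreach ($r in $sp.AppRoles) { $roleById[[string]$r.Id] = $r.DisplayName }

function Add-UserRole {
    param([string]$UserId, [string]$DisplayName, [string]$Role)
    if (-not $script:rolesByUser.ContainsKey($UserId)) {
        $script:rolesByUser[$UserId] = @{ Name = $DisplayName; Roles = [System.Collections.Generic.HashSet[string]]::new() }
    }
    [void]$script:rolesByUser[$UserId].Roles.Add($Role)
}

function Get-EffectiveRole {
    param([string[]]$Roles)
    foreach ($p in $Precedence) { if ($Roles -contains $p) { return $p } }
    return $Roles[0]   # nothing in the precedence list matched
}
# Walk every assignment made to the app; expand group assignments to their user members.
foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $AppObjectId -All) {
    $role = $roleById[[string]$a.AppRoleId]
    if (-not $role) { $role = 'Default Access' }   # all-zero appRoleId means the app's default role
    switch ($a.PrincipalType) {
        'User'  { Add-UserRole $a.PrincipalId $a.PrincipalDisplayName $role }
        'Group' {
            Get-MgGroupTransitiveMember -GroupId $a.PrincipalId -All |
                Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                ForEach-Object { Add-UserRole $_.Id $_.AdditionalProperties['displayName'] $role }
        }
    }
}

# Report only users with more than one role: their provisioned role depends on which
# assignment the SCIM attribute mapping happens to pick.
$rolesByUser.Values | Where-Object { $_.Roles.Count -gt 1 } | ForEach-Object {
    $roles = @($_.Roles) | Sort-Object
    [pscustomobject]@{
        User          = $_.Name
        AssignedRoles = $roles -join ', '
        EffectiveRole = Get-EffectiveRole $roles
    }
} | Sort-Object User | Format-Table -AutoSize
```

Users that appear in the report are exactly those for whom a precedence rule in the provisioning mapping matters; a user with a single role is provisioned unambiguously regardless of the mapping.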
