No 'Match' Operator in Dynamic Membership Rules

Question

Hello, I'm needing to add syntax to a dynamic group to pull in any UPN starting with a certain # followed by 4 additional #'s. I've found the syntax that will fit what I need; however, it includes a 'match' operator and I'm not seeing 'match' as an operator choice despite MS docs I've looked at saying it's an option. If that is no longer an option, what of the available operator choices would mimic a 'match'? I've tried several to no avail.

Answer 1

The match operator is supported, as mentioned in the official documentation: https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership#supported-expression-operators

While the Expression builder UI does not expose the match operator (this is Microsoft's way of discouraging people from using it), you can still paste a rule containing it (use the Edit button on the far right), and save the changes. Alternatively, you can configure the rule via Graph API or PowerShell.

Answer 2

Hello @Singleton, Heather,

The match is supported in dynamic group membership rules but has limitations from UI front.

Unfortunately, dynamic rules can’t evaluate patterns or use regex hence -match operator may not work in the current scenario when you want to match for 5 certain characters.

You can try using -startsWith operator if the pattern you want to match for is consistent.

If you want to use -match operator, try utilizing PowerShell or Graph API to update the group membership based on regex, you will need to schedule the script for regular update to the group.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".