Creating a Dynamic Group for All Members Under a Senior VP

Niranjan T Pattana Shetty 291 Reputation points
2025-04-24T18:23:18.2066667+00:00

A dynamic group is needed that includes all members under a Senior VP in Azure Active Directory. The approach involves listing all managers under the SVP and using the user.manager attribute to construct the dynamic query. The resulting query script output appears as follows:

(user.manager -eq "managerobjectId") -or (user.manager -eq "managerobjectId") -or ...

Questions:

  1. Is this syntax and query valid for an Azure dynamic group?
  2. Is there an alternative approach that doesn't require custom attributes, especially considering that the query would need to be reconstructed if a manager under the SVP leaves the organization?

Below is the PowerShell script used for this process:

# Load Microsoft Graph (Microsoft.Graph.Users provides the cmdlets used here)
#Import-Module Microsoft.Graph
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All"
# Set your SVP's UPN or Object ID
$svpIdOrUpn = "******@domain.com"
# Recursive function to get all users under a given manager
function Get-AllReportees {
    param (
        [string]$ManagerId
    )
    $allReportees = @()
    try {
        # @() keeps a single direct report as an array instead of a scalar
        $directReports = @(Get-MgUserDirectReport -UserId $ManagerId -All)
    } catch {
        # ${ManagerId} is needed because "$ManagerId:" would be parsed as a scoped variable
        Write-Warning "Failed to get direct reports for ${ManagerId}: $_"
        return @()
    }
    foreach ($user in $directReports) {
        $allReportees += $user
        # Recurse into each report's own reports
        $allReportees += @(Get-AllReportees -ManagerId $user.Id)
    }
    return $allReportees
}
# Step 1: Get SVP object
# Get-MgUser reports an error for an unknown ID rather than returning $null, so suppress it and test the result
$svp = Get-MgUser -UserId $svpIdOrUpn -ErrorAction SilentlyContinue
if (-not $svp) {
    Write-Host "❌ Could not find user with ID or UPN: $svpIdOrUpn" -ForegroundColor Red
    return
}
# Step 2: Recursively get all reportees
Write-Host "`n🔍 Fetching reportees under SVP: $($svp.DisplayName)`n"
$reportees = @(Get-AllReportees -ManagerId $svp.Id)
Write-Host "✅ Found $($reportees.Count) users under SVP.`n"
# Step 3 & 4: Use all reportees as managers, plus the SVP
# @() is required: with exactly one reportee, Select-Object returns a string and += would concatenate text
$managerIds = @($reportees | Select-Object -ExpandProperty Id)
$managerIds += $svp.Id
$managerIds = $managerIds | Sort-Object -Unique
# Step 5: Build the dynamic group rule
$ruleClauses = $managerIds | ForEach-Object { "(user.manager -eq `"$($_)`")" }
$dynamicRule = $ruleClauses -join " -or "
# A membership rule body is limited to 3072 characters; a large org tree can exceed that
if ($dynamicRule.Length -gt 3072) {
    Write-Warning "Rule is $($dynamicRule.Length) characters, above the 3072-character membership rule limit."
}
# Output result
Write-Host "`n📋 Generated Dynamic Group Rule:`n" -ForegroundColor Cyan
Write-Host $dynamicRule
# Optional: Save to file (-Append adds a line on every run; drop it to overwrite instead)
$dynamicRule | Out-File -FilePath "c:\temp\SVP_DynamicRule_Final.txt" -Append -Encoding UTF8

1 answer

  1. Venkata Jagadeep 1,250 Reputation points Microsoft External Staff Moderator
    2025-04-28T15:15:57.79+00:00

    Hello Niranjan T Pattana Shetty,

    Your query is about users who have the Sr. VP as their manager needing to be added to the dynamic group automatically.

    For a user group, we can create a dynamic group based on the user attributes that are pre-defined in the document below.

    https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership#supported-properties

    I suggest you use the syntax below instead of user.manager:

    Direct Reports for "Object ID of Sr. VP"

    Reference:

    https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership#create-a-direct-reports-rule

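As an added example (not code from the question or the answer), the following PowerShell creates a dynamic security group with the "Direct Reports for" rule the answer recommends and then checks the computed membership against what Graph returns for the manager. It assumes the Microsoft.Graph modules are installed, that $svpObjectId holds the SVP's object ID (a placeholder GUID is used), and that the caller has Group.ReadWrite.All and User.Read.All. Note that this rule covers the manager's direct reports only, not the deeper hierarchy the recursive script in the question walks.

```powershell
# Added example, not from the question or answer. Assumes Microsoft.Graph is installed
# and the signed-in account holds Group.ReadWrite.All and User.Read.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Placeholder: replace with the SVP's object ID (the rule needs the object ID, not the UPN)
$svpObjectId = "00000000-0000-0000-0000-000000000000"

$membershipRule = "Direct Reports for `"$svpObjectId`""

$group = New-MgGroup -DisplayName "SVP Direct Reports (dynamic)" `
    -MailEnabled:$false `
    -MailNickname "svp-direct-reports" `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $membershipRule `
    -MembershipRuleProcessingState "On"

Write-Host "Created group $($group.Id) with rule: $membershipRule"

# Membership is evaluated asynchronously by Entra. Once processing has completed,
# compare the members it computed with the direct reports Graph lists for the manager.
function Test-DirectReportsCoverage {
    param (
        [string]$GroupId,
        [string]$ManagerId
    )
    # @() keeps a single result as an array so .Count and -notin behave
    $expected = @(Get-MgUserDirectReport -UserId $ManagerId -All | Select-Object -ExpandProperty Id)
    $actual   = @(Get-MgGroupMember -GroupId $GroupId -All | Select-Object -ExpandProperty Id)

    $missing = $expected | Where-Object { $_ -notin $actual }
    $extra   = $actual   | Where-Object { $_ -notin $expected }

    [pscustomobject]@{
        Expected = $expected.Count
        Actual   = $actual.Count
        Missing  = @($missing)   # direct reports not (yet) in the group
        Extra    = @($extra)     # members that are no longer direct reports
    }
}

# Run after the group's membership processing has completed
Test-DirectReportsCoverage -GroupId $group.Id -ManagerId $svpObjectId
```

Because the rule references the manager by object ID, it keeps working when individual reports join or leave, but it still has to be recreated if the SVP's own object changes.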
