This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 6%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
I am trying to configure a entra group to include members of a specific group but exclude members of another group. I am running into problem creating the dynamic rules in order to pull the correct members. Any help here would be appreciated.
The memberOf rule cant be configured like that currently:
So here's exactly what i'm trying to do but trying to track it by group. I am trying to create a group that disables 1 specific group (MFA Exempt) from SSPR. From what I have seen the only way to do this is create a group that includes everyone but the members of the MFA Exempt group and enable it by a group instead of all.
Correct. the SSPR group can be dynamic but it will need to be built differently I think and only include the users you want if that is possible.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 65%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEN%3C/text%3E%3C/svg%3E)
You can't automatically create a group in Entra that includes members of one group but removes those in another. This type of rule isn’t supported. To work around Entra’s limitations, use user attributes to define dynamic group membership. For example, filter by department or job title to include or exclude users:
(user.department -eq "Sales") -and (user.jobTitle -ne "Contractor")
If no useful attribute exists, manage exclusions manually by creating a separate group for users you want to exclude.
If this helped clarify the limitation and offered a useful workaround, please consider giving it a thumbs up or marking it as helpful—your feedback supports the community and helps others find clear answers faster!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Hi @Gregory Peterson
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes.
Hi @Gregory Peterson
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes.