Building a Dynamic Group for Users with a Manager in Entra

Question

How can a dynamic group be created in Entra that includes all users who have a manager? The current setup involves a hybrid on-prem AD, and there is a challenge with using the expression user.manager -eq "notnull" to filter these users. What steps can be taken to utilize the manager attribute that is being synced from on-prem AD to Entra?

Answer 1

Hello Carlos,

I would like to provide my findings on this,

Creating a dynamic group in Microsoft Entra ID that includes all users who have a manager using this rule user.manager -eq "notnull.

I tested with multiple rules and Whenever I am using the user.manager the rule fails-:

I tested on different attribute, and it worked user.objectId -ne null

May be (user.manager) it's a limitation because in the Document also its not stating the manger can be used directly, there are many limitations in Dynamic group maybe it is one of them.

As a workaround you can follow this -:
You can use the "direct reports" rule to include users to Dynamic group. This will add all the users who has manager attribute populate but you need to add managers id as well in the syntax.

Syntax-:Direct Reports for "{objectID_of_manager}"
Example-:Direct Reports for "{fd2b4a65-bd2c-4585-9224-e7a42d0dxxxx}"

Manage Rules for Dynamic Membership Groups in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

Answer 2

Script and create a scheduled task that populates an attribute for all accounts on prem that have a manager.

in other words, pick one that is unused like a Custom Attribute:

https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership#extension-attributes-and-custom-extension-properties

Example:

Update ExtensionAttribute15 on prem all accounts with a manager with the string "Manager"

then create a dynamic rule that adds group members based on that:

(user.extensionAttribute15 -eq "Manager")