Azure AD Dynamic Group Membership Rules

Keith 1 Reputation point
2020-07-31T20:44:21.79+00:00

I would like to include all users from multiple office locations except for a set of users based on user.jobTitle.
I would like to be able to use the -contains option, as we have found that from time to time users get created and the exact syntax isn't followed (for example, a space might be left out).
We have tried to use the -in option but it does not work with -contains or -notContains

User Profile Syntax:

  • user.physicalDeliveryOfficeName filled out with the following format: <####> - <State> - <CommonLocationName>
  • an example would be : 8154 - VT - Keene Facility
  • user.JobTitle filled out with the following format: <abbreviation if applicable> : <expanded job title>
  • an example would be : RN : Registered Nurse

Example 1 syntax tried:
((user.physicalDeliveryOfficeName -contains "8154") and (user.jobTitle -notContains "RN")) or
((user.physicalDeliveryOfficeName -contains "8154") and (user.jobTitle -notContains "LPN"))
1st line: returns all users at location 8154 except for RN (note that this includes LPN in the line below)
2nd line: returns all users at location 8154 except for LPN (note that this includes RN in the line above)

Example 2 syntax tried:
(user.physicalDeliveryOfficeName -contains "8154" or user.physicalDeliveryOfficeName -contains "8154") and
(user.jobTitle -notContains "RN" or user.jobTitle -notContains "LPN")

Both examples generate the same user list. The actual rule contains multiple 4 digit location codes and more than these two job titles.


1 answer

  1. Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator
    2020-08-03T15:39:33.113+00:00

    Hello @Keith-9246 ,

    The second example and the first example are similar because the location value is not changing and is 8154 in both cases, and they both evaluate the same conditions, so the resulting list of users is the same. The second query is what you must use as far as I can think. The second query must solve your issues. Let's say we have the following 5 locations, denoted below.

    • 1234
    • 2345
    • 3456
    • 4567
    • 5678

    So the five possible values of user.physicalDeliveryOfficeName would be the above, and we need to include all users from all the locations, and then filter them by the job title user.JobTitle; for this let's take LPN, RN, SE, SSE as examples. So we have the following two conditions to find a pattern in the users' attributes.

    1. Inclusion criteria :- Users from all offices are included. (where values can be 1234 or 2345 or 3456 or 4567 or 5678 )
    2. Elimination criteria :- Users with some specific Job titles must be excluded. (where values can be LPN or RN or SE or SSE )

    The working query for the above would come to something as follows.

    (user.physicalDeliveryOfficeName -contains "1234" or user.physicalDeliveryOfficeName -contains "2345" or user.physicalDeliveryOfficeName -contains "3456" or user.physicalDeliveryOfficeName -contains "4567" or user.physicalDeliveryOfficeName -contains "5678") and (user.jobTitle -notContains "LPN" or user.jobTitle -notContains "RN" or user.jobTitle -notContains "SE" or user.jobTitle -notContains "SSE")

    Here we are evaluating the first criterion of including every office location and then excluding everyone whose job title is on the exclusion list across all those locations. So this will list all users from multiple office locations except for a set of users based on user.jobTitle.

    Hope the above explanation helps. In case I have not understood your query or you have any other condition to add, please do let us know and we will try to help you further. If the information in this post is helpful, please do accept this as the answer so that it helps other members in the community.

    Thank you.

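A worked check of the rule logic, added here as an example and not part of the original question or answer. The exclusion clause in the answer joins its -notContains tests with "or", which by plain boolean logic is satisfied by any job title that lacks at least one of the listed values; since no real title contains LPN, RN, SE and SSE all at once, that clause keeps everybody, and the rule reduces to the location filter alone. The intent stated in the answer (drop every user whose title matches any listed value) needs the tests joined with "and". The script below models both forms on constructed user records so the difference is visible before a rule is applied to a tenant. Assumptions, labelled in the code: -contains is modelled as a plain case-sensitive substring test, an unset attribute is modelled as the empty string, and the users, locations and UPNs are made up for the example. The service's own matching semantics are authoritative, so confirm the final rule with the "Validate rules" feature on the group in the portal.

```python
# Added example: models the boolean structure of an Entra ID dynamic membership
# rule on constructed users. Not code from the original post or from Microsoft.
# Assumptions (labelled): -contains is modelled as a case-sensitive substring
# test; an unset attribute is modelled as ""; the user records are constructed.
from dataclasses import dataclass
from typing import Callable, Iterable, List

LOCATIONS = ["1234", "2345", "3456", "4567", "5678"]        # from the answer
EXCLUDED_TITLES = ["LPN", "RN", "SE", "SSE"]                # from the answer


@dataclass(frozen=True)
class User:
    upn: str
    physicalDeliveryOfficeName: str
    jobTitle: str


def contains(value: str, needle: str) -> bool:
    """Model of the rule's -contains operator (assumption: plain substring)."""
    return needle in (value or "")


def in_scope(u: User) -> bool:
    """Inclusion clause: office name -contains any listed location code."""
    return any(contains(u.physicalDeliveryOfficeName, loc) for loc in LOCATIONS)


def not_excluded_or(u: User) -> bool:
    """(jobTitle -notContains A or jobTitle -notContains B or ...).
    True as soon as the title lacks ANY one listed value, so a title can only
    fail it by containing every listed value at the same time."""
    return any(not contains(u.jobTitle, t) for t in EXCLUDED_TITLES)


def not_excluded_and(u: User) -> bool:
    """(jobTitle -notContains A and jobTitle -notContains B and ...).
    True only when the title lacks EVERY listed value."""
    return all(not contains(u.jobTitle, t) for t in EXCLUDED_TITLES)


def members(users: Iterable[User], keep: Callable[[User], bool]) -> List[str]:
    """Evaluate '(inclusion) and (exclusion)' the way the rule combines them."""
    return sorted(u.upn for u in users if in_scope(u) and keep(u))


def build_rule(locations, excluded_titles, joiner: str = "and") -> str:
    """Render the rule text; joiner selects how the -notContains tests combine."""
    inc = " or ".join(f'user.physicalDeliveryOfficeName -contains "{loc}"' for loc in locations)
    exc = f" {joiner} ".join(f'user.jobTitle -notContains "{t}"' for t in excluded_titles)
    return f"({inc}) and ({exc})"


# Constructed sample users (not real data); UPNs and offices are made up.
SAMPLE_USERS = [
    User("alice@contoso.example", "1234 - VT - Keene Facility", "RN : Registered Nurse"),
    User("bob@contoso.example", "2345 - NH - Concord Clinic", "LPN : Licensed Practical Nurse"),
    User("carol@contoso.example", "3456 - VT - Burlington Office", "SSE : Senior Software Engineer"),
    User("dave@contoso.example", "4567 - ME - Portland Office", "HR : Human Resources"),
    User("erin@contoso.example", "9999 - MA - Boston Office", "HR : Human Resources"),  # not a listed office
    User("frank@contoso.example", "5678 - VT - Keene Facility", ""),  # jobTitle never filled in
    # Substring over-match: "CRNA" contains "RN", so the -notContains "RN" test drops it too.
    User("grace@contoso.example", "1234 - VT - Keene Facility", "CRNA : Nurse Anesthetist"),
]

if __name__ == "__main__":
    print("exclusion joined with 'or' :", members(SAMPLE_USERS, not_excluded_or))
    print("exclusion joined with 'and':", members(SAMPLE_USERS, not_excluded_and))
    print(build_rule(LOCATIONS, EXCLUDED_TITLES, "and"))
```

Running it shows the "or" form keeping every in-scope user, including the RN, LPN and SSE titles the answer wants removed, while the "and" form keeps only dave and frank. Two further points the output makes visible: an empty jobTitle passes every -notContains test, so users whose title was never filled in land in the group, and -contains is a substring test, so "SE" also matches "SSE" and "RN" also matches "CRNA"; delimiting the abbreviation (for example -contains "RN :") narrows that if the title format from the question is reliable.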
