Dynamic Group rule: filter by domain in proxyAddresses not working

DmitryS 0 Reputation points
2026-03-27T10:46:52.75+00:00

Hello,

My goal is to create a Dynamic Membership Group that includes all users who have an email address (either primary or alias) containing the domain @needdomain.com.

The Issue: I am unable to filter users based on their email aliases (proxyAddresses), even though the official documentation states this property is supported for dynamic rules.

I used the documentation from the link https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership

Steps I have taken:

  1. I started with a combined rule: (user.mail -endsWith "@needdomain.com") or (user.proxyAddresses -endsWith "@needdomain.com")
  2. I then split the conditions to test them separately. The rule for user.mail works as expected, but any rule targeting user.proxyAddresses returns zero results.
  3. I also experimented with the -contains operator, but it failed to populate the group for aliases.
  4. Finally, I tried various -match patterns with regular expressions (e.g., .*@needdomain\.com), which also resulted in no members being found.
    (user.proxyAddresses -match ".*@needdomain\.com")
    (user.proxyAddresses -match ".*@needdomain\.com$")
    (user.proxyAddresses -match ".*\@needdomain\.com")
    (user.proxyAddresses -match ".*\@needdomain\.com$")
    (user.proxyAddresses -match ".*needdomain\.com.*")
    (user.proxyAddresses -match ".*needdomain.*")

Reference: According to your documentation (learn.microsoft.com), the proxyAddresses property is a multi-value collection that should support these operators.

Request: How can I correctly implement a filter that captures all users with a specific domain in their proxyAddresses? If -endsWith or -match are not the correct way to query this collection, please provide the supported syntax to achieve this goal.

Thank you for your assistance.

Exchange Online

A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.


1 answer

  1. Marcin Policht 85,255 Reputation points MVP Volunteer Moderator
    2026-03-27T11:17:15.8266667+00:00

    As far as I can tell, what comes into play here is how Entra dynamic membership evaluates multi-valued attributes like proxyAddresses. This attribute is supported, but it’s treated as a collection of full strings (for example SMTP:******@needdomain.com or smtp:******@needdomain.com). The operators you're trying (-endsWith, -match, -contains) don't behave the same way on collections as they do on single-value strings. In practice, only specific operators are reliably supported for multi-valued attributes, and even then they should match the full element, not just a substring pattern in the way you're expecting.

    The key detail is that each value in proxyAddresses includes the protocol prefix (SMTP: or smtp:), so there is no element that literally ends with @needdomain.com unless the engine evaluates per-element suffixes correctly, which it currently does not for this attribute in dynamic group rules. That would explain why all your suffix and regex attempts return zero results even though the data clearly exists.

    The operator that consistently works with proxyAddresses in dynamic membership rules is -any with an exact or prefix-based comparison against each element in the collection. You should explicitly account for the prefix.

    The working pattern would look like this:

    (user.proxyAddresses -any (_ -contains "@needdomain.com"))
    

    or more explicitly accounting for the SMTP prefixes:

    (user.proxyAddresses -any (_ -startsWith "SMTP:" and _ -contains "@needdomain.com")) 
    or 
    (user.proxyAddresses -any (_ -startsWith "smtp:" and _ -contains "@needdomain.com"))
    

    In many tenants, the simpler form with just -contains inside -any should work fine:

    (user.proxyAddresses -any (_ -contains "@needdomain.com"))
    

    If that still returns zero results, the usual cause is that the rule engine in your tenant hasn't fully supported substring matching on this attribute despite the documentation. In that case, try matching the full value pattern more directly, for example:

    (user.proxyAddresses -any (_ -endsWith "@needdomain.com"))
    

    but wrapped inside -any:

    (user.proxyAddresses -any (_ -endsWith "@needdomain.com"))
    

    If that fails, then you might be hitting a limitation/inconsistency where suffix and regex operators are not honored for proxyAddresses in dynamic groups. At that point, consider trying user.mail plus additional synchronized attributes, or stamping a custom attribute (for example an extension attribute or otherMails) during provisioning and filtering on that instead.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

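
An offline check, added here and not part of the question or the answer, for auditing which accounts a proxyAddresses rule should and should not pick up before the group is used to grant access. The user records are constructed, the property names assume the shape returned by `Get-MgUser -All -Property userPrincipalName,mail,proxyAddresses`, and `Test-SmtpDomain` is a hypothetical helper; the `Substring` column models a per-element substring test with PowerShell's `-like`, which is an assumption about the rule's behaviour, not output from the rule engine.

```powershell
# Added example. All records below are constructed sample data.
# Live data with the same property names would come from:
#   Get-MgUser -All -Property userPrincipalName,mail,proxyAddresses
$Domain = 'needdomain.com'
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@needdomain.com'; Mail = 'alice@needdomain.com'
                       ProxyAddresses = @('SMTP:alice@needdomain.com') }
    [pscustomobject]@{ UserPrincipalName = 'bob@other.example'; Mail = 'bob@other.example'
                       ProxyAddresses = @('SMTP:bob@other.example', 'smtp:bob@needdomain.com') }
    [pscustomobject]@{ UserPrincipalName = 'carol@other.example'; Mail = 'carol@other.example'
                       ProxyAddresses = @('SMTP:carol@other.example', 'smtp:carol@needdomain.com.example') }
    [pscustomobject]@{ UserPrincipalName = 'dave@other.example'; Mail = 'dave@other.example'
                       ProxyAddresses = @('SMTP:dave@other.example', 'SIP:dave@needdomain.com') }
    [pscustomobject]@{ UserPrincipalName = 'erin@other.example'; Mail = $null
                       ProxyAddresses = @() }
)

function Test-SmtpDomain {
    param([string]$Address, [string]$Domain)
    # Count only SMTP:/smtp: entries (-match is case-insensitive) and
    # compare the domain as a suffix of the address after the prefix.
    if ($Address -match '^smtp:(.+)$') {
        return $Matches[1].EndsWith("@$Domain", [System.StringComparison]::OrdinalIgnoreCase)
    }
    return $false
}

$report = foreach ($u in $users) {
    $proxies = @($u.ProxyAddresses | Where-Object { $_ })
    # Strict: some element is an SMTP address whose domain is exactly $Domain.
    $strict  = [bool]($proxies | Where-Object { Test-SmtpDomain $_ $Domain })
    # Loose: some element merely contains "@$Domain" anywhere in the string.
    $loose   = [bool]($proxies | Where-Object { $_ -like "*@$Domain*" })
    [pscustomobject]@{
        User      = $u.UserPrincipalName
        Expected  = $strict -or ($u.Mail -like "*@$Domain")
        Substring = $loose
        Review    = $loose -and -not $strict   # substring hit that is not a real mailbox alias
    }
}
$report | Format-Table -AutoSize
```

Rows flagged `Review` are accounts a substring comparison would admit even though no SMTP address on the account is in the domain, such as a longer domain that begins with the same text or a non-mail entry like `SIP:`; compare the `Expected` column with the group's actual members after the rule has processed.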
