Dynamic security group with all users with any plan (all licensed users)

Brase, Daniel 321 Reputation points
2021-11-24T08:37:40.987+00:00

Hi guys,

I'm trying to create a dynamic security group with only licensed users. I've already found this and some other examples to get this working. To test around I started with this filter:

(user.accountEnabled -eq True) and (user.assignedplans -any (assignedplan.serviceplanid -eq "3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40"))  

152159-2021-11-24-08h57-21.png

This works generally, but I want a rule with any plan and not a specific one. So I tried this one:

(user.accountEnabled -eq True) and (user.assignedplans -all (assignedplan.serviceplanid -ne null))  

But that doesn't work in my case:

152119-2021-11-24-09h03-37.png
152201-2021-11-24-09h05-13.png
152211-2021-11-24-09h07-21.png

This is also working but I want it vice versa:

(user.accountEnabled -eq True) and (user.assignedplans -any (assignedplan.serviceplanid -eq null)  

152038-2021-11-24-09h35-29.png

Maybe someone has a hint.

Thanks, Daniel.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,808 questions
0 comments No comments
{count} vote

Accepted answer
  1. Brase, Daniel 321 Reputation points
    2021-11-24T08:43:04.46+00:00

    Ok, I was able to manage it on my own. I got it working with the not operator:

    (user.accountEnabled -eq True) and not (user.assignedplans -all (assignedplan.serviceplanid -eq null))  
    

    152177-2021-11-24-09h41-49.png

    I would have expected that if I use -eq operator and have a result, the the operator -ne switches the result. Anyway, maybe this helps someone else.

    4 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Jason E. Eaby 5 Reputation points
    2023-05-24T14:14:58.9433333+00:00

    So, I managed to get it working without a "not" by changing the "-all" operator to "-any" and using an "-ne".

    Like this:

    (user.accountEnabled -eq true) and (user.assignedPlans -any (assignedPlan.servicePlanID -ne null))

    Hope this helps someone.

    1 person found this answer helpful.