In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group membership reduces the administrative overhead of adding and removing users. This article details the properties and syntax to create dynamic membership rules for users or devices. You can set up a rule for dynamic membership on security groups or Microsoft 365 groups.
When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or remove a member of a dynamic group.
- You can create a dynamic group for devices or for users, but you can't create a rule that contains both users and devices.
- You can't create a device group based on the device owners' attributes. Device membership rules can only reference device attributes.
Note: This feature requires an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups. You don't have to assign licenses to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the Azure AD organization to cover all such users. For example, if you had a total of 1,000 unique users in all dynamic groups in your organization, you would need at least 1,000 licenses for Azure AD Premium P1 to meet the license requirement. No license is required for devices that are members of a dynamic device group.
Rule builder in the Azure portal
Azure AD provides a rule builder to create and update your important rules more quickly. The rule builder supports the construction of up to five expressions. The rule builder makes it easier to form a rule with a few simple expressions; however, it can't be used to reproduce every rule. If the rule builder doesn't support the rule you want to create, you can use the text box.
Here are some examples of advanced rules or syntax that we recommend you construct using the text box:
- Rule with more than five expressions
- The Direct reports rule
- Setting operator precedence
- Rules with complex expressions; for example: (user.proxyAddresses -any (_ -contains "contoso"))
Note: The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing of dynamic group rules in any way.
For more step-by-step instructions, see https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule
Rule syntax for a single expression
A single expression is the simplest form of a membership rule and has only the three parts described under Constructing the body of a membership rule. A rule with a single expression looks similar to this: Property Operator Value, where the syntax for the property is the name of object.property.
The following is an example of a properly constructed membership rule with a single expression:
user.department -eq "Sales"
Parentheses are optional for a single expression. The total length of the body of your membership rule cannot exceed 3072 characters.
Constructing the body of a membership rule
A membership rule that automatically populates a group with users or devices is a binary expression that results in a true or false outcome. The three parts of a simple rule are:
- Property
- Operator
- Value
The order of the parts within an expression is important to avoid syntax errors.
Supported properties
There are three types of properties that can be used to construct a membership rule.
- Boolean
- String
- String collection
The following are the user properties that you can use to create a single expression.
Properties of type boolean
Properties | Allowed values | Usage |
---|---|---|
accountEnabled | true, false | user.accountEnabled -eq true |
dirSyncEnabled | true, false | user.dirSyncEnabled -eq true |
Properties of type string
Properties | Allowed values | Usage |
---|---|---|
city | Any string value or null | (user.city -eq "value") |
country | Any string value or null | (user.country -eq "value") |
companyName | Any string value or null | (user.companyName -eq "value") |
department | Any string value or null | (user.department -eq "value") |
displayName | Any string value | (user.displayName -eq "value") |
employeeId | Any string value | (user.employeeId -eq "value") (user.employeeId -ne null) |
facsimileTelephoneNumber | Any string value or null | (user.facsimileTelephoneNumber -eq "value") |
givenName | Any string value or null | (user.givenName -eq "value") |
jobTitle | Any string value or null | (user.jobTitle -eq "value") |
mail | Any string value or null (SMTP address of the user) | (user.mail -eq "value") |
mailNickName | Any string value (mail alias of the user) | (user.mailNickName -eq "value") |
mobile | Any string value or null | (user.mobile -eq "value") |
objectId | GUID of the user object | (user.objectId -eq "11111111-1111-1111-1111-111111111111") |
onPremisesSecurityIdentifier | On-premises security identifier (SID) for users who were synchronized from on-premises to the cloud. | (user.onPremisesSecurityIdentifier -eq "S-1-1-11-1111111111-1111111111-1111111111-1111111") |
passwordPolicies | None; DisableStrongPassword; DisablePasswordExpiration; DisablePasswordExpiration, DisableStrongPassword | (user.passwordPolicies -eq "DisableStrongPassword") |
physicalDeliveryOfficeName | Any string value or null | (user.physicalDeliveryOfficeName -eq "value") |
postalCode | Any string value or null | (user.postalCode -eq "value") |
preferredLanguage | ISO 639-1 code | (user.preferredLanguage -eq "en-US") |
sipProxyAddress | Any string value or null | (user.sipProxyAddress -eq "value") |
state | Any string value or null | (user.state -eq "value") |
streetAddress | Any string value or null | (user.streetAddress -eq "value") |
surname | Any string value or null | (user.surname -eq "value") |
telephoneNumber | Any string value or null | (user.telephoneNumber -eq "value") |
usageLocation | Two-letter country/region code | (user.usageLocation -eq "US") |
userPrincipalName | Any string value | (user.userPrincipalName -eq "alias@domain") |
userType | member, guest, null | (user.userType -eq "Member") |
Properties of type string collection
Properties | Allowed values | Usage |
---|---|---|
otherMails | Any string value | (user.otherMails -contains "alias@domain") |
proxyAddresses | SMTP: alias@domain, smtp: alias@domain | (user.proxyAddresses -contains "SMTP: alias@domain") |
For the properties used for device rules, see Rules for devices.
Supported expression operators
The following table lists all the supported operators and their syntax for a single expression. Operators can be used with or without the hyphen (-) prefix.
Operator | Syntax |
---|---|
Not Equals | -ne |
Equals | -eq |
Not Starts With | -notStartsWith |
Starts With | -startsWith |
Not Contains | -notContains |
Contains | -contains |
Not Match | -notMatch |
Match | -match |
In | -in |
Not In | -notIn |
For more details, refer to the Microsoft article below:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership