
The Azure AD Dynamic Group syntax manual

Dynamic rules allow you to define automated rules using “if this then that”. This post will help you to understand and play around with Azure AD Dynamic Group membership rules.


Starting up

Before we begin placing users in Azure AD Dynamic Security groups, it is good to know what we have to filter on. I always export the most used properties that HR is using:

Get-AzureADUser -All $true | Where-Object {$_.Department -ne $null} | Select-Object DisplayName,UserPrincipalName,JobTitle,Department,Country,UsageLocation | Export-CSV -Path "C:\Temp\allusers.csv" -NoTypeInformation

This assumes that all HR-managed users have a department value in AAD. The above command filters out users with an empty department, so service accounts and other non-human identities do not end up in your export.

The use of And/Or statements:

And = when you want a rule that matches two departments, such as IT or Legal, but users in department Legal with the job title Stagiair may not be members of the group. This can be written as:

(user.department -eq "IT") or (user.department -eq "Legal" and user.jobTitle -ne "Stagiair")

Because we want all users in department Legal except those with job title Stagiair, we group that part of the rule together with parentheses.

-eq and -ne are called expression operators; a full list of expression operators is shown below, under ‘Supported expression operators’.

If you want all users of departments IT and Legal, but not those with job title Stagiair, you can write the rule with the -in and -notIn operators as:

(user.department -In ["IT","Legal"]) and (user.jobTitle -notIn ["Stagiair"])

More details on the -in and -notIn operators are given below, under ‘Using the -in and -notIn operators’.

With only the -eq and -ne expression operators, the rule above has to be much longer to give the same result:

(user.department -eq "IT") and (user.jobTitle -ne "Stagiair") or (user.department -eq "Legal") and (user.jobTitle -ne "Stagiair")

Or = when you want a rule that matches two departments, such as IT or Legal, without further filters. Then you can write the rule as:

(user.department -eq "IT") or (user.department -eq "Legal")

Supported expression operators:

Operator           Syntax
Not Equals         -ne
Equals             -eq
Not Starts With    -notStartsWith
Starts With        -startsWith
Not Contains       -notContains
Contains           -contains
Not Match          -notMatch
Match              -match
In                 -in
Not In             -notIn

The use of expression operators in different ways:

With the operators listed above, you can build the expressions that make up your rule. Say you want a dynamic group with all users whose mail address is in domain.com:

When you use expression operators: Contains (-contains)

  • (user.mail -contains "domain.com")
    • Outcome: all users with a mail address that contains domain.com, including (if they exist in the tenant) users on a subdomain such as my.domain.com.

When you use expression operators: Equals (-eq)

  • (user.mail -eq "domain.com")
    • Outcome: all users with a mail address that equals domain.com. So if a subdomain such as my.domain.com exists, those users will not be members of the group.

Using the -in and -notIn expression operators

If you want to compare the value of a user attribute against a number of different values you can use the -in or -notIn operators. Use the bracket symbols “[” and “]” to begin and end the list of values.

(user.department -in ["50001","50002","50003","50005","50006","50007","50008"])

Supported properties for user objects and usage:

Property                               Usage
city                                   (user.city -eq "value")
country                                (user.country -eq "value")
companyName                            (user.companyName -eq "value")
department                             (user.department -eq "value")
displayName                            (user.displayName -eq "value")
employeeId                             (user.employeeId -eq "value")
                                       (user.employeeId -ne null)
facsimileTelephoneNumber               (user.facsimileTelephoneNumber -eq "value")
givenName                              (user.givenName -eq "value")
jobTitle                               (user.jobTitle -eq "value")
mail                                   (user.mail -eq "value")
mailNickName                           (user.mailNickName -eq "value")
memberOf                               (user.memberof -any (group.objectId -in ['value']))
mobile                                 (user.mobile -eq "value")
objectId                               (user.objectId -eq "11111111-1111-1111-1111-111111111111")
onPremisesDistinguishedName (preview)  (user.onPremisesDistinguishedName -eq "value")
onPremisesSecurityIdentifier           (user.onPremisesSecurityIdentifier -eq "S-1-1-11-1111111111-1111111111-1111111111-1111111")
passwordPolicies                       (user.passwordPolicies -eq "DisableStrongPassword")
physicalDeliveryOfficeName             (user.physicalDeliveryOfficeName -eq "value")
postalCode                             (user.postalCode -eq "value")
preferredLanguage                      (user.preferredLanguage -eq "en-US")
sipProxyAddress                        (user.sipProxyAddress -eq "value")
state                                  (user.state -eq "value")
streetAddress                          (user.streetAddress -eq "value")
surname                                (user.surname -eq "value")
telephoneNumber                        (user.telephoneNumber -eq "value")
usageLocation                          (user.usageLocation -eq "US")
userPrincipalName                      (user.userPrincipalName -eq "alias@domain")
userType                               (user.userType -eq "Member")

This manual covers user filter properties. If you want to use filter properties for devices, see: https://docs.microsoft.com/en-us/mem/intune/fundamentals/filters-device-properties. Device rules use device.property, for example:

Property       Usage
displayName    (device.displayName -eq "value")

The use of filter properties in different ways:

When you want to list all users in a department with a given usage location:

(user.department -eq "IT") and (user.usageLocation -eq "NL")

When you want to list all users in a department with a given country:

(user.department -eq "IT") and (user.country -eq "NL")

When you want to list a set of departments, or a department whose name starts with something:

(user.department -in ["IT","Legal"]) or (user.department -startsWith "Executive")

When you want to list a set of departments, combined with a specific job title in a specific country:

(user.department -in ["Manufacturing","Operations"]) and (user.jobTitle -eq "Director" and user.country -eq "United States")

Filter in/Filter out

Filter in: when you want all users whose userType equals Member and whose department equals (-eq) empty (null):

(user.userType -eq "Member") and (user.department -eq null)

Outcome: a group of users of type Member whose department is empty.

Filter out: when you want all users whose userType equals Member and whose department does not equal (-ne) empty (null):

(user.userType -eq "Member") and (user.department -ne null)

Outcome: a group of users of type Member whose department is not empty.
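To see what a rule would do before you save it in Azure AD, here is an added example that is not part of the original post: a small Python evaluator for the rule grammar used on this page (user.attr, the expression operators above, "string"/[list]/null literals, and/or, parentheses), run as a dry run against a constructed sample export. The USERS list, the choice that and binds tighter than or, the treatment of a null attribute as an empty string for the string operators, and case-sensitive string comparison are assumptions of this example, not documented service behaviour.

```python
import re
USERS = [  # constructed sample export, not real tenant data
    {"displayName": "Anna", "userType": "Member", "department": "IT", "jobTitle": "Engineer", "mail": "anna@domain.com"},
    {"displayName": "Bram", "userType": "Member", "department": "Legal", "jobTitle": "Stagiair", "mail": "bram@my.domain.com"},
    {"displayName": "Cees", "userType": "Member", "department": "Legal", "jobTitle": "Counsel", "mail": "cees@domain.com"},
    {"displayName": "svc-backup", "userType": "Member", "department": None, "jobTitle": None, "mail": None},
]
# Tokens: user.attr, -operator, "string", [ ] , ( ) and/or null; group 2 catches anything else so typos fail loudly.
TOKEN = re.compile(r'\s*(?:(user\.\w+|-\w+|"[^"]*"|[()\[\],]|and|or|null)|(\S+))', re.I)
# v = attribute value (None if unset), r = literal, s = v as text. Assumed: null acts as "" for string operators.
OPS = {
    "-eq": lambda v, r, s: v == r, "-ne": lambda v, r, s: v != r,
    "-in": lambda v, r, s: v in r, "-notin": lambda v, r, s: v not in r,
    "-contains": lambda v, r, s: r in s, "-notcontains": lambda v, r, s: r not in s,
    "-startswith": lambda v, r, s: s.startswith(r), "-notstartswith": lambda v, r, s: not s.startswith(r),
    "-match": lambda v, r, s: re.search(r, s) is not None, "-notmatch": lambda v, r, s: re.search(r, s) is None,
}

def evaluate(rule, user):
    """Recursive descent: 'and' binds tighter than 'or'; parentheses override, as in the rules on this page."""
    pairs = TOKEN.findall(rule)
    if any(j for _, j in pairs): raise ValueError(f"cannot tokenize: {[j for _, j in pairs if j]}")
    toks, i = [t for t, _ in pairs], 0
    def peek(): return toks[i].lower() if i < len(toks) else None
    def take(): nonlocal i; i += 1; return toks[i - 1]
    def literal():  # "string" | null | ["a","b"]
        t = take()
        if t != "[": return None if t.lower() == "null" else t.strip('"')
        items = [literal()]
        while peek() == ",": take(); items.append(literal())
        take(); return items
    def atom():  # ( expr ) | user.attr -op literal
        if peek() == "(": take(); v = expr(); take(); return v
        attr, op = take().split(".", 1)[1], take()
        v = user.get(attr)
        return OPS[op.lower()](v, literal(), "" if v is None else str(v))
    def term():
        v = atom()
        while peek() == "and": take(); v &= atom()
        return v
    def expr():
        v = term()
        while peek() == "or": take(); v |= term()
        return v
    result = expr()
    if i != len(toks): raise ValueError("unexpected trailing tokens")
    return result

def members(rule, users=USERS):  # dry run: who would land in the group before you save the rule in Azure AD
    return [u["displayName"] for u in users if evaluate(rule, u)]
```

Running members() with the and/or rules from the beginning of this post shows that the short -eq/-ne version and the -in/-notIn version select the same users, and that -contains picks up the my.domain.com address where -eq does not.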

Ending up

This manual was created to help you learn and experiment with the rule syntax of dynamic groups in Azure AD. The options are almost endless, and I hope it helps you create the perfect dynamic groups for your needs.
