Intune Customer Success

Support tip: Improving the efficiency of dynamic group processing with Microsoft Entra ID and Intune

Intune_Support_Team
Silver Contributor
Feb 05, 2024

By: Chris Kunze – Sr. Product Manager | Microsoft Intune


If you're managing a lot of devices, you know how important it is to keep your Microsoft Entra ID dynamic group processing running smoothly and efficiently. To encourage performant dynamic group rules, the ‘contains’ and ‘not Contains’ operators were recently removed (MC705357) from the rule builder’s list of operators. While it’s still possible to use these operators if you edit the rule syntax manually, there is a reason why these operators were removed. Certain properties and operators, such as ‘contains’ and ‘match’, are significantly less efficient in group processing than others. This inefficiency can lead to significant delays in dynamic group processing. You can optimize these rules by using more performant alternatives such as ‘Equals’, ‘Not Equals’, ‘Starts With’, and ‘Not Starts With’.


Recently, all properties available for the creation of a dynamic group were indexed. Therefore, there is no reason to avoid certain attributes when creating a dynamic group.

Using this guidance, we saw significant improvement in group membership evaluation times in a large customer's production environment.


Here’s a quick example. An organization wants to group all devices that were enrolled with any of these 3 enrollment profiles:

  • iOS devices – Teachers
  • iOS devices – Students
  • iOS devices – Admins


While the rule device.enrollmentProfileName -contains "iOS devices" works, the rule device.enrollmentProfileName -startswith "iOS devices" yields the same results for these three profiles and is a much more efficient query.


Evaluating your dynamic group rules with PowerShell

The following is a sample script that outputs the displayName, id, and membershipRule of every dynamic group in your organization to a CSV file. Using this output, you can quickly list the membership rules of all your Entra ID dynamic groups, evaluate them for inefficient operators, and start improving them.

# Where the CSV is written; the folder must already exist.
$csvPath = "C:\temp"
$csvFile = "dynGroups.csv"

# The Microsoft Graph PowerShell SDK is required.
if (!(Get-InstalledModule Microsoft.Graph -ErrorAction SilentlyContinue)) {
    Write-Host "You need to install the Microsoft.Graph module to run this script." -ForegroundColor Red
    Write-Host "Run 'Install-Module Microsoft.Graph -Scope CurrentUser' as an administrator" -ForegroundColor Red
    exit 1
}

# Sign in only if there is no existing Graph session; read-only scopes are enough.
if (!(Get-MgContext -ErrorAction SilentlyContinue)) {
    Connect-MgGraph -Scopes "Directory.Read.All,Group.Read.All"
}

# First page of dynamic groups. The backtick stops PowerShell from expanding $filter.
$results = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=groupTypes/any(c:c+eq+'dynamicMembership')"
$dynamicGroups = ($results).value

# Follow @odata.nextLink (note the casing) until every page has been read.
while ($results.'@odata.nextLink') {
    $results = Invoke-MgGraphRequest -Method GET -Uri $results.'@odata.nextLink'
    $dynamicGroups += ($results).value
}

# -NoTypeInformation keeps the "#TYPE" header out of the CSV on Windows PowerShell 5.1.
$dynamicGroups | Select-Object displayName,id,membershipRule | Export-Csv -Path $csvPath\$csvFile -NoTypeInformation
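The next script is an added example and not part of this post or the Intune team's script. It does two things the post describes but does not show: it scans rows shaped like the CSV exported above for the operators the post calls out as slow, and it checks the -contains to -startsWith rewrite from the iOS enrollment profile example against a set of profile names. The group ids, rule text and profile names are constructed for the example, and the function names Find-InefficientRule and Compare-ContainsWithStartsWith are names chosen here.

```powershell
# Added example (not the Intune team's script). Everything below is constructed
# sample data; run the last two commented lines against a real export instead.

# Rows shaped like the CSV the export script writes (displayName,id,membershipRule).
# The ids are placeholders, not real group ids.
$sampleRules = @(
    [pscustomobject]@{ displayName    = 'iOS - all enrollment profiles'
                       id             = '00000000-0000-0000-0000-000000000001'
                       membershipRule = '(device.enrollmentProfileName -contains "iOS devices")' }
    [pscustomobject]@{ displayName    = 'Surface devices'
                       id             = '00000000-0000-0000-0000-000000000002'
                       membershipRule = '(device.deviceModel -match "Surface.*") and (device.deviceOSType -eq "Windows")' }
    [pscustomobject]@{ displayName    = 'Corporate laptops'
                       id             = '00000000-0000-0000-0000-000000000003'
                       membershipRule = '(device.displayName -startsWith "LT-") and (device.deviceOwnership -eq "Company")' }
)

# Operators the post names as inefficient, mapped to the alternatives it recommends.
# @{} keys are case-insensitive, so '-notcontains' and '-notContains' both resolve.
$slowOperators = @{
    '-contains'    = '-startsWith or -eq'
    '-notContains' = '-notStartsWith or -ne'
    '-match'       = '-startsWith or -eq'
    '-notMatch'    = '-notStartsWith or -ne'
}

function Find-InefficientRule {
    param([Parameter(Mandatory)][object[]]$Rule)
    foreach ($r in $Rule) {
        # Only the four slow operators match; -eq, -ne, -startsWith, -notStartsWith do not.
        $hits = [regex]::Matches($r.membershipRule, '-(?:not)?(?:contains|match)\b', 'IgnoreCase')
        foreach ($hit in $hits) {
            [pscustomobject]@{
                displayName = $r.displayName
                id          = $r.id
                operator    = $hit.Value
                suggestion  = $slowOperators[$hit.Value]
            }
        }
    }
}

# Profile names from the post's example plus two constructed names that show
# when the rewrite is equivalent and when it is not.
$sampleProfiles = @(
    'iOS devices - Teachers'
    'iOS devices - Students'
    'iOS devices - Admins'
    'macOS devices - Staff'     # matches neither rule
    'Legacy iOS devices'        # matches -contains but not -startsWith
)

function Compare-ContainsWithStartsWith {
    param([string[]]$ProfileName, [string]$Value)
    foreach ($name in $ProfileName) {
        # Local, case-sensitive approximation of the two operators; the directory's
        # own string comparison rules are not modelled here.
        $c = $name.Contains($Value)
        $s = $name.StartsWith($Value)
        [pscustomobject]@{ profile = $name; contains = $c; startsWith = $s; same = ($c -eq $s) }
    }
}

Write-Host "Rules using operators the post calls out as slow:"
Find-InefficientRule -Rule $sampleRules | Format-Table -AutoSize

Write-Host "Does -startsWith give the same membership as -contains for 'iOS devices'?"
Compare-ContainsWithStartsWith -ProfileName $sampleProfiles -Value 'iOS devices' | Format-Table -AutoSize

# Against a real export from the script above:
#   $rules = Import-Csv -Path C:\temp\dynGroups.csv
#   Find-InefficientRule -Rule $rules | Export-Csv -Path C:\temp\dynGroups-review.csv -NoTypeInformation
```

The second table is the check to do before rewriting a rule: the three profiles from the post come out identical under both operators, but the constructed "Legacy iOS devices" row shows that a name carrying the phrase mid-string is kept by -contains and dropped by -startsWith. If your export contains names like that, the two rules do not yield the same membership and the rewrite needs a second clause or an -eq per profile.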


Conclusion

We recommend evaluating your group membership rules to see how you can write them more efficiently. Use ‘Equals’ and ‘Starts With’ wherever possible, and avoid using non-indexed properties if they don’t materially change the membership of the dynamic group (as noted above, all properties available for the creation of a dynamic group are now indexed). You can learn more about creating efficient rules by reading this documentation: Create simpler, more efficient rules for dynamic groups in Microsoft Entra ID.

We hope this helps to improve the processing of your dynamic group memberships! If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam.

Post updates

05/29/24: Updated post to include that all properties available for the creation of a dynamic group were indexed, and there is no reason to avoid certain attributes when creating a dynamic group.

Updated May 29, 2024
Version 3.0

18 Comments

  • Here is a simpler script that can be used:

    $csvPath = "C:\temp"
    $csvFile = "dynGroups2.csv"

    if (!(Get-InstalledModule Microsoft.Graph -ErrorAction SilentlyContinue)) {
        Write-Host "You need to install the Microsoft.Graph module to run this script." -ForegroundColor Red
        Write-Host "Run 'Install-Module Microsoft.Graph -Scope CurrentUser' as an administrator" -ForegroundColor Red
        exit 1
    }

    if (!(Get-MgContext -ErrorAction SilentlyContinue)) {
        Connect-MgGraph -Scopes "Directory.Read.All,Group.Read.All"
    }

    get-MgGroup -filter "groupTypes/any(c:c eq 'DynamicMembership')" -All:$true | Select-Object displayName,id,membershipRule | Export-Csv -Path $csvPath\$csvFile
  • RaphiB The EnrollmentProfileName is left blank by design in BYOD scenarios, since the device does not use an enrollment profile to enroll. I am not aware of any plan to change this. Is there a reason you cannot search for a blank EnrollmentProfileName?

  • Is it possible to add an Ends With operator in the future? I believe this would be useful for many people.

  • RaphiB
    Copper Contributor

    Good read! Any chance that device.enrollmentProfileName will support the name of the iOS user/device enrollment (BYOD) profile in the future? It currently supports Autopilot profiles, Apple ADE profiles and Google/Android enrollment profiles. Considering you also create profiles for both user and device enrollment on iOS, I'd expect the property to be populated. Thanks!

  • RWBWBG
    Iron Contributor

    deviceOwner is a field, but it is not exposed as a property. This would be great if this can finally be used for dynamic rules. We know it breaks the rule of mixing user properties with device properties, but this could be useful.