fomar2130
Copper Contributor
Jul 01, 2022

filter for dynamic group that is intersection of two other groups

I have a problem: I would need a group in Azure AD that contains those users as members that are members of two other groups. That means I need an intersection of two groups.

 

I know for one group the following filter works:

user.memberof -any (group.objectid -in ['objectID_of_the_group'])

 

Is there a filter available that would give me the intersection of two groups?

The following filter is not accepted by Azure AD:

(user.memberof -any (group.objectid -in ['objectID_of_groupA']) -and (user.memberof -any (group.objectid -in ['objectID_of_groupB'])

Any help appreciated. Thanks a lot.

  • BilalelHadd
    Iron Contributor
    Hi fomar2130,

    Please keep in mind that this feature still has some limitations. Read more about the limitations on this official Microsoft docs page:
    https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of

    Below you will find the needed query to create a Dynamic group with members of Group A and Group B as members for the newly created Dynamic group:
    user.memberof -any (group.objectId -in ['ObjectIDGroupA', 'ObjectIDGroupB'])

  • LainRobertson
    Silver Contributor

    fomar2130

    I might be misunderstanding a crucial detail, but running a quick test shows it to be working for me using the AzureADPreview version of New-AzureADMSGroup.

     

    The command I used was simply this:

    New-AzureADMSGroup -DisplayName "Foo" -SecurityEnabled:$true -MailEnabled:$false -MailNickname "foo" -MembershipRule "user.memberOf -any (group.objectId -in ['258bdb38-7d05-46f7-b200-dbaeab520688']) -and user.memberOf -any (group.objectId -in ['384215de-1096-4d28-b6cb-f408574de2f5'])";

     

    With the following as confirmation, showing that the user is indeed listed as being a member of "Foo":

     

    Cheers,

    Lain

    • testseestssdad1405
      Copper Contributor

      LainRobertson - realise this is going back a little, and the syntax has changed with the latest version of AzureADPreview, but I've tried creating this Dynamic rule both via PowerShell and the Azure Portal following your advice above. The Dynamic group is successfully created, though the "Dynamic rule processing status" states failed when it tries to run. The audit logs don't seem to have any further information. Is this still working for you, or is there an alternative that you have found? Thanks for any help.
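
Added example, not code from any poster in this thread: a PowerShell check that compares a dynamic group's evaluated members with the intersection of the two source groups. It also shows why a single -in list holding both group IDs, which matches users in either group, does not give an intersection. The function names and all object IDs are constructed for illustration; Get-AzureADGroupMember appears only in a comment as the assumed live source of the member lists.

```powershell
# Added example. All object IDs below are constructed sample values.
function New-IdSet {
    param([string[]]$Ids)
    # Case-insensitive set, since GUID casing can differ between sources
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($id in $Ids) { if ($id) { [void]$set.Add($id) } }
    return ,$set   # unary comma: return the set itself, not its elements
}

function Test-DynamicGroupIntersection {
    param([string[]]$MembersA, [string[]]$MembersB, [string[]]$DynamicMembers)
    $expected = New-IdSet $MembersA
    $expected.IntersectWith((New-IdSet $MembersB))   # users in A AND in B
    $actual     = New-IdSet $DynamicMembers
    $missing    = @($expected | Where-Object { -not $actual.Contains($_) })
    $unexpected = @($actual   | Where-Object { -not $expected.Contains($_) })
    [pscustomobject]@{
        Expected   = @($expected)
        Missing    = $missing      # should be in the dynamic group, are not
        Unexpected = $unexpected   # are in the dynamic group, should not be
        Matches    = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed member lists (user object IDs) for group A and group B
$groupA = '00000000-0000-0000-0000-000000000001',
          '00000000-0000-0000-0000-000000000002',
          '00000000-0000-0000-0000-000000000003'
$groupB = '00000000-0000-0000-0000-000000000002',
          '00000000-0000-0000-0000-000000000003',
          '00000000-0000-0000-0000-000000000004'

# A single -in list holding both group IDs matches users in EITHER group
$eitherGroup = @($groupA + $groupB | Select-Object -Unique)
Test-DynamicGroupIntersection $groupA $groupB $eitherGroup

# Two memberOf clauses joined with -and are meant to match users in BOTH
$bothGroups = $groupA | Where-Object { $groupB -contains $_ }
Test-DynamicGroupIntersection $groupA $groupB $bothGroups

# Against a tenant (connected AzureAD session assumed), feed real lists:
#   (Get-AzureADGroupMember -ObjectId $idOfGroupA -All $true).ObjectId
```

On a real dynamic group, a non-empty Missing list can also mean that rule processing has not completed or has failed, as described in the last reply above.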
