Az_Iz
Copper Contributor
Oct 14, 2025

Add members to a dynamic sec-grp excluding users with a specific "serviceplanid" assigned license

Hello, 

I am trying to dynamically populate a security group that should contain all members with a specific attribute value, and to filter the group membership based on a servicePlanId assigned to members.

 

(user.extensionAttribute9 -startsWith "83") -and (user.accountEnabled -eq True) -and (user.mail -ne null) -and (User.AssignedPlans -any (assignedPlan.servicePlanId -ne "818523f5-016b-4355-9be8-ed6944946ea7" -and assignedPlan.capabilityStatus -eq "Enabled"))

 

How can I exclude members with the servicePlanId "818523f5-016b-4355-9be8-ed6944946ea7" from the list of the group members?

1 Reply

  • LainRobertson
    Silver Contributor

    Hi Az_Iz​,

     

    The problem with your rule is it's going to almost always include all people, since their account will have more than a single enabled service.

     

    When it comes to matching a single entry in a list of entries for the purpose of exclusion, you need to perform a negative match rather than a positive match. You can do this two ways:

     

    • Use the "-any" operator in conjunction with the not() function;
    • Use the "-all" operator rather than the "-any" operator.

     

    Using -any plus not()

    New-MgBetaGroup -DisplayName "Forum Test" -MailEnabled:$false -SecurityEnabled:$true -MailNickname "ForumTest" -GroupTypes "DynamicMembership" -MembershipRule "(user.accountEnabled -eq true) -and (user.mail -ne null) -and not((user.assignedPlans -any ((assignedPlan.servicePlanId -eq `"43de0ff5-c92c-492b-9116-175376d08c38`") -and (assignedPlan.capabilityStatus -eq `"Enabled`"))))" -MembershipRuleProcessingState "On";

     


    Using -all instead of -any

    New-MgBetaGroup -DisplayName "Forum Test 2" -MailEnabled:$false -SecurityEnabled:$true -MailNickname "ForumTest2" -GroupTypes "DynamicMembership" -MembershipRule "(user.accountEnabled -eq true) -and (user.mail -ne null) -and (user.assignedPlans -all ((assignedPlan.servicePlanId -ne `"43de0ff5-c92c-492b-9116-175376d08c38`") -or (assignedPlan.capabilityStatus -ne `"Enabled`")))" -MembershipRuleProcessingState "On";

     


    Cheers,

    Lain
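
The three rule shapes discussed in this thread, compared in an added example that is not part of either post: a local PowerShell model of `-any` and `-all` evaluated over constructed users. The helper names (`New-Plan`, `Test-Any`, `Test-All`), the sample users and the placeholder GUID are assumptions; the script makes no Graph calls and assumes `-all` over an empty plan list is true.

```powershell
# Local model only: no Graph calls. Users and $other are constructed sample data.
$excluded = '818523f5-016b-4355-9be8-ed6944946ea7'   # plan GUID from the question
$other    = '00000000-0000-0000-0000-000000000001'   # placeholder for any other plan

function New-Plan($id, $status) {
    [pscustomobject]@{ servicePlanId = $id; capabilityStatus = $status }
}

# -any: true if at least one element satisfies the predicate.
function Test-Any($items, [scriptblock]$pred) {
    foreach ($i in $items) { if (& $pred $i) { return $true } }
    return $false
}

# -all: true if every element satisfies it (assumed true for an empty list).
function Test-All($items, [scriptblock]$pred) {
    foreach ($i in $items) { if (-not (& $pred $i)) { return $false } }
    return $true
}

$users = @(
    [pscustomobject]@{ Upn = 'plan-enabled';    Plans = @((New-Plan $excluded 'Enabled'), (New-Plan $other 'Enabled')) }
    [pscustomobject]@{ Upn = 'plan-deleted';    Plans = @((New-Plan $excluded 'Deleted'), (New-Plan $other 'Enabled')) }
    [pscustomobject]@{ Upn = 'other-plan-only'; Plans = @((New-Plan $other 'Enabled')) }
    [pscustomobject]@{ Upn = 'no-plans';        Plans = @() }
)

$results = foreach ($u in $users) {
    [pscustomobject]@{
        User = $u.Upn
        # Rule from the question: some plan is enabled and is not the excluded one.
        OriginalAny = Test-Any $u.Plans { param($p) ($p.servicePlanId -ne $excluded) -and ($p.capabilityStatus -eq 'Enabled') }
        # Reply, option 1: no plan is the excluded one in Enabled state.
        NotAny = -not (Test-Any $u.Plans { param($p) ($p.servicePlanId -eq $excluded) -and ($p.capabilityStatus -eq 'Enabled') })
        # Reply, option 2: every plan is either a different plan or not Enabled.
        AllNegated = Test-All $u.Plans { param($p) ($p.servicePlanId -ne $excluded) -or ($p.capabilityStatus -ne 'Enabled') }
    }
}
$results | Format-Table -AutoSize
```

`OriginalAny` comes out true for the user who holds the excluded plan in the Enabled state, because that user also holds another enabled plan. `NotAny` and `AllNegated` agree on every row, which is De Morgan's law applied to the membership rule.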
