Forum Discussion
Azure Dynamic Group query not working correctly
Here is my query:
user.memberof -any (group.objectId -in ["GroupIdA", "GroupIdB"]) -and user.memberof -any (group.objectId -in ["GroupIdC"])
I would like to only allow members into the dynamic group if they are simultaneously a member of GroupC and any group in the collection of Group A and B
User 1 is a member of C and A. He is currently in the group. This is correct.
User 2 is a member of C, but not A or B. She is not currently in the group. This is correct.
User 3 is a member of B, but not C. She is currently in the group. This is incorrect.
Can anyone tell me why User 3 is in the dynamic group?
I have to say, the parsing is frighteningly untrustworthy and inconsistent for this kind of scenario. But while a couple of other iterations produced unexpected results, the following example worked.
Effectively, I brought the single group "and" criterion to the front and finished with the "or" criterion, which produces the correct resulting membership.
Cheers,
Lain
11 Replies
- LainRobertson (Silver Contributor)
I have seen PowerShell botch the order of precedence before, meaning using parentheses around the different sections sometimes helps, but I don't think that's what's going on here as this isn't really a PowerShell scenario - it's just that the syntax looks similar.
I'm not a betting man, but if I were, I'd have no other option than to suggest that User 3 actually is a member of GroupIdC.
You can use something like the following to check the transitive membership of GroupIdC via the Microsoft.Graph.Groups module:
(Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/groups?$filter=displayName eq ''foo''&$select=TransitiveMembers&$expand=TransitiveMembers').value.TransitiveMembers | ForEach-Object { [PSCustomObject]$_ } | ft -AutoSize id, userPrincipalName, displayName
Just change the group displayName value within that command.
Cheers,
Lain
- ChaseOfSpades (Copper Contributor)
I ran your command for Group C and unfortunately User 3 is not a member of group C.
For further testing, I removed User 3 and added User 4 to Group C only. Lo and behold, User 4 is also part of the dynamic group.
There's something about Group C or the dynamic group query that is allowing all members of Group C into the dynamic group.
- LainRobertson (Silver Contributor)
Your explanation makes perfect sense, I'm just not sure I can help you diagnose that as it'd really need eyes on the resources.
I wiped and reconstructed my existing example and I still get the expected outcome from the rule.
Here's the example in full (not that there's anything new to share - just everything in one place.)
Cheers,
Lain
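The practical check behind this thread is to compute, independently of the dynamic-group engine, which users the intended rule ((member of GroupIdA or GroupIdB) and member of GroupIdC) should admit, and then diff that against what the dynamic group actually contains. The following PowerShell is an added example, not code from the thread or from any of its participants. It runs offline against a constructed membership table that mirrors the four users described above; the user principal names and the observed dynamic membership are made up for illustration.

```powershell
# Added example (not from the thread): evaluate the intended rule
#   (member of GroupIdA -or GroupIdB) -and member of GroupIdC
# offline, then diff the result against the membership the dynamic group reports.

$RuleAny = @('GroupIdA', 'GroupIdB')   # the "-in [...]" collection from the rule
$RuleAll = @('GroupIdC')               # the single group every member must also be in

# Constructed sample data: user -> direct group memberships, matching the thread's
# description of Users 1-4. In a real tenant, build this from Get-MgUserMemberOf.
$DirectMembership = @{
    'user1@contoso.example' = @('GroupIdC', 'GroupIdA')
    'user2@contoso.example' = @('GroupIdC')
    'user3@contoso.example' = @('GroupIdB')
    'user4@contoso.example' = @('GroupIdC')
}

# Constructed sample data: what the dynamic group was observed to contain.
# In a real tenant, build this from Get-MgGroupMember on the dynamic group.
$ObservedDynamicMembers = @('user1@contoso.example', 'user3@contoso.example', 'user4@contoso.example')

function Test-IntendedRule {
    # Returns $true only when the user is in at least one of $RuleAny
    # AND in every group listed in $RuleAll.
    param([string[]]$Groups)
    $inAny = @($Groups | Where-Object { $_ -in $RuleAny }).Count -gt 0
    $inAll = @($RuleAll | Where-Object { $_ -notin $Groups }).Count -eq 0
    return ($inAny -and $inAll)
}

# Users the rule, as intended, should admit.
$Expected = @($DirectMembership.Keys | Where-Object { Test-IntendedRule $DirectMembership[$_] } | Sort-Object)

# Diff expected vs. observed; "=>" rows are users the engine admitted that the
# intended logic excludes (User 3 and User 4 in the thread's scenario).
Compare-Object -ReferenceObject $Expected -DifferenceObject @($ObservedDynamicMembers | Sort-Object) -IncludeEqual |
    ForEach-Object {
        $status = switch ($_.SideIndicator) {
            '==' { 'OK (expected and present)' }
            '<=' { 'MISSING (expected, not in dynamic group)' }
            '=>' { 'UNEXPECTED (in dynamic group, intended rule excludes)' }
        }
        [PSCustomObject]@{ User = $_.InputObject; Status = $status }
    } | Format-Table -AutoSize
```

With the constructed data this flags user3 and user4 as UNEXPECTED and user1 as OK, reproducing the thread's observation. To run it against a real tenant, replace the two tables with live data: Get-MgUserMemberOf (Microsoft.Graph.Users) for each user's direct memberships and Get-MgGroupMember (Microsoft.Graph.Groups) for the dynamic group. The table holds direct memberships deliberately, because the memberOf rule syntax evaluates direct membership rather than transitive membership, so a transitive query can produce a different expected set from the one the engine is working with.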