Forum Discussion
Azure Dynamic Group query not working correctly
I have seen PowerShell botch the order of precedence before, meaning using parentheses around the different sections sometimes helps, but I don't think that's what's going on here as this isn't really a PowerShell scenario - it's just that the syntax looks similar.
I'm not a betting man, but if I were, I'd have no other option than to suggest that User 3 actually is a member of GroupIdC.
You can use something like the following to check the transitive membership of GroupIdC via the Microsoft.Graph.Groups module:
(Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/groups?$filter=displayName eq ''foo''&$select=TransitiveMembers&$expand=TransitiveMembers').value.TransitiveMembers | ForEach-Object { [PSCustomObject]$_ } | ft -AutoSize id, userPrincipalName, displayName
Just change the group displayName value within that command.
Cheers,
Lain
I ran your command for Group C and unfortunately User 3 is not a member of group C.
For further testing, I removed User 3 and added User 4 to Group C only. Lo and behold, User 4 is also part of the dynamic group.
There's something about Group C or the dynamic group query that is allowing all members of Group C into the dynamic group.
- LainRobertson, Oct 11, 2022, Silver Contributor
Your explanation makes perfect sense, I'm just not sure I can help you diagnose that as it'd really need eyes on the resources.
I wiped and reconstructed my existing example and I still get the expected outcome from the rule.
Here's the example in full (not that there's anything new to share - just everything in one place.)
Cheers,
Lain
- ChaseOfSpades, Oct 11, 2022, Copper Contributor
I see two groups in your example. Will you try something for me?
- Add a third group with one member that is only in Group003
- Give Candice membership to Group003
- Update the dynamic group syntax to:
user.memberof -any (group.objectId -in ["8ade68a3-dfed-442e-b8b8-6cd97857f5d9", "Group003Id"]) -and user.memberof -any (group.objectId -in ["44490cdd-9c9a-4a8b-b727-ad364aeecbc3"])
- LainRobertson, Oct 11, 2022, Silver Contributor
I have to say, the parsing is frighteningly untrustworthy and inconsistent for this kind of scenario. But while a couple of other iterations produced unexpected results, the following example worked.
Effectively, I brought the single group "and" criterion to the front and finished with the "or" criterion, which produces the correct resulting membership.
Cheers,
Lain
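Given how unreliable the rule parser turned out to be in this thread, a useful follow-up check is to compare the dynamic group's actual members against what the intended rule ("in Group A or Group C, AND in Group B") should produce, so that any leakage like the Group C case shows up as a list of users. This is an added example, not code from the thread; it assumes Connect-MgGraph has already been run with Group.Read.All and User.Read.All, and the object IDs are placeholders.

```powershell
# Added example: audit a dynamic group against the intended rule semantics.
# Placeholders: replace with the real object IDs from your tenant.
$DynamicGroupId = '<dynamic-group-object-id>'
$AnyOfGroups    = @('<GroupIdA>', '<GroupIdC>')   # the "or" side of the rule
$MustBeInGroup  = '<GroupIdB>'                    # the "and" side of the rule

# Follow @odata.nextLink so large groups are read completely.
function Get-AllPages {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# The rule's intended meaning written as plain PowerShell logic, so the verdict
# does not depend on how the dynamic-group parser resolves -and / -in precedence.
function Test-IntendedMembership {
    param([string[]]$GroupIds)
    $inAny  = @($GroupIds | Where-Object { $_ -in $AnyOfGroups }).Count -gt 0
    $inMust = $MustBeInGroup -in $GroupIds
    return ($inAny -and $inMust)
}

# Actual members the service placed in the dynamic group (users only).
$actual = Get-AllPages "https://graph.microsoft.com/v1.0/groups/$DynamicGroupId/transitiveMembers/microsoft.graph.user?`$select=id,userPrincipalName"

foreach ($user in $actual) {
    # user.memberof in a dynamic rule refers to direct memberships, so /memberOf is the right comparison.
    $memberOf = (Get-AllPages "https://graph.microsoft.com/v1.0/users/$($user.id)/memberOf?`$select=id").id
    if (-not (Test-IntendedMembership -GroupIds $memberOf)) {
        [PSCustomObject]@{
            userPrincipalName = $user.userPrincipalName
            memberOf          = ($memberOf -join ',')
            verdict           = 'in dynamic group but fails intended rule'
        }
    }
}
```

Dynamic membership is recalculated asynchronously, so re-run the check after the group's processing status shows it has caught up before treating a mismatch as a parser problem.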