Forum Discussion
Azure Dynamic Group query not working correctly
I have to say, the parsing is frighteningly untrustworthy and inconsistent for this kind of scenario. But while a couple of other iterations produced unexpected results, the following example worked.
Effectively, I brought the single group "and" criterion to the front and finished with the "or" criterion, which produces the correct resulting membership.
Cheers,
Lain
I ran your command for Group C and unfortunately User 3 is not a member of group C.
For further testing, I removed User 3 and added User 4 to Group C only. Lo and behold, User 4 is also part of the dynamic group.
There's something about Group C or the dynamic group query that is allowing all members of Group C into the dynamic group.
Your explanation makes perfect sense, I'm just not sure I can help you diagnose that as it'd really need eyes on the resources.
I wiped and reconstructed my existing example and I still get the expected outcome from the rule.
Here's the example in full (not that there's anything new to share - just everything in one place.)
Cheers,
Lain
I see two groups in your example. Will you try something for me?
-Add a third group with one member that is only in Group003
-Give Candice membership to Group 003
-Update the dynamic group syntax to:
user.memberof -any (group.objectId -in ["8ade68a3-dfed-442e-b8b8-6cd97857f5d9", "Groupd003Id"]) -and user.memberof -any (group.objectId -in ["44490cdd-9c9a-4a8b-b727-ad364aeecbc3"])
I have to say, the parsing is frighteningly untrustworthy and inconsistent for this kind of scenario. But while a couple of other iterations produced unexpected results, the following example worked.
Effectively, I brought the single group "and" criterion to the front and finished with the "or" criterion, which produces the correct resulting membership.
Cheers,
Lain
- is this saying "(A and B) or (C)", or is it saying "(A) and (B or C)"?
Yep, that replicates what you are seeing and is what I would call a bug.
Even so, Microsoft's unlikely to fix it even if they agree unless a major client reports it, so in that context, I might simply see if either using enclosing parenthesis or substituting the "-in" for the longer-form "-or" and see if it can be worked around.
In the image, the green underline is the third group you asked for, while the red underline represents the third user account that only exists in the new third group, meaning it should not be a member of the "Foo" dynamic group, yet clearly is.
Cheers,
Lain