Galaxy876
Copper Contributor
Mar 18, 2025

How to exclude security group members using dynamic query

Hi,

I'm trying to build a dynamic query for a security group and want to exclude members of a certain group in this.

Example: Let's say there's a security group A, and I'm building a new security group B and want to exclude members of group A from being added to group B. I'm struggling to find the right query for this. Any ideas?

2 Replies

  • DavidLundell
    Brass Contributor
    • The memberOf attribute can't be used with other rules. For example, a rule that states dynamic group A should contain members of group B and also should contain only users located in Redmond will fail.

    https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-rule-member-of

    Also bear in mind:

    • Avoid the use of the memberOf operator (https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-rule-member-of) if possible. It's currently in preview, and it comes with bugs and limitations. It can also introduce more complexity, particularly if a tenant has a large number of groups or frequent updates. The recommendation is to delete existing memberOf groups in your tenant.

    From <https://learn.microsoft.com/en-us/entra/identity/users/manage-dynamic-group#optimizing-rule-efficiency>
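
One way to find the memberOf-based dynamic groups that the guidance quoted above recommends removing, added here as an example (not code from either poster or from Microsoft): it scans group objects shaped like Microsoft Graph `group` resources and flags rules that combine memberOf with other conditions. The sample groups and IDs are constructed, and the pattern assumes the `user.memberof -any (group.objectId -in [...])` rule form.

```python
import re

# Constructed sample shaped like Microsoft Graph group objects
# (id, displayName, groupTypes, membershipRule). All values are made up.
GROUP_A = "00000000-0000-0000-0000-00000000000a"
SAMPLE_GROUPS = [
    {"id": GROUP_A, "displayName": "Group A",
     "groupTypes": [], "membershipRule": None},
    {"id": "00000000-0000-0000-0000-00000000000b", "displayName": "Sales users",
     "groupTypes": ["DynamicMembership"],
     "membershipRule": 'user.department -eq "Sales"'},
    {"id": "00000000-0000-0000-0000-00000000000c", "displayName": "Nested via memberOf",
     "groupTypes": ["DynamicMembership"],
     "membershipRule": f"user.memberof -any (group.objectId -in ['{GROUP_A}'])"},
    {"id": "00000000-0000-0000-0000-00000000000d", "displayName": "memberOf plus city",
     "groupTypes": ["DynamicMembership"],
     "membershipRule": f"user.memberof -any (group.objectId -in ['{GROUP_A}'])"
                       ' -and (user.city -eq "Redmond")'},
]

# Assumed rule form: user.memberof -any (group.objectId -in ['<id>', ...])
MEMBEROF_CLAUSE = re.compile(
    r"(?:user|device)\.memberof\s+-any\s*\(\s*group\.objectId\s+-in\s*\[(.*?)\]\s*\)",
    re.IGNORECASE | re.DOTALL)
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

def audit_memberof_rules(groups):
    """Return one finding per dynamic group whose rule mentions memberOf."""
    findings = []
    for group in groups:
        rule = group.get("membershipRule") or ""
        is_dynamic = "DynamicMembership" in (group.get("groupTypes") or [])
        if not is_dynamic or "memberof" not in rule.lower():
            continue
        referenced = [g.lower() for m in MEMBEROF_CLAUSE.finditer(rule)
                      for g in GUID.findall(m.group(1))]
        # Anything left once the memberOf clause(s), spaces and brackets are
        # removed is an extra condition (or a memberOf form not recognised).
        leftover = re.sub(r"[\s()]", "", MEMBEROF_CLAUSE.sub("", rule))
        findings.append({"id": group["id"], "displayName": group["displayName"],
                         "referenced_groups": referenced,
                         "combined_with_other_rules": bool(leftover)})
    return findings

if __name__ == "__main__":
    for finding in audit_memberof_rules(SAMPLE_GROUPS):
        print(finding)
```

Groups reported with `combined_with_other_rules` set are the ones matching the failing pattern described in the first quoted bullet, so they are the first candidates for review.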
