Home

Dynamic Group Membership - issue with rule

%3CLINGO-SUB%20id%3D%22lingo-sub-117239%22%20slang%3D%22en-US%22%3EDynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117239%22%20slang%3D%22en-US%22%3E%3CP%3EI%20created%20a%20new%20Dynamic%20Group%20with%20the%20following%20rule%3A%3C%2FP%3E%3CP%3E(user.accountEnabled%20-eq%20true%20-and%20user.employeeID%20-ne%20%24null)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20no%20members%20are%20being%20added.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20spot%20what%20may%20be%20the%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-117239%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDynamic%20Group%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-118445%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-118445%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20always%20open%20a%20support%20case%20and%20get%20an%20official%20answer%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-118211%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-118211%22%20slang%3D%22en-US%22%3EOk%2C%20that%20may%20be%20the%20issue.%20The%20wording%20in%20the%20documentation%20was%20unclear%20with%20respect%20to%20this.%20At%20one%20point%20is%20said%20the%20tenant%20has%20to%20have%20Azure%20AD%20Premium%3B%20our%20tenant%20has%20P1.%3CBR%20%2F%3EI%20was%20actually%20trying%20to%20use%20this%20group%20to%20assign%20EMS%20licenses%2C%20therefore%20the%20users%20were%20not%20yet%20licensed.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20just%20created%20a%20group%20on-premises%20and%20synced%20it%2C%20assigning%20the%20license%20to%20the%20synced%20group.%3CBR%20%2F%3E%3CBR%20%2F%3EHowever%2C%20after%20that%20my%20Dynamic%20group%20is%20still%20empty.%3CBR%20%2F%3EThis%20time%20when%20I%20edit%20the%20Dynamic%20membership%20rule%20I%20finally%20get%20an%20error%20that%20employeeID%20is%20an%20unsupported%20property.%20I%20modified%20the%20rule%20to%20use%20the%20customized%20synced%20property%2C%20but%20the%20group%20is%20still%20empty.%3CBR%20%2F%3E%3CBR%20%2F%3ESomehow%20my%20test%20group%2C%20with%20the%20simple%20rule%20of%20(user.accountEnabled%20-eq%20true)%20is%20populated%2C%20but%20with%20more%20that%201000%20users%20and%20we%20only%20have%20885%20EMS%20licenses.%3CBR%20%2F%3E%3CBR%20%2F%3EDynamic%20groups%20is%20not%20working%20consistently.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117684%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117684%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20have%20the%20necessary%20licenses%20applied%3F%20The%20feature%20requires%20Azure%20AD%20Premium%20for%20ALL%20users%20in%20the%20scope%20of%20the%20rule.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117455%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117455%22%20slang%3D%22en-US%22%3EI%20just%20did%20a%20new%20test%20group%20with%20a%20simple%20rule%20of%20(user.accountEnabled%20-eq%20true)%20and%20it%20still%20came%20up%20empty.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20think%20there%20may%20be%20something%20broken%20or%20something%20fundamental%20that%20I%20am%20missing.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117442%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117442%22%20slang%3D%22en-US%22%3E%3CP%3ECant%20you%20use%20any%20other%20attribute%20from%20the%20supported%20list%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117434%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117434%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20reply.%20I%20just%20added%20the%20parenthesis%2C%20but%20it%20still%20says%200%20members.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20didn't%20see%20employeeID%20in%20the%20help%20document%2C%20as%20you%20are%20pointing%20out%2C%20however%20I%20did%20sync%20employeeID%20as%20a%20custom%20attribute%20and%20tried%20that%20custom%20attribute%20with%20varied%20results.%3C%2FP%3E%3CP%3EThere%20was%20also%20the%20recommendation%20in%20the%20help%20document%20to%20use%20the%20Graph%20Explorer%20to%20see%20the%20attributes%2C%20and%20when%20I%20did%20that%20I%20noticed%20that%20even%20though%20employeeID%20was%20not%20listed%20in%20the%20Dynamic%20Groups%20help%20page%2C%20it%20is%20there%20on%20the%20user%20object.%3C%2FP%3E%3CP%3EIf%20I%20intentionally%20do%20a%20typo%20in%20employeeID%20(employeeI%20for%20example)%20the%20Dynamic%20memberthip%20rule%20editor%20interface%20throws%20an%20error%2C%20so%20it%20is%20validating%20and%20accepting%20the%20input.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20stumpted.%3C%2FP%3E%3CP%3EIs%20there%20any%20way%20to%20troubleshoot%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117427%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117427%22%20slang%3D%22en-US%22%3E%3CP%3EParanthesis%3F%20Try%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(user.accountEnabled%20-eq%20true)%20-and%20(user.employeeID%20-ne%20%24null)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWell%2C%20also%20the%20fact%20that%20employeeID%20is%20not%20supported.%20You%20can%20find%20the%20list%20of%20supported%20proeprties%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-accessmanagement-groups-with-advanced-rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-accessmanagement-groups-with-advanced-rules%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Richard Bailey
New Contributor

I created a new Dynamic Group with the following rule:

(user.accountEnabled -eq true -and user.employeeID -ne $null)

 

But no members are being added.

 

Can anyone spot what may be the issue?

7 Replies

Paranthesis? Try this:

 

(user.accountEnabled -eq true) -and (user.employeeID -ne $null)

 

Well, also the fact that employeeID is not supported. You can find the list of supported proeprties here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-wit...

Thanks for the reply. I just added the parenthesis, but it still says 0 members.

 

I didn't see employeeID in the help document, as you are pointing out, however I did sync employeeID as a custom attribute and tried that custom attribute with varied results.

There was also the recommendation in the help document to use the Graph Explorer to see the attributes, and when I did that I noticed that even though employeeID was not listed in the Dynamic Groups help page, it is there on the user object.

If I intentionally do a typo in employeeID (employeeI for example) the Dynamic memberthip rule editor interface throws an error, so it is validating and accepting the input.

 

I am stumpted.

Is there any way to troubleshoot this?

Cant you use any other attribute from the supported list?

I just did a new test group with a simple rule of (user.accountEnabled -eq true) and it still came up empty.

I think there may be something broken or something fundamental that I am missing.

Do you have the necessary licenses applied? The feature requires Azure AD Premium for ALL users in the scope of the rule.

Ok, that may be the issue. The wording in the documentation was unclear with respect to this. At one point is said the tenant has to have Azure AD Premium; our tenant has P1.
I was actually trying to use this group to assign EMS licenses, therefore the users were not yet licensed.

I just created a group on-premises and synced it, assigning the license to the synced group.

However, after that my Dynamic group is still empty.
This time when I edit the Dynamic membership rule I finally get an error that employeeID is an unsupported property. I modified the rule to use the customized synced property, but the group is still empty.

Somehow my test group, with the simple rule of (user.accountEnabled -eq true) is populated, but with more that 1000 users and we only have 885 EMS licenses.

Dynamic groups is not working consistently.

You can always open a support case and get an official answer :)

Related Conversations
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
7 Replies