Microsoft Tech Community

Dynamic Group Membership - issue with rule

I created a new Dynamic Group with the following rule:

(user.accountEnabled -eq true -and user.employeeID -ne $null)


But no members are being added.


Can anyone spot what may be the issue?

8 Replies

Parentheses? Try this:


(user.accountEnabled -eq true) -and (user.employeeID -ne $null)


Well, also the fact that employeeID is not supported. You can find the list of supported properties here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-wit...

Thanks for the reply. I just added the parenthesis, but it still says 0 members.


I didn't see employeeID in the help document, as you are pointing out, however I did sync employeeID as a custom attribute and tried that custom attribute with varied results.

There was also the recommendation in the help document to use the Graph Explorer to see the attributes, and when I did that I noticed that even though employeeID was not listed in the Dynamic Groups help page, it is there on the user object.

If I intentionally make a typo in employeeID (employeeI, for example) the Dynamic membership rule editor interface throws an error, so it is validating and accepting the input.


I am stumped.

Is there any way to troubleshoot this?

Can't you use any other attribute from the supported list?

I just did a new test group with a simple rule of (user.accountEnabled -eq true) and it still came up empty.

I think there may be something broken or something fundamental that I am missing.

Do you have the necessary licenses applied? The feature requires Azure AD Premium for ALL users in the scope of the rule.

Ok, that may be the issue. The wording in the documentation was unclear with respect to this. At one point it said the tenant has to have Azure AD Premium; our tenant has P1.
I was actually trying to use this group to assign EMS licenses, therefore the users were not yet licensed.

I just created a group on-premises and synced it, assigning the license to the synced group.

However, after that my Dynamic group is still empty.
This time when I edit the Dynamic membership rule I finally get an error that employeeID is an unsupported property. I modified the rule to use the customized synced property, but the group is still empty.

Somehow my test group, with the simple rule of (user.accountEnabled -eq true), is populated, but with more than 1000 users, and we only have 885 EMS licenses.

Dynamic groups are not working consistently.
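The thread turns on two separate questions: whether the rule expression itself is malformed (the parentheses suggestion) and whether the rule references a property the membership engine does not support (employeeID). The following is an added example, not code from the original post or from Microsoft: a small offline evaluator for the subset of the dynamic membership rule grammar used above (user.property, -eq / -ne, true / false / $null / "string", -and / -or, parentheses). It is run against a constructed set of user objects. The SUPPORTED_USER_PROPERTIES set is a small illustrative subset chosen for this example, not Microsoft's real list; the authoritative list is in the documentation linked earlier in the thread, and it has changed over time, so do not read the set below as a statement of what the service supports today. The example shows that both bracketings of the original rule produce the same members, and that a rule naming a property outside the supported set is rejected at validation time, which is the same behaviour the rule editor eventually showed the poster.

```python
import re

# Constructed subset of rule-supported user properties (assumption for this
# example; the real list lives in Microsoft's dynamic membership docs).
SUPPORTED_USER_PROPERTIES = {
    "accountEnabled", "city", "country", "department",
    "extensionAttribute1", "userType",
}
# Rule property names are matched case-insensitively (assumption).
_CANONICAL = {p.lower(): p for p in SUPPORTED_USER_PROPERTIES}

_TOKEN_RE = re.compile(
    r'\s*(\(|\)|-and|-or|-eq|-ne|\$null|true|false|"[^"]*"|user\.[A-Za-z0-9_]+)',
    re.IGNORECASE,
)


class RuleError(ValueError):
    """Raised when a rule fails validation (syntax or unsupported property)."""


def tokenize(rule):
    tokens, pos = [], 0
    while pos < len(rule):
        m = _TOKEN_RE.match(rule, pos)
        if not m:
            if rule[pos:].strip() == "":
                break
            raise RuleError(f"unexpected input at offset {pos}: {rule[pos:pos + 10]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(tokens):
    """Recursive-descent parser. AST nodes: ('and', l, r), ('or', l, r),
    ('cmp', property, 'eq'|'ne', literal)."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def literal(tok):
        if tok is None:
            raise RuleError("missing value")
        if tok.lower() == "$null":
            return None
        if tok.lower() in ("true", "false"):
            return tok.lower() == "true"
        if tok.startswith('"'):
            return tok[1:-1]
        raise RuleError(f"bad value {tok!r}")

    def term():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise RuleError("missing closing parenthesis")
            return node
        if tok is None or not tok.lower().startswith("user."):
            raise RuleError(f"expected user.<property>, got {tok!r}")
        prop = _CANONICAL.get(tok[5:].lower())
        if prop is None:
            # This mirrors the editor's "unsupported property" rejection.
            raise RuleError(f"unsupported property: {tok[5:]}")
        op = take()
        if op is None or op.lower() not in ("-eq", "-ne"):
            raise RuleError(f"expected -eq or -ne after user.{prop}")
        return ("cmp", prop, op.lower()[1:], literal(take()))

    def expr():
        node = term()
        while peek() is not None and peek().lower() in ("-and", "-or"):
            node = (take().lower()[1:], node, term())
        return node

    tree = expr()
    if pos != len(tokens):
        raise RuleError(f"unexpected token {tokens[pos]!r}")
    return tree


def evaluate(node, user):
    if node[0] == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if node[0] == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    _, prop, op, value = node
    actual = user.get(prop)  # absent attribute behaves like $null
    return actual == value if op == "eq" else actual != value


def validate_rule(rule):
    """Returns (ok, message), like the rule editor's validation step."""
    try:
        parse(tokenize(rule))
        return True, "rule accepted"
    except RuleError as e:
        return False, str(e)


def members(rule, users):
    tree = parse(tokenize(rule))
    return [u["userPrincipalName"] for u in users if evaluate(tree, u)]


# Constructed sample directory objects (not real tenant data). employeeId is
# present on the object, as it is in Graph Explorer, but is not rule-supported here.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "department": "Sales", "employeeId": "1001"},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "department": None, "employeeId": "1002"},
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": False,
     "department": "IT", "employeeId": "1003"},
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True},
]

RULE_UNBRACKETED = '(user.accountEnabled -eq true -and user.department -ne $null)'
RULE_BRACKETED = '(user.accountEnabled -eq true) -and (user.department -ne $null)'
RULE_EMPLOYEEID = '(user.accountEnabled -eq true) -and (user.employeeID -ne $null)'

if __name__ == "__main__":
    print(members(RULE_UNBRACKETED, SAMPLE_USERS))
    print(members(RULE_BRACKETED, SAMPLE_USERS))
    print(validate_rule(RULE_EMPLOYEEID))
```

Running it shows both bracketings of the accountEnabled/department rule selecting the same single user, so the parentheses were never the cause, while the employeeID rule is rejected before any user is evaluated. When a real group stays empty even though the rule validates, the remaining variables are exactly the ones raised later in the thread: licensing of the users in scope and processing delay, neither of which a syntax check can reveal.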

You can always open a support case and get an official answer :)

@Vasil Michev Not really a solution. In our experience, the average time to closure on any case with Microsoft is 6 weeks or longer. The reality about support is that nobody at Microsoft really knows their products. Also, things should be wizard driven, but are not. So you are crestfallen when after 4 weeks of banging your head against the wall, someone finally tells you, "you don't have the right license".