Home

Dynamic Group Membership - issue with rule

%3CLINGO-SUB%20id%3D%22lingo-sub-117239%22%20slang%3D%22en-US%22%3EDynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117239%22%20slang%3D%22en-US%22%3E%3CP%3EI%20created%20a%20new%20Dynamic%20Group%20with%20the%20following%20rule%3A%3C%2FP%3E%3CP%3E(user.accountEnabled%20-eq%20true%20-and%20user.employeeID%20-ne%20%24null)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20no%20members%20are%20being%20added.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20spot%20what%20may%20be%20the%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-117239%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDynamic%20Group%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-118445%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-118445%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20always%20open%20a%20support%20case%20and%20get%20an%20official%20answer%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-118211%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-118211%22%20slang%3D%22en-US%22%3EOk%2C%20that%20may%20be%20the%20issue.%20The%20wording%20in%20the%20documentation%20was%20unclear%20with%20respect%20to%20this.%20At%20one%20point%20is%20said%20the%20tenant%20has%20to%20have%20Azure%20AD%20Premium%3B%20our%20tenant%20has%20P1.%3CBR%20%2F%3EI%20was%20actually%20trying%20to%20use%20this%20group%20to%20assign%20EMS%20licenses%2C%20therefore%20the%20users%20were%20not%20yet%20licensed.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20just%20created%20a%20group%20on-premises%20and%20synced%20it%2C%20assigning%20the%20license%20to%20the%20synced%20group.%3CBR%20%2F%3E%3CBR%20%2F%3EHowever%2C%20after%20that%20my%20Dynamic%20group%20is%20still%20empty.%3CBR%20%2F%3EThis%20time%20when%20I%20edit%20the%20Dynamic%20membership%20rule%20I%20finally%20get%20an%20error%20that%20employeeID%20is%20an%20unsupported%20property.%20I%20modified%20the%20rule%20to%20use%20the%20customized%20synced%20property%2C%20but%20the%20group%20is%20still%20empty.%3CBR%20%2F%3E%3CBR%20%2F%3ESomehow%20my%20test%20group%2C%20with%20the%20simple%20rule%20of%20(user.accountEnabled%20-eq%20true)%20is%20populated%2C%20but%20with%20more%20that%201000%20users%20and%20we%20only%20have%20885%20EMS%20licenses.%3CBR%20%2F%3E%3CBR%20%2F%3EDynamic%20groups%20is%20not%20working%20consistently.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117684%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117684%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20have%20the%20necessary%20licenses%20applied%3F%20The%20feature%20requires%20Azure%20AD%20Premium%20for%20ALL%20users%20in%20the%20scope%20of%20the%20rule.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117455%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117455%22%20slang%3D%22en-US%22%3EI%20just%20did%20a%20new%20test%20group%20with%20a%20simple%20rule%20of%20(user.accountEnabled%20-eq%20true)%20and%20it%20still%20came%20up%20empty.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20think%20there%20may%20be%20something%20broken%20or%20something%20fundamental%20that%20I%20am%20missing.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117442%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117442%22%20slang%3D%22en-US%22%3E%3CP%3ECant%20you%20use%20any%20other%20attribute%20from%20the%20supported%20list%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117434%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117434%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20reply.%20I%20just%20added%20the%20parenthesis%2C%20but%20it%20still%20says%200%20members.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20didn't%20see%20employeeID%20in%20the%20help%20document%2C%20as%20you%20are%20pointing%20out%2C%20however%20I%20did%20sync%20employeeID%20as%20a%20custom%20attribute%20and%20tried%20that%20custom%20attribute%20with%20varied%20results.%3C%2FP%3E%3CP%3EThere%20was%20also%20the%20recommendation%20in%20the%20help%20document%20to%20use%20the%20Graph%20Explorer%20to%20see%20the%20attributes%2C%20and%20when%20I%20did%20that%20I%20noticed%20that%20even%20though%20employeeID%20was%20not%20listed%20in%20the%20Dynamic%20Groups%20help%20page%2C%20it%20is%20there%20on%20the%20user%20object.%3C%2FP%3E%3CP%3EIf%20I%20intentionally%20do%20a%20typo%20in%20employeeID%20(employeeI%20for%20example)%20the%20Dynamic%20memberthip%20rule%20editor%20interface%20throws%20an%20error%2C%20so%20it%20is%20validating%20and%20accepting%20the%20input.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20stumpted.%3C%2FP%3E%3CP%3EIs%20there%20any%20way%20to%20troubleshoot%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-117427%22%20slang%3D%22en-US%22%3ERe%3A%20Dynamic%20Group%20Membership%20-%20issue%20with%20rule%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-117427%22%20slang%3D%22en-US%22%3E%3CP%3EParanthesis%3F%20Try%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(user.accountEnabled%20-eq%20true)%20-and%20(user.employeeID%20-ne%20%24null)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWell%2C%20also%20the%20fact%20that%20employeeID%20is%20not%20supported.%20You%20can%20find%20the%20list%20of%20supported%20proeprties%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-accessmanagement-groups-with-advanced-rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-accessmanagement-groups-with-advanced-rules%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Richard Bailey
New Contributor

I created a new Dynamic Group with the following rule:

(user.accountEnabled -eq true -and user.employeeID -ne $null)

 

But no members are being added.

 

Can anyone spot what may be the issue?

7 Replies
Highlighted

Paranthesis? Try this:

 

(user.accountEnabled -eq true) -and (user.employeeID -ne $null)

 

Well, also the fact that employeeID is not supported. You can find the list of supported proeprties here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-wit...

Highlighted

Thanks for the reply. I just added the parenthesis, but it still says 0 members.

 

I didn't see employeeID in the help document, as you are pointing out, however I did sync employeeID as a custom attribute and tried that custom attribute with varied results.

There was also the recommendation in the help document to use the Graph Explorer to see the attributes, and when I did that I noticed that even though employeeID was not listed in the Dynamic Groups help page, it is there on the user object.

If I intentionally do a typo in employeeID (employeeI for example) the Dynamic memberthip rule editor interface throws an error, so it is validating and accepting the input.

 

I am stumpted.

Is there any way to troubleshoot this?

Highlighted

Cant you use any other attribute from the supported list?

Highlighted
I just did a new test group with a simple rule of (user.accountEnabled -eq true) and it still came up empty.

I think there may be something broken or something fundamental that I am missing.
Highlighted

Do you have the necessary licenses applied? The feature requires Azure AD Premium for ALL users in the scope of the rule.

Highlighted
Ok, that may be the issue. The wording in the documentation was unclear with respect to this. At one point is said the tenant has to have Azure AD Premium; our tenant has P1.
I was actually trying to use this group to assign EMS licenses, therefore the users were not yet licensed.

I just created a group on-premises and synced it, assigning the license to the synced group.

However, after that my Dynamic group is still empty.
This time when I edit the Dynamic membership rule I finally get an error that employeeID is an unsupported property. I modified the rule to use the customized synced property, but the group is still empty.

Somehow my test group, with the simple rule of (user.accountEnabled -eq true) is populated, but with more that 1000 users and we only have 885 EMS licenses.

Dynamic groups is not working consistently.
Highlighted

You can always open a support case and get an official answer :)