cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
Find out more
SOLVED

Azure Dynamic Group query not working correctly

ChaseOfSpades
Copper Contributor

‎Oct 07 2022 01:15 PM

‎Oct 07 2022 01:15 PM

Azure Dynamic Group query not working correctly

Here is my query: 

user.memberof -any (group.objectId -in ["GroupIdA", "GroupIdB"]) -and user.memberof -any (group.objectId -in ["GroupIdC"])

 

I would like to only allow members into the dynamic group if they are simultaneously a member of GroupC and any group in the collection of Group A and B

 

User 1 is a member of C and A. He is currently in the group. This is correct.

User 2 is a member of C, but not A or B. She is not currently in the group. This is correct.

User 3 is a member of B, but not C. She is currently in the group. This is incorrect.

 

Can anyone tell me why User 3 is in the dynamic group?

Labels:
3,626 Views
0 Likes
11 Replies
Reply
11 Replies
LainRobertson

‎Oct 07 2022 07:15 PM

‎Oct 07 2022 07:15 PM

Re: Azure Dynamic Group query not working correctly

@ChaseOfSpades 

 

I have seen PowerShell botch the order of precedence before, meaning using parenthesis around the different sections sometimes helps, but I don't think that's what's going on here as this isn't really a PowerShell scenario - it's just the syntax looks similar.

 

I'm not a betting man, but if I were, I'd have no other option than to suggest that User 3 actually is a member of GroupIdC.

 

You can use something like the following to check the transitive membership of GrouIdC via the Microsoft.Graph.Groups module:

 

(Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/groups?$filter=displayName eq ''foo''&$select=TransitiveMembers&$expand=TransitiveMembers').value.TransitiveMembers | ForEach-Object { [PSCustomObject]$_ } | ft -AutoSize id, userPrincipalName, displayName

 

Just change the group displayName value within that command.

 

Cheers,

Lain

0 Likes
Reply
ChaseOfSpades

‎Oct 10 2022 07:15 AM

‎Oct 10 2022 07:15 AM

Re: Azure Dynamic Group query not working correctly

@LainRobertson 

 

I ran your command for Group C and unfortunately User 3 is not a member of group C.

 

For further testing, I removed User 3 and added User 4 to Group C only. Lo and behold, User 4 is also part of the dynamic group. 

 

There's something about Group C or the dynamic group query that is allowing all members of Group C into the dynamic group.

0 Likes
Reply
LainRobertson

‎Oct 10 2022 05:14 PM

‎Oct 10 2022 05:14 PM

Re: Azure Dynamic Group query not working correctly

@ChaseOfSpades 

 

Your explanation makes perfect sense, I'm just not sure I can help you diagnose that as it'd really need eyes on the resources.

 

I wiped and reconstructed my existing example and I still get the expected outcome from the rule.

 

Here's the example in full (not that there's anything new to share - just everything in one place.)

 

LainRobertson_0-1665447180748.png

 

Cheers,

Lain

0 Likes
Reply
ChaseOfSpades

‎Oct 11 2022 05:36 AM

‎Oct 11 2022 05:36 AM

Re: Azure Dynamic Group query not working correctly

@LainRobertson 

 

I see two groups in your example. Will you try something for me?

 

-Add a third group with one member that is only in Group003

-Give Candice membership to Group 003

-Update the dynamic group syntax to: 

user.memberof -any (group.objectId -in ["8ade68a3-dfed-442e-b8b8-6cd97857f5d9", "Groupd003Id"]) -and user.memberof -any (group.objectId -in ["44490cdd-9c9a-4a8b-b727-ad364aeecbc3"])

0 Likes
Reply
LainRobertson

‎Oct 11 2022 06:10 AM

‎Oct 11 2022 06:10 AM

Re: Azure Dynamic Group query not working correctly

@ChaseOfSpades 

 

Yep, that replicates what you are seeing and is what I would call a bug.

 

Even so, Microsoft's unlikely to fix it even if they agree unless a major client reports it, so in that context, I might simply see if either using enclosing parenthesis or substituting the "-in" for the longer-form "-or" and see if it can be worked around.

 

In the image, the green underline is the third group you asked for, while the red underline represents the third user account that only exists in the new third group, meaning it should not be a member of the "Foo" dynamic group, yet clearly is.

 

LainRobertson_0-1665493699057.png

 

Cheers,

Lain

0 Likes
Reply
best response confirmed by ChaseOfSpades (Copper Contributor)
LainRobertson

‎Oct 11 2022 06:30 AM

‎Oct 11 2022 06:30 AM

Solution

Re: Azure Dynamic Group query not working correctly

@ChaseOfSpades 

 

I have to say, the parsing is frighteningly untrustworthy and inconsistent for this kind of scenario. But while a couple of other iterations produced unexpected results, the following example worked.

 

Effectively, I brought the single group "and" criterion to the front and finished with the "or" criterion, which produces the correct resulting membership.

 

LainRobertson_0-1665495019303.png

 

Cheers,

Lain

0 Likes
Reply
ChaseOfSpades

‎Oct 11 2022 06:36 AM

‎Oct 11 2022 06:36 AM

Re: Azure Dynamic Group query not working correctly

is this saying "(A and B) or (C)", or is it saying "(A) and (B or C)"?
0 Likes
Reply
LainRobertson

‎Oct 11 2022 06:42 AM - edited ‎Oct 11 2022 06:45 AM

‎Oct 11 2022 06:42 AM - edited ‎Oct 11 2022 06:45 AM

Re: Azure Dynamic Group query not working correctly

@ChaseOfSpades 

 

The latter, which in my example is:

 

Group003 -and (Group001 -or Group002)

 

Basically, I've removed the "-in" statement that held both groups and expanded it out to the fuller "-or" equivalent.

 

Using your example groups, and in text form, this reads like:

 

user.memberOf any (group.objectId in ["GroupC"]) and
(user.memberOf any (group.objectId eq "GroupA") or user.memberOf any (group.objectId eq "GroupB"))

 

Cheers,

Lain

0 Likes
Reply
ChaseOfSpades

‎Oct 11 2022 07:49 AM

‎Oct 11 2022 07:49 AM

Re: Azure Dynamic Group query not working correctly

I have tried to replicate this logic in my own dynamic group, and it has resolved the initial issue. A GroupB-only members are not showing up in the dynamic group.

Unfortunately, I've noticed another issue. The dynamic group contains any members of Group C, whether they exist in Groups A/B or not.

Here is my query:
user.memberof any (group.objectId in ["GroupCId"]) and (user.memberof any (group.objectId eq ["GroupAId"]) or user.memberof any (group.objectId eq ["GroupBId"]))
0 Likes
Reply
LainRobertson

‎Oct 11 2022 05:19 PM

‎Oct 11 2022 05:19 PM

Re: Azure Dynamic Group query not working correctly

@ChaseOfSpades 

 

I can't reproduce that particular outcome.

 

I created another new user and added them to my Group003 (analogous to your GroupC) but they correctly don't feature in the "parent" group, Foo.

 

LainRobertson_0-1665533916003.png

 

Cheers,

Lain

0 Likes
Reply
ChaseOfSpades

‎Oct 12 2022 05:10 AM

‎Oct 12 2022 05:10 AM

Re: Azure Dynamic Group query not working correctly

Alright, I'll keep tinkering with it. Thank you Lain for all of your help on this.
1 Like
Reply