Microsoft Tech Community

Azure Dynamic Group query not working correctly

Copper Contributor

Here is my query: 

user.memberof -any (group.objectId -in ["GroupIdA", "GroupIdB"]) -and user.memberof -any (group.objectId -in ["GroupIdC"])


I would like to only allow members into the dynamic group if they are simultaneously a member of GroupC and any group in the collection of Group A and B.


User 1 is a member of C and A. He is currently in the group. This is correct.

User 2 is a member of C, but not A or B. She is not currently in the group. This is correct.

User 3 is a member of B, but not C. She is currently in the group. This is incorrect.


Can anyone tell me why User 3 is in the dynamic group?

11 Replies



I have seen PowerShell botch the order of precedence before, meaning using parentheses around the different sections sometimes helps, but I don't think that's what's going on here as this isn't really a PowerShell scenario - it's just that the syntax looks similar.


I'm not a betting man, but if I were, I'd have no other option than to suggest that User 3 actually is a member of GroupIdC.


You can use something like the following to check the transitive membership of GroupIdC via the Microsoft.Graph.Groups module:


(Invoke-MgGraphRequest -Method GET -Uri '/groups?$filter=displayName eq ''foo''&$select=TransitiveMembers&$expand=TransitiveMembers').value.TransitiveMembers | ForEach-Object { [PSCustomObject]$_ } | ft -AutoSize id, userPrincipalName, displayName


Just change the group displayName value within that command.






I ran your command for Group C and unfortunately User 3 is not a member of group C.


For further testing, I removed User 3 and added User 4 to Group C only. Lo and behold, User 4 is also part of the dynamic group. 


There's something about Group C or the dynamic group query that is allowing all members of Group C into the dynamic group.



Your explanation makes perfect sense, I'm just not sure I can help you diagnose that as it'd really need eyes on the resources.


I wiped and reconstructed my existing example and I still get the expected outcome from the rule.


Here's the example in full (not that there's anything new to share - just everything in one place.)








I see two groups in your example. Will you try something for me?


- Add a third group with one member that is only in Group003

- Give Candice membership to Group003

- Update the dynamic group syntax to:

user.memberof -any (group.objectId -in ["8ade68a3-dfed-442e-b8b8-6cd97857f5d9", "Group003Id"]) -and user.memberof -any (group.objectId -in ["44490cdd-9c9a-4a8b-b727-ad364aeecbc3"])



Yep, that replicates what you are seeing and is what I would call a bug.


Even so, Microsoft's unlikely to fix it even if they agree unless a major client reports it, so in that context, I might simply try either using enclosing parentheses or substituting the "-in" for the longer-form "-or" and see if it can be worked around.


In the image, the green underline is the third group you asked for, while the red underline represents the third user account that only exists in the new third group, meaning it should not be a member of the "Foo" dynamic group, yet clearly is.






best response confirmed by ChaseOfSpades (Copper Contributor)



I have to say, the parsing is frighteningly untrustworthy and inconsistent for this kind of scenario. But while a couple of other iterations produced unexpected results, the following example worked.


Effectively, I brought the single group "and" criterion to the front and finished with the "or" criterion, which produces the correct resulting membership.






Is this saying "(A and B) or (C)", or is it saying "(A) and (B or C)"?



The latter, which in my example is:


Group003 -and (Group001 -or Group002)


Basically, I've removed the "-in" statement that held both groups and expanded it out to the fuller "-or" equivalent.


Using your example groups, and in text form, this reads like:


user.memberOf any (group.objectId in ["GroupC"]) and
(user.memberOf any (group.objectId eq "GroupA") or user.memberOf any (group.objectId eq "GroupB"))
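Because the rule parser can't be trusted here, the practical check is to compute the membership the rule is meant to produce, C and (A or B), from the source groups and diff it against what the directory actually put in the dynamic group. The script below is an added example for that audit, not code from the thread or from Microsoft; it assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules, placeholder object IDs for the four groups, and that the memberOf rule is evaluated on direct membership (use Get-MgGroupTransitiveMember in Get-UserIdSet if nesting matters in your tenant).

```powershell
# Added example: audit a dynamic group against the intended logic C AND (A OR B).
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All' -NoWelcome

$GroupAId  = '<GroupA objectId>'          # placeholder, replace with your value
$GroupBId  = '<GroupB objectId>'          # placeholder
$GroupCId  = '<GroupC objectId>'          # placeholder
$DynamicId = '<dynamic group objectId>'   # placeholder

# Direct user members of a group, as a set of user object IDs (groups/devices are skipped).
function Get-UserIdSet([string]$GroupId) {
    $set = [System.Collections.Generic.HashSet[string]]::new()
    Get-MgGroupMember -GroupId $GroupId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { [void]$set.Add($_.Id) }
    return ,$set
}

$a = Get-UserIdSet $GroupAId
$b = Get-UserIdSet $GroupBId
$c = Get-UserIdSet $GroupCId

# Expected membership = C intersect (A union B), i.e. what the rule is supposed to express.
$expected = [System.Collections.Generic.HashSet[string]]::new([string[]]$a)
$expected.UnionWith($b)
$expected.IntersectWith($c)

# Actual membership = the users the directory has placed in the dynamic group.
$actual = Get-UserIdSet $DynamicId

# Users the rule let in that it should not have (the User 3 / User 4 symptom), and the reverse.
$unexpected = [System.Collections.Generic.HashSet[string]]::new([string[]]$actual)
$unexpected.ExceptWith($expected)
$missing = [System.Collections.Generic.HashSet[string]]::new([string[]]$expected)
$missing.ExceptWith($actual)

"Expected $($expected.Count) members, actual $($actual.Count): $($unexpected.Count) unexpected, $($missing.Count) missing"
foreach ($id in $unexpected) {
    $u = Get-MgUser -UserId $id -Property 'userPrincipalName'
    "UNEXPECTED  $($u.UserPrincipalName)  (in dynamic group but fails C AND (A OR B))"
}
foreach ($id in $missing) {
    $u = Get-MgUser -UserId $id -Property 'userPrincipalName'
    "MISSING     $($u.UserPrincipalName)  (satisfies C AND (A OR B) but not in dynamic group)"
}
```

Dynamic membership is evaluated asynchronously, so run the audit after the group's processing status shows it has finished re-evaluating; otherwise a recently changed rule will show transient "missing" or "unexpected" entries.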




I have tried to replicate this logic in my own dynamic group, and it has resolved the initial issue. GroupB-only members are not showing up in the dynamic group.

Unfortunately, I've noticed another issue. The dynamic group contains any members of Group C, whether they exist in Groups A/B or not.

Here is my query:
user.memberof any (group.objectId in ["GroupCId"]) and (user.memberof any (group.objectId eq ["GroupAId"]) or user.memberof any (group.objectId eq ["GroupBId"]))



I can't reproduce that particular outcome.


I created another new user and added them to my Group003 (analogous to your GroupC) but they correctly don't feature in the "parent" group, Foo.






Alright, I'll keep tinkering with it. Thank you Lain for all of your help on this.