Dynamic membership rules

Dear all,

May I know how to add expression rules to our dynamic group in order to remove those inactive users? The current workaround is to change the group type to the assigned group type, remove the inactive user, and then change it back to a dynamic group.

Will be grateful for any help you can provide.

Thanks.

7 Replies
Hi,

It depends on how you mark a user as inactive. I hope those users are disabled. So you can use the expression:

user.accountEnabled -eq false

All other available options are defined in the following Microsoft blog

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

Please let me know if this fixes your problem. Or please let us know how you mark users as inactive.

Kind regards,

René

Hi @Mr_Helaas Thank you! I will try again and let you know. Cheers

Hi @Mr_Helaas is it possible to filter those users who are already blocked from sign in?

[Image: Block Sign in.png]

Hi,

If you click on block sign in, the user will be disabled in Azure AD and you can use the expression that I have posted in the previous comment to filter them out.

Kind regards,

René

Hi @Mr_Helaas ,

Thank you! Please see the below attached. Is it correct?

[Image: Sk73_0-1649052189064.png]

You could use the validate rule to determine if the user that was disabled (blocked sign in) shows up

Hi @Rudy_Ooms_MVP Thanks!

Just now I created a disaster 😂
Luckily my Infra manager quickly found out and changed the rules for me.
Before was user.accountEnabled -eq false     filter those enabled users
Now is        user.accountEnabled -eq true      filter those disabled users
Anyway, we have managed to set it up correctly now. Thank you, guys!
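
A local preview of the two rules discussed in this thread, added here as an example and not written by any participant above. It shows that a dynamic rule selects who becomes a member, so `user.accountEnabled -eq false` fills the group with disabled accounts while `-eq true` keeps them out. The sample users and the function names are constructed for illustration, and the parser handles only `-eq`/`-ne` clauses joined by `-and`; it is not the Azure AD rule engine.

```python
import re

# Constructed sample directory (illustrative accounts, not real users).
USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,  "department": "Sales"},
    {"userPrincipalName": "bob@contoso.example",   "accountEnabled": False, "department": "Sales"},
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": True,  "department": "IT"},
]

# One clause: user.<property> -eq|-ne true|false|"string", optionally in parentheses.
CLAUSE = re.compile(r'^\(?\s*user\.(\w+)\s+-(eq|ne)\s+(true|false|"[^"]*")\s*\)?$', re.I)


def _norm(value):
    # Compare strings case-insensitively; leave booleans untouched.
    return value.lower() if isinstance(value, str) else value


def parse_rule(rule):
    """Parse a small subset of the rule syntax into (property, operator, value) tuples."""
    clauses = []
    for part in re.split(r"\s+-and\s+", rule.strip(), flags=re.I):
        m = CLAUSE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        prop, op, raw = m.group(1), m.group(2).lower(), m.group(3)
        value = raw[1:-1] if raw.startswith('"') else raw.lower() == "true"
        clauses.append((prop, op, value))
    return clauses


def members(rule, users):
    """Return the UPNs the rule would include as group members."""
    clauses = parse_rule(rule)

    def matches(user):
        return all((_norm(user.get(p)) == _norm(v)) == (op == "eq") for p, op, v in clauses)

    return [u["userPrincipalName"] for u in users if matches(u)]


def disabled_members(rule, users):
    """Return disabled accounts the rule would still include (should be empty)."""
    disabled = {u["userPrincipalName"] for u in users if not u["accountEnabled"]}
    return [upn for upn in members(rule, users) if upn in disabled]


if __name__ == "__main__":
    for rule in ("user.accountEnabled -eq false", "user.accountEnabled -eq true"):
        print(rule, "->", members(rule, USERS), "| disabled included:", disabled_members(rule, USERS))
```

A non-empty result from `disabled_members` for a candidate rule is the signal that blocked accounts would keep whatever the group grants.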