Dynamic group membership rules with application assignment

Occasional Contributor

1. I have a dynamic user group (Microsoft365)  (CRM users)   --- originating from random AD OUs or departments. where group name should be  "CRM users.

2.  I have CRM application  name "CRM"

3. I want to populate the Dynamic group with all staff using this "CRM"


the first step i have done; 

- I  created a rule  based on department (user.department -contains "Medical") and (user.accountEnabled -eq True) this works, but only for that department

- Now I want to assign users this application, then add them to dynamic group.

So that all users of CRM, automatically belong to "CRM users group".

___>>> (user.objectId -ne NULL) and (user.accountEnabled -eq True) and (applications.applicationId -eq "38bb468d-88ef-46d4-ad2d-8d57c1903964")  ,,,, this is not working.



4 Replies

your assistance will be highly appreciated on this. 

Never seen the application attribute being used, are you sure it's supported? Afaik only the attributes listed in this article are supported: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

@Vasil Michev how can I construct rule that can allow application users to be members of the same group.   For example; accounting users, sales users, marketing users, IT users (not everyone in these departments use the app but some of them use the app), I want to create for them a dynamic group.

any guide?

It's not natively possible. You could write a script which does this through the graph api