Dynamic Security Groups based on the onpremisesDistinguishedName attribute

Iron Contributor

Hi to the community

Got an interesting question. I see that you can create dynamic security groups based on a large number of attributes including onpremisessecurityidentifier, I can see some use cases for that one :)

however it doesn't appear to be possible to create  dynamic group based on the onpremisesdistinguishedname :( Is this possible?


I did some reading about being able to consume custom attributes based on applicationID. Would this be a possible approach to investigate. If so does the AADConnect system even register an AppID and how would I go about locating it?

Thanks for any advice or pointers


4 Replies

The attribute itself is synced/exposed as "onPremisesDistinguishedName", however leveraging that for Dynamic group rules is not possible afaik.

Hi Vasil
I had this confirmed by another source.... It's annoying because that ability would have eased a particular issue in where the accuracy of data in AD is questionable but the org has dept/division based OU structure..
Hello Vasil,

I just wanted to clarify if the “onPremisesDistinguishedName” attribute is exposed for groups that are synced from on-premises to Azure AD?

Thanks in advance!