If your tenant has at least an Azure AD Premium P1 license, you have access to a powerful feature: dynamic group membership. Microsoft documents the rule syntax in detail at https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
So in this post I would rather focus on some formatting tips:
- When designing a rule, write it in Windows PowerShell ISE or any code editor rather than in the portal text box; a monospace font and bracket matching make spacing and parentheses much easier to check
- Use CRLF (carriage return line feed) to separate the blocks of your dynamic rule; in my experience AAD interprets those line breaks as spaces without any issues
- If you keep the formatting tidy (rather than one blob of text), the Graph API preserves that formatting when you pull the rule for reports
- Prefer -in / -notIn with arrays over chains of -eq / -ne; adding a value to an array is easier and less error-prone than adding another clause. Remember that array values are matched as whole strings, so a stray space inside the quotes silently breaks the match
- If you need a top-level OR (for example an explicit-include list), put it at the very end of the rule and wrap everything before it in parentheses, so the grouping does not depend on operator precedence
The rule below defines an "IT Team East Coast" group. Each block sits on its own line, and the whole AND chain is parenthesised so the trailing OR is unambiguously a top-level include:
(
  (
    (user.jobTitle -in ["Senior IT Director","VP of IT"]) OR
    (user.jobTitle -contains "System Administrator")
  ) AND
  (user.jobTitle -notIn ["ADP System Administrator"]) AND
  (user.state -in ["Georgia","New York","Florida"]) AND
  (user.userType -eq "Member") AND
  (user.assignedPlans -any (assignedPlan.capabilityStatus -eq "Enabled")) AND
  (user.employeeId -ne null) AND
  (user.userPrincipalName -notContains "archive") AND
  (
    (user.accountEnabled -eq true) OR
    ((user.accountEnabled -eq false) AND (user.displayName -contains "(On Leave)"))
  ) AND
  (user.userPrincipalName -notIn ["john.smith@contoso.com"])
) OR
(user.userPrincipalName -in ["david.brown@contoso.com","lisa.white@contoso.com"])
Let’s break down each block:
- include all members whose job title contains the words "System Administrator", plus the exact titles "Senior IT Director" and "VP of IT"
- exclude those with “ADP System Administrator” job titles
- include those in Georgia, New York, and Florida states
- exclude Guest accounts
- include only licensed accounts
- include only those members that have an employee ID (typically excludes contractors)
- exclude archived accounts (if that is how you archive accounts, by adding ".archive" to their UPN; note that -notContains matches anywhere in the UPN, so any UPN containing the substring "archive" is excluded)
- include enabled accounts and those who are on leave (their accounts are temporarily disabled)
- explicitly exclude “John Smith”
- explicitly include "David Brown" and "Lisa White". A top-level include like this overrides every other condition, including the guest, licence and accountEnabled checks, so make sure the preceding AND chain is wrapped in parentheses so the rule really is grouped that way, and review such hard-coded exceptions regularly.
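To put the tips above into practice, here is an added example (my own, not taken from Microsoft's documentation) that builds the rule with one block per line, lints it for whitespace inside quoted values, evaluates it against a test user before anything is created, and then creates the group and reads the rule back. It assumes the Microsoft.Graph PowerShell SDK is installed and that you can consent to Group.ReadWrite.All and User.Read.All; the user UPN, group name and mail nickname are placeholders, and the evaluateDynamicMembership call uses the beta Graph endpoint.

```powershell
# Added example (not from the original post): build, lint, test and deploy the
# "IT Team East Coast" rule. Assumes the Microsoft.Graph PowerShell SDK and an
# account that can consent to Group.ReadWrite.All and User.Read.All.
# david.brown@contoso.com, "IT Team East Coast" and "it-team-east-coast" are placeholders.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All" -NoWelcome

# One block per line keeps the rule readable; the post's experience is that the
# service treats the line breaks as whitespace. Explicit parentheses around the
# AND chain make the final OR an unambiguous top-level include.
$rule = @"
(
  ((user.jobTitle -in ["Senior IT Director","VP of IT"]) OR (user.jobTitle -contains "System Administrator")) AND
  (user.jobTitle -notIn ["ADP System Administrator"]) AND
  (user.state -in ["Georgia","New York","Florida"]) AND
  (user.userType -eq "Member") AND
  (user.assignedPlans -any (assignedPlan.capabilityStatus -eq "Enabled")) AND
  (user.employeeId -ne null) AND
  (user.userPrincipalName -notContains "archive") AND
  ((user.accountEnabled -eq true) OR ((user.accountEnabled -eq false) AND (user.displayName -contains "(On Leave)"))) AND
  (user.userPrincipalName -notIn ["john.smith@contoso.com"])
) OR
(user.userPrincipalName -in ["david.brown@contoso.com","lisa.white@contoso.com"])
"@

# Lint: -in / -eq compare whole strings, so a value such as "lisa.white@contoso.com "
# (trailing space) would never match. Catch that before the rule is saved.
$sloppy = [regex]::Matches($rule, '"([^"]*)"') |
    Where-Object { $_.Groups[1].Value -ne $_.Groups[1].Value.Trim() } |
    ForEach-Object { $_.Groups[1].Value }
if ($sloppy) {
    throw "Quoted values with leading/trailing whitespace: $($sloppy -join ', ')"
}
# The service rejects rule bodies longer than 3072 characters.
if ($rule.Length -gt 3072) { throw "Rule exceeds the 3072-character limit" }

# Dry run: evaluate the rule against a known user before creating anything.
# evaluateDynamicMembership is a beta Graph action that takes a user id and rule text.
$testUser = Get-MgUser -UserId "david.brown@contoso.com" -Property Id,UserPrincipalName
$eval = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/groups/evaluateDynamicMembership" `
    -Body @{ memberId = $testUser.Id; membershipRule = $rule }
"{0} matches rule: {1}" -f $testUser.UserPrincipalName, $eval.membershipRuleEvaluationResult
$eval.membershipRuleEvaluationDetails | ConvertTo-Json -Depth 5   # per-clause results

# Create the security group with dynamic processing turned on.
$group = New-MgGroup -DisplayName "IT Team East Coast" `
    -MailEnabled:$false -MailNickname "it-team-east-coast" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Read it back: Graph returns the rule with the line breaks intact, which is
# what keeps it legible when you pull rules for reports.
(Get-MgGroup -GroupId $group.Id -Property MembershipRule).MembershipRule
```

Run the evaluation step for a user who should match, one who should not (a guest or a disabled account), and one of the explicit includes; if the include is reported as a member while disabled, that confirms the OR is at the top level and that the hard-coded list needs a regular review.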