Rule Syntax for Azure user.memberof


I'm trying to create a dynamic group with a dynamic membership rule that adds users who are not part of another group.

Based on the documentation, user.memberof -any (group.objectId -in ['my-group-id']) works, but I'm trying to modify it. I have tried -not (user.memberof -any (group.objectId -in ['my-group-id'])), but that gives "invalid property"; likewise, if I modify it to (group.objectId -not ['my-group-id']), it gives "invalid operand".

Answer by Sridevi (accepted)

As mentioned in this MS document, there is a limitation:

The memberOf attribute can't be used with other operators. For example, you can't create a rule that states “Members Of group A can't be in Dynamic group B.”

I have one group created with the dynamic query user.department -eq "IT", which has a few users as members.

Now I created a new dynamic group containing the same members as the above group, with this dynamic query:

user.memberof -any (group.objectId -in ['above-group-id'])


When I tried to modify the dynamic query to exclude the members present in another group, I got the same errors with both of these:

-not (user.memberof -any (group.objectId -in ['my-group-id']))


user.memberof -any (group.objectId -not ['my-group-id'])


So it is not possible to exclude the members of a specific group when creating a dynamic group with the memberOf attribute.

Alternatively, you can filter users based on their own properties, such as department, companyName, jobTitle, city, country, etc.

When I modified the dynamic query to user.department -ne "IT", based on a user property, it worked.

To confirm this, I checked the group members, and the users from DemoGrp01 were excluded successfully.

Reference: Exclude user from a dynamic group based on group membership - Microsoft Q&A by Aaron Gill
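As an added example, not part of the question or the answer above: the same three rules built with the Microsoft Graph PowerShell SDK, so the rejected memberOf negation and the working department-based alternative can be reproduced from a shell, followed by a check that the two resulting groups do not overlap. It assumes the Microsoft.Graph modules are installed, the caller holds Group.ReadWrite.All, and the group display names and mail nicknames are placeholders you would change.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph modules
# and Group.ReadWrite.All; display names and mail nicknames are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Source group: the department-based rule used in the answer.
$itGroup = New-MgGroup -DisplayName "DemoGrp01" -MailEnabled:$false -MailNickname "demogrp01" `
    -SecurityEnabled -GroupTypes @("DynamicMembership") `
    -MembershipRule 'user.department -eq "IT"' -MembershipRuleProcessingState "On"

# The rule the question asked for. memberOf cannot be combined with other
# operators, so the service rejects the rule and New-MgGroup throws; surface
# the error rather than continuing as if the group existed.
try {
    New-MgGroup -DisplayName "NotIT-memberOf" -MailEnabled:$false -MailNickname "notitmemberof" `
        -SecurityEnabled -GroupTypes @("DynamicMembership") `
        -MembershipRule "-not (user.memberof -any (group.objectId -in ['$($itGroup.Id)']))" `
        -MembershipRuleProcessingState "On" -ErrorAction Stop
} catch {
    Write-Warning "memberOf rule rejected: $($_.Exception.Message)"
}

# Working alternative from the answer: negate the user attribute instead.
# Users with no department value are also "not IT" and can land here, so
# review the membership before granting this group any access.
$notItGroup = New-MgGroup -DisplayName "NotIT-department" -MailEnabled:$false -MailNickname "notitdepartment" `
    -SecurityEnabled -GroupTypes @("DynamicMembership") `
    -MembershipRule 'user.department -ne "IT"' -MembershipRuleProcessingState "On"

# Dynamic membership is evaluated asynchronously; give it time, then verify
# that no member of the IT group appears in the "not IT" group.
Start-Sleep -Seconds 120
$itIds    = @((Get-MgGroupMember -GroupId $itGroup.Id -All).Id)
$notItIds = @((Get-MgGroupMember -GroupId $notItGroup.Id -All).Id)
$overlap  = $itIds | Where-Object { $notItIds -contains $_ }

if ($overlap) {
    Write-Warning "IT members present in the not-IT group: $($overlap -join ', ')"
} else {
    Write-Output "No IT members in the not-IT group ($($notItIds.Count) members)"
}
```

The overlap check is the part worth keeping around: the attribute-based rule only approximates "not in group A" for as long as the department attribute is the sole thing driving group A, so re-run the comparison whenever either rule changes.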