How to Create Dynamic Membership Rules for Groups in Azure Active Directory

You can create attribute-based rules to enable dynamic membership for a group in Azure Active Directory (Azure AD), part of Microsoft Entra. Dynamic group membership adds and removes group members automatically using membership rules based on member attributes. This article details the properties and syntax to create dynamic membership rules for users or devices. You can set up a rule for dynamic membership on security groups or Microsoft 365 groups.

When the attributes of a user or a device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they’re added as a member of that group. If they no longer satisfy the rule, they’re removed. You can’t manually add or remove a member of a dynamic group.

  • You can create a dynamic group for devices or for users, but you can’t create a rule that contains both users and devices.
  • You can’t create a device group based on the user attributes of the device owner. Device membership rules can reference only device attributes.

 Note

This feature requires an Azure AD Premium P1 license or Intune for Education for each unique user that is a member of one or more dynamic groups. You don’t have to assign licenses to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the Azure AD organization to cover all such users. For example, if you had a total of 1,000 unique users in all dynamic groups in your organization, you would need at least 1,000 licenses for Azure AD Premium P1 to meet the license requirement. No license is required for devices that are members of a dynamic device group.

Rule builder in the Azure portal

Azure AD provides a rule builder to create and update your important rules more quickly. The rule builder supports the construction of up to five expressions. The rule builder makes it easier to form a rule with a few simple expressions, however, it can’t be used to reproduce every rule. If the rule builder doesn’t support the rule you want to create, you can use the text box.

Here are some examples of advanced rules or syntax for which we recommend that you construct using the text box:

 Note

The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule builder is not able to display the rule. The rule builder doesn’t change the supported syntax, validation, or processing of dynamic group rules in any way.

For more step-by-step instructions, see Create or update a dynamic group.

Add membership rule for a dynamic group

Rule syntax for a single expression

A single expression is the simplest form of a membership rule and only has the three parts mentioned above. A rule with a single expression looks similar to this example: Property Operator Value, where the syntax for the property is the name of object.property.

The following example illustrates a properly constructed membership rule with a single expression:Copy

user.department -eq "Sales"

Parentheses are optional for a single expression. The total length of the body of your membership rule can’t exceed 3072 characters.

Constructing the body of a membership rule

A membership rule that automatically populates a group with users or devices is a binary expression that results in a true or false outcome. The three parts of a simple rule are:

  • Property
  • Operator
  • Value

The order of the parts within an expression is important to avoid syntax errors.

Supported properties

There are three types of properties that can be used to construct a membership rule.

  • Boolean
  • String
  • String collection

The following are the user properties that you can use to create a single expression.

Properties of type boolean

PropertiesAllowed valuesUsage
accountEnabledtrue falseuser.accountEnabled -eq true
dirSyncEnabledtrue falseuser.dirSyncEnabled -eq true

Properties of type string

PropertiesAllowed valuesUsage
cityAny string value or nulluser.city -eq “value”
countryAny string value or nulluser.country -eq “value”
companyNameAny string value or nulluser.companyName -eq “value”
departmentAny string value or nulluser.department -eq “value”
displayNameAny string valueuser.displayName -eq “value”
employeeIdAny string valueuser.employeeId -eq “value”
user.employeeId -ne null
facsimileTelephoneNumberAny string value or nulluser.facsimileTelephoneNumber -eq “value”
givenNameAny string value or nulluser.givenName -eq “value”
jobTitleAny string value or nulluser.jobTitle -eq “value”
mailAny string value or null (SMTP address of the user)user.mail -eq “value”
mailNickNameAny string value (mail alias of the user)user.mailNickName -eq “value”
memberOfAny string value (valid group object ID)user.memberof -any (group.objectId -in [‘value’])
mobileAny string value or nulluser.mobile -eq “value”
objectIdGUID of the user objectuser.objectId -eq “11111111-1111-1111-1111-111111111111”
onPremisesDistinguishedName (preview)Any string value or nulluser.onPremisesDistinguishedName -eq “value”
onPremisesSecurityIdentifierOn-premises security identifier (SID) for users who were synchronized from on-premises to the cloud.user.onPremisesSecurityIdentifier -eq “S-1-1-11-1111111111-1111111111-1111111111-1111111”
passwordPoliciesNone
DisableStrongPassword
DisablePasswordExpiration
DisablePasswordExpiration, DisableStrongPassword
user.passwordPolicies -eq “DisableStrongPassword”
physicalDeliveryOfficeNameAny string value or nulluser.physicalDeliveryOfficeName -eq “value”
postalCodeAny string value or nulluser.postalCode -eq “value”
preferredLanguageISO 639-1 codeuser.preferredLanguage -eq “en-US”
sipProxyAddressAny string value or nulluser.sipProxyAddress -eq “value”
stateAny string value or nulluser.state -eq “value”
streetAddressAny string value or nulluser.streetAddress -eq “value”
surnameAny string value or nulluser.surname -eq “value”
telephoneNumberAny string value or nulluser.telephoneNumber -eq “value”
usageLocationTwo letter country or region codeuser.usageLocation -eq “US”
userPrincipalNameAny string valueuser.userPrincipalName -eq “[email protected]
userTypemember guest nulluser.userType -eq “Member”

Properties of type string collection

PropertiesAllowed valuesExample
otherMailsAny string valueuser.otherMails -contains “[email protected]
proxyAddressesSMTP: [email protected] smtp: [email protected]user.proxyAddresses -contains “SMTP: [email protected]

For the properties used for device rules, see Rules for devices.

Supported expression operators

The following table lists all the supported operators and their syntax for a single expression. Operators can be used with or without the hyphen (-) prefix. The Contains operator does partial string matches but not item in a collection matches.

OperatorSyntax
Not Equals-ne
Equals-eq
Not Starts With-notStartsWith
Starts With-startsWith
Not Contains-notContains
Contains-contains
Not Match-notMatch
Match-match
In-in
Not In-notIn

Using the -in and -notIn operators

If you want to compare the value of a user attribute against multiple values, you can use the -in or -notIn operators. Use the bracket symbols “[” and “]” to begin and end the list of values.

In the following example, the expression evaluates to true if the value of user.department equals any of the values in the list:Copy

   user.department -in ["50001","50002","50003","50005","50006","50007","50008","50016","50020","50024","50038","50039","51100"]

Using the -match operator

The -match operator is used for matching any regular expression. Examples:Copy

user.displayName -match "Da.*"   

DaDavDavid evaluate to true, aDa evaluates to false.Copy

user.displayName -match ".*vid"

David evaluates to true, Da evaluates to false.

Supported values

The values used in an expression can consist of several types, including:

  • Strings
  • Boolean – true, false
  • Numbers
  • Arrays – number array, string array

When specifying a value within an expression, it’s important to use the correct syntax to avoid errors. Some syntax tips are:

  • Double quotes are optional unless the value is a string.
  • String and regex operations aren’t case sensitive.
  • When a string value contains double quotes, both quotes should be escaped using the ` character, for example, user.department -eq `”Sales`” is the proper syntax when “Sales” is the value. Single quotes should be escaped by using two single quotes instead of one each time.
  • You can also perform Null checks, using null as a value, for example, user.department -eq null.

Use of Null values

To specify a null value in a rule, you can use the null value.

  • Use -eq or -ne when comparing the null value in an expression.
  • Use quotes around the word null only if you want it to be interpreted as a literal string value.
  • The -not operator can’t be used as a comparative operator for null. If you use it, you get an error whether you use null or $null.

The correct way to reference the null value is as follows:Copy

   user.mail –ne null

Rules with multiple expressions

A group membership rule can consist of more than one single expression connected by the -and, -or, and -not logical operators. Logical operators can also be used in combination.

The following are examples of properly constructed membership rules with multiple expressions:Copy

(user.department -eq "Sales") -or (user.department -eq "Marketing")
(user.department -eq "Sales") -and -not (user.jobTitle -contains "SDE")

Operator precedence

All operators are listed below in order of precedence from highest to lowest. Operators on same line are of equal precedence:Copy

-eq -ne -startsWith -notStartsWith -contains -notContains -match –notMatch -in -notIn
-not
-and
-or
-any -all

The following example illustrates operator precedence where two expressions are being evaluated for the user:Copy

   user.department –eq "Marketing" –and user.country –eq "US"

Parentheses are needed only when precedence doesn’t meet your requirements. For example, if you want department to be evaluated first, the following shows how parentheses can be used to determine order:Copy

   user.country –eq "US" –and (user.department –eq "Marketing" –or user.department –eq "Sales")

Rules with complex expressions

A membership rule can consist of complex expressions where the properties, operators, and values take on more complex forms. Expressions are considered complex when any of the following are true:

  • The property consists of a collection of values; specifically, multi-valued properties
  • The expressions use the -any and -all operators
  • The value of the expression can itself be one or more expressions

Multi-value properties

Multi-value properties are collections of objects of the same type. They can be used to create membership rules using the -any and -all logical operators.

PropertiesValuesUsage
assignedPlansEach object in the collection exposes the following string properties: capabilityStatus, service, servicePlanIduser.assignedPlans -any (assignedPlan.servicePlanId -eq “efb87545-963c-4e0d-99df-69c6916d9eb0” -and assignedPlan.capabilityStatus -eq “Enabled”)
proxyAddressesSMTP: [email protected] smtp: [email protected](user.proxyAddresses -any (_ -contains “contoso”))

Using the -any and -all operators

You can use -any and -all operators to apply a condition to one or all of the items in the collection, respectively.

  • -any (satisfied when at least one item in the collection matches the condition)
  • -all (satisfied when all items in the collection match the condition)

Example 1

assignedPlans is a multi-value property that lists all service plans assigned to the user. The following expression selects users who have the Exchange Online (Plan 2) service plan (as a GUID value) that is also in Enabled state:Copy

user.assignedPlans -any (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled")

A rule such as this one can be used to group all users for whom a Microsoft 365 or other Microsoft Online Service capability is enabled. You could then apply with a set of policies to the group.

Example 2

The following expression selects all users who have any service plan that is associated with the Intune service (identified by service name “SCO”):Copy

user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled")

Example 3

The following expression selects all users who have no assigned service plan:Copy

user.assignedPlans -all (assignedPlan.servicePlanId -eq "")

Using the underscore (_) syntax

The underscore (_) syntax matches occurrences of a specific value in one of the multivalued string collection properties to add users or devices to a dynamic group. It’s used with the -any or -all operators.

Here’s an example of using the underscore (_) in a rule to add members based on user.proxyAddress (it works the same for user.otherMails). This rule adds any user with proxy address that contains “contoso” to the group.Copy

(user.proxyAddresses -any (_ -contains "contoso"))

Other properties and common rules

Create a “Direct reports” rule

You can create a group containing all direct reports of a manager. When the manager’s direct reports change in the future, the group’s membership is adjusted automatically.

The direct reports rule is constructed using the following syntax:Copy

Direct Reports for "{objectID_of_manager}"

Here’s an example of a valid rule, where “62e19b97-8b3d-4d4a-a106-4ce66896a863” is the objectID of the manager:Copy

Direct Reports for "62e19b97-8b3d-4d4a-a106-4ce66896a863"

The following tips can help you use the rule properly.

  • The Manager ID is the object ID of the manager. It can be found in the manager’s Profile.
  • For the rule to work, make sure the Manager property is set correctly for users in your organization. You can check the current value in the user’s Profile.
  • This rule supports only the manager’s direct reports. In other words, you can’t create a group with the manager’s direct reports and their reports.
  • This rule can’t be combined with any other membership rules.

Create an “All users” rule

You can create a group containing all users within an organization using a membership rule. When users are added or removed from the organization in the future, the group’s membership is adjusted automatically.

The “All users” rule is constructed using single expression using the -ne operator and the null value. This rule adds B2B guest users and member users to the group.Copy

user.objectId -ne null

If you want your group to exclude guest users and include only members of your organization, you can use the following syntax:Copy

(user.objectId -ne null) -and (user.userType -eq "Member")

Create an “All devices” rule

You can create a group containing all devices within an organization using a membership rule. When devices are added or removed from the organization in the future, the group’s membership is adjusted automatically.

The “All Devices” rule is constructed using single expression using the -ne operator and the null value:Copy

device.objectId -ne null

Extension properties and custom extension properties

Extension attributes and custom extension properties are supported as string properties in dynamic membership rules. Extension attributes can be synced from on-premises Window Server Active Directory or updated using Microsoft Graph and take the format of “ExtensionAttributeX”, where X equals 1 – 15. Multi-value extension properties are not supported in dynamic membership rules. Here’s an example of a rule that uses an extension attribute as a property:Copy

(user.extensionAttribute15 -eq "Marketing")

Custom extension properties can be synced from on-premises Windows Server Active Directory, from a connected SaaS application, or created using Microsoft Graph, and are of the format of user.extension_[GUID]_[Attribute], where:

  • [GUID] is the stripped version of the unique identifier in Azure AD for the application that created the property. It contains only characters 0-9 and A-Z
  • [Attribute] is the name of the property as it was created

An example of a rule that uses a custom extension property is:Copy

user.extension_c272a57b722d4eb29bfe327874ae79cb_OfficeNumber -eq "123"

Custom extension properties are also called directory or Azure AD extension properties.

The custom property name can be found in the directory by querying a user’s property using Graph Explorer and searching for the property name. Also, you can now select Get custom extension properties link in the dynamic user group rule builder to enter a unique app ID and receive the full list of custom extension properties to use when creating a dynamic membership rule. This list can also be refreshed to get any new custom extension properties for that app. Extension attributes and custom extension properties must be from applications in your tenant.

For more information, see Use the attributes in dynamic groups in the article Azure AD Connect sync: Directory extensions.

Rules for devices

You can also create a rule that selects device objects for membership in a group. You can’t have both users and devices as group members.

 Note

The organizationalUnit attribute is no longer listed and should not be used. This string is set by Intune in specific cases but is not recognized by Azure AD, so no devices are added to groups based on this attribute.

 Note

systemlabels is a read-only attribute that cannot be set with Intune.

For Windows 10, the correct format of the deviceOSVersion attribute is as follows: (device.deviceOSVersion -startsWith “10.0.1”). The formatting can be validated with the Get-MsolDevice PowerShell cmdlet.

The following device attributes can be used.

Device attributeValuesExample
accountEnabledtrue falsedevice.accountEnabled -eq true
deviceCategorya valid device category namedevice.deviceCategory -eq “BYOD”
deviceIda valid Azure AD device IDdevice.deviceId -eq “d4fe7726-5966-431c-b3b8-cddc8fdb717d”
deviceManagementAppIda valid MDM application ID in Azure ADdevice.deviceManagementAppId -eq “0000000a-0000-0000-c000-000000000000” for Microsoft Intune managed or “54b943f8-d761-4f8d-951e-9cea1846db5a” for System Center Configuration Manager Co-managed devices
deviceManufacturerany string valuedevice.deviceManufacturer -eq “Samsung”
deviceModelany string valuedevice.deviceModel -eq “iPad Air”
displayNameany string valuedevice.displayName -eq “Rob iPhone”
deviceOSTypeany string value(device.deviceOSType -eq “iPad”) -or (device.deviceOSType -eq “iPhone”)
device.deviceOSType -contains “AndroidEnterprise”
device.deviceOSType -eq “AndroidForWork”
device.deviceOSType -eq “Windows”
deviceOSVersionany string valuedevice.deviceOSVersion -eq “9.1”
device.deviceOSVersion -startsWith “10.0.1”
deviceOwnershipPersonal, Company, Unknowndevice.deviceOwnership -eq “Company”
devicePhysicalIdsany string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderIDdevice.devicePhysicalIDs -any _ -contains “[ZTDId]”
(device.devicePhysicalIds -any _ -eq “[OrderID]:179887111881”
(device.devicePhysicalIds -any _ -eq “[PurchaseOrderId]:76222342342”
deviceTrustTypeAzureAD, ServerAD, Workplacedevice.deviceOwnership -eq “AzureAD”
enrollmentProfileNameApple Device Enrollment Profile name, Android Enterprise Corporate-owned dedicated device Enrollment Profile name, or Windows Autopilot profile namedevice.enrollmentProfileName -eq “DEP iPhones”
extensionAttribute1any string valuedevice.extensionAttribute1 -eq “some string value”
extensionAttribute2any string valuedevice.extensionAttribute2 -eq “some string value”
extensionAttribute3any string valuedevice.extensionAttribute3 -eq “some string value”
extensionAttribute4any string valuedevice.extensionAttribute4 -eq “some string value”
extensionAttribute5any string valuedevice.extensionAttribute5 -eq “some string value”
extensionAttribute6any string valuedevice.extensionAttribute6 -eq “some string value”
extensionAttribute7any string valuedevice.extensionAttribute7 -eq “some string value”
extensionAttribute8any string valuedevice.extensionAttribute8 -eq “some string value”
extensionAttribute9any string valuedevice.extensionAttribute9 -eq “some string value”
extensionAttribute10any string valuedevice.extensionAttribute10 -eq “some string value”
extensionAttribute11any string valuedevice.extensionAttribute11 -eq “some string value”
extensionAttribute12any string valuedevice.extensionAttribute12 -eq “some string value”
extensionAttribute13any string valuedevice.extensionAttribute13 -eq “some string value”
extensionAttribute14any string valuedevice.extensionAttribute14 -eq “some string value”
extensionAttribute15any string valuedevice.extensionAttribute15 -eq “some string value”
isRootedtrue falsedevice.isRooted -eq true
managementTypeMDM (for mobile devices)device.managementType -eq “MDM”
memberOfAny string value (valid group object ID)device.memberof -any (group.objectId -in [‘value’])
objectIda valid Azure AD object IDdevice.objectId -eq “76ad43c9-32c5-45e8-a272-7b58b58f596d”
profileTypea valid profile type in Azure ADdevice.profileType -eq “RegisteredDevice”
systemLabelsany string matching the Intune device property for tagging Modern Workplace devicesdevice.systemLabels -contains “M365Managed”

 Note

When using deviceOwnership to create Dynamic Groups for devices, you need to set the value equal to “Company.” On Intune the device ownership is represented instead as Corporate. For more information, see OwnerTypes for more details. When using deviceTrustType to create Dynamic Groups for devices, you need to set the value equal to “AzureAD” to represent Azure AD joined devices, “ServerAD” to represent Hybrid Azure AD joined devices or “Workplace” to represent Azure AD registered devices. When using extensionAttribute1-15 to create Dynamic Groups for devices you need to set the value for extensionAttribute1-15 on the device. Learn more on how to write extensionAttributes on an Azure AD device object

Ref: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#rules-for-devices