# Bulk download a list of groups in Azure Active Directory
20
20
21
-
Using Azure Active Directory (Azure AD) portal, you can bulk download the list of all the groups in your organization to a comma-separated values (CSV) file. All admins and non-admin users can download group lists.
21
+
You can download a list of all the groups in your organization to a comma-separated values (CSV) file in the portal for Azure Active Directory (Azure AD), part of Microsoft Entra. All admins and non-admin users can download group lists.
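Review bot: the rewritten + line stacks two prepositional phrases ("to a comma-separated values (CSV) file in the portal for Azure Active Directory (Azure AD), part of Microsoft Entra"), so it is unclear whether "in the portal" attaches to "download" or to "file". Suggest: "In the Azure Active Directory (Azure AD) portal, part of Microsoft Entra, you can download a list of all the groups in your organization to a comma-separated values (CSV) file." The unchanged second sentence (non-admin users can also download group lists) is the audience-relevant fact and should stay as-is.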
# Bulk add group members in Azure Active Directory
19
19
20
-
Using Azure Active Directory (Azure AD) portal, you can add a large number of members to a group by using a comma-separated values (CSV) file to bulk import group members.
20
+
You can add multiple members to a group by using a comma-separated values (CSV) file to bulk import group members in the portal for Azure Active Directory (Azure AD), part of Microsoft Entra.
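Review bot: the + line changes "a large number of members" to "multiple members", which weakens the statement and is inconsistent with the "Bulk remove" article in this same commit, which keeps "a large number of members". Suggest keeping "a large number of members" here as well, since CSV bulk import is the documented path for large member sets.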
# Bulk remove group members in Azure Active Directory
19
19
20
-
Using Azure Active Directory (Azure AD) portal, you can remove a large number of members from a group by using a comma-separated values (CSV) file to bulk remove group members.
20
+
You can remove a large number of members from a group by using a comma-separated values (CSV) file to remove group members in bulk using the portal for Azure Active Directory (Azure AD), part of Microsoft Entra.
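Review bot: the + line now contains two "using" clauses in one sentence ("by using a comma-separated values (CSV) file to remove group members in bulk using the portal"). Suggest: "In the portal for Azure Active Directory (Azure AD), part of Microsoft Entra, you can remove a large number of members from a group by using a comma-separated values (CSV) file."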
# Change static group membership to dynamic in Azure Active Directory
20
20
21
-
You can change a group's membership from static to dynamic (or vice-versa) In Azure Active Directory (Azure AD). Azure AD keeps the same group name and ID in the system, so all existing references to the group are still valid. If you create a new group instead, you would need to update those references. Dynamic group membership eliminates management overhead adding and removing users. This article tells you how to convert existing groups from static to dynamic membership using either Azure AD Admin center or PowerShell cmdlets.
21
+
You can change a group's membership from static to dynamic (or vice-versa) In Azure Active Directory (Azure AD), part of Microsoft Entra. Azure AD keeps the same group name and ID in the system, so all existing references to the group are still valid. If you create a new group instead, you would need to update those references. Dynamic group membership eliminates management overhead adding and removing users. This article tells you how to convert existing groups from static to dynamic membership using either Azure AD Admin center or PowerShell cmdlets.
22
22
23
23
> [!WARNING]
24
24
> When changing an existing static group to a dynamic group, all existing members are removed from the group, and then the membership rule is processed to add new members. If the group is used to control access to apps or resources, be aware that the original members might lose access until the membership rule is fully processed.
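Review bot: the + line keeps the mid-sentence capital "In" from the original ("(or vice-versa) In Azure Active Directory"); lowercase it. The same line has "management overhead adding and removing users", which needs "of" ("overhead of adding and removing users"). Both are in the text being rewritten, so this hunk is the place to fix them. The unchanged warning below (existing members are removed and may lose access until the rule is processed) is the part that matters for anyone using the group for access control; worth having the intro sentence point to it, e.g. "See the warning below before converting a group that controls access."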
# Create or update a dynamic group in Azure Active Directory
21
21
22
-
In Azure Active Directory (Azure AD), you can use rules to determine group membership based on user or device properties. This article tells how to set up a rule for a dynamic group in the Azure portal. Dynamic membership is supported for security groups and Microsoft 365 Groups. When a group membership rule is applied, user and device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or device, all dynamic group rules in the organization are processed for membership changes. Users and devices are added or removed if they meet the conditions for a group. Security groups can be used for either devices or users, but Microsoft 365 Groups can be only user groups. Using Dynamic groups requires Azure AD premium P1 license or Intune for Education license. See [Dynamic membership rules for groups](./groups-dynamic-membership.md) for more details.
22
+
You can use rules to determine group membership based on user or device properties In Azure Active Directory (Azure AD), part of Microsoft Entra. This article tells how to set up a rule for a dynamic group in the Azure portal. Dynamic membership is supported for security groups and Microsoft 365 Groups. When a group membership rule is applied, user and device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or device, all dynamic group rules in the organization are processed for membership changes. Users and devices are added or removed if they meet the conditions for a group. Security groups can be used for either devices or users, but Microsoft 365 Groups can be only user groups. Using Dynamic groups requires Azure AD premium P1 license or Intune for Education license. See [Dynamic membership rules for groups](./groups-dynamic-membership.md) for more details.
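Review bot: same mid-sentence capital "In" on the + line ("based on user or device properties In Azure Active Directory"); lowercase it. While this line is being touched, "Azure AD premium P1 license" should use the product name "Azure AD Premium P1 license".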
# Dynamic membership rules for groups in Azure Active Directory
20
20
21
-
In Azure Active Directory (Azure AD), you can create attribute-based rules to enable dynamic membership for a group. Dynamic group membership adds and removes group members automatically using membership rules based on member attributes. This article details the properties and syntax to create dynamic membership rules for users or devices. You can set up a rule for dynamic membership on security groups or Microsoft 365 groups.
21
+
You can create attribute-based rules to enable dynamic membership for a group in Azure Active Directory (Azure AD), part of Microsoft Entra. Dynamic group membership adds and removes group members automatically using membership rules based on member attributes. This article details the properties and syntax to create dynamic membership rules for users or devices. You can set up a rule for dynamic membership on security groups or Microsoft 365 groups.
22
22
23
-
When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or remove a member of a dynamic group.
23
+
When the attributes of a user or a device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they're added as a member of that group. If they no longer satisfy the rule, they're removed. You can't manually add or remove a member of a dynamic group.
24
24
25
25
- You can create a dynamic group for devices or for users, but you can't create a rule that contains both users and devices.
26
26
- You can't create a device group based on the user attributes of the device owner. Device membership rules can reference only device attributes.
@@ -38,7 +38,7 @@ Here are some examples of advanced rules or syntax for which we recommend that y
-[Rules with complex expressions](#rules-with-complex-expressions); for example `(user.proxyAddresses -any (_ -contains "contoso"))`
41
+
-[Rules with complex expressions](#rules-with-complex-expressions); for example,`(user.proxyAddresses -any (_ -contains "contoso"))`
42
42
43
43
> [!NOTE]
44
44
> The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing of dynamic group rules in any way.
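Review bot: the + line introduces a missing space after the comma: "for example,`(user.proxyAddresses ...". Should read "for example, `(user.proxyAddresses -any (_ -contains "contoso"))`". Both the - and + versions also lack a space after the leading hyphen ("-[Rules with complex expressions]"), so the line will not render as a list item; add the space while this line is being edited.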
@@ -49,15 +49,15 @@ For more step-by-step instructions, see [Create or update a dynamic group](group
49
49
50
50
### Rule syntax for a single expression
51
51
52
-
A single expression is the simplest form of a membership rule and only has the three parts mentioned above. A rule with a single expression looks similar to this: `Property Operator Value`, where the syntax for the property is the name of object.property.
52
+
A single expression is the simplest form of a membership rule and only has the three parts mentioned above. A rule with a single expression looks similar to this example: `Property Operator Value`, where the syntax for the property is the name of object.property.
53
53
54
-
The following is an example of a properly constructed membership rule with a single expression:
54
+
The following example illustrates a properly constructed membership rule with a single expression:
55
55
56
56
```
57
57
user.department -eq "Sales"
58
58
```
59
59
60
-
Parentheses are optional for a single expression. The total length of the body of your membership rule cannot exceed 3072 characters.
60
+
Parentheses are optional for a single expression. The total length of the body of your membership rule can't exceed 3072 characters.
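Review bot: on the + line, "where the syntax for the property is the name of object.property" would be clearer with the placeholder in code formatting and tied to the example that follows, e.g. "where the property is written as `object.property`, such as `user.department`". The 3072-character limit sentence is fine as rewritten.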
@@ -147,7 +147,7 @@ The following table lists all the supported operators and their syntax for a sin
147
147
148
148
### Using the -in and -notIn operators
149
149
150
-
If you want to compare the value of a user attribute against a number of different values you can use the -in or -notIn operators. Use the bracket symbols "[" and "]" to begin and end the list of values.
150
+
If you want to compare the value of a user attribute against multiple values, you can use the -in or -notIn operators. Use the bracket symbols "[" and "]" to begin and end the list of values.
151
151
152
152
In the following example, the expression evaluates to true if the value of user.department equals any of the values in the list:
153
153
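Review bot: on the + line, the operator names -in and -notIn and the bracket characters "[" and "]" should be in code formatting (`-in`, `-notIn`, `[` and `]`) for consistency with the operator syntax elsewhere in the article, since the sentence is already being rewritten.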
@@ -178,10 +178,10 @@ The values used in an expression can consist of several types, including:
178
178
- Numbers
179
179
- Arrays – number array, string array
180
180
181
-
When specifying a value within an expression it is important to use the correct syntax to avoid errors. Some syntax tips are:
181
+
When specifying a value within an expression, it's important to use the correct syntax to avoid errors. Some syntax tips are:
182
182
183
183
- Double quotes are optional unless the value is a string.
184
-
- String and regex operations are not case sensitive.
184
+
- String and regex operations aren't case sensitive.
185
185
- When a string value contains double quotes, both quotes should be escaped using the \` character, for example, user.department -eq \`"Sales\`" is the proper syntax when "Sales" is the value. Single quotes should be escaped by using two single quotes instead of one each time.
186
186
- You can also perform Null checks, using null as a value, for example, `user.department -eq null`.
187
187
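Review bot: the unchanged escaping bullet in this hunk's context ("both quotes should be escaped using the \` character, for example, user.department -eq \`"Sales\`"") shows the example as plain text, where the escaped backticks are easy to misread or to have mangled by rendering; since the neighbouring bullet is rewritten here, consider moving that example into a fenced block so the backtick escapes render literally. The two-single-quotes escaping rule in the same bullet would benefit from an example of its own for the same reason.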
@@ -222,13 +222,13 @@ All operators are listed below in order of precedence from highest to lowest. Op
222
222
-any -all
223
223
```
224
224
225
-
The following is an example of operator precedence where two expressions are being evaluated for the user:
225
+
The following example illustrates operator precedence where two expressions are being evaluated for the user:
Parentheses are needed only when precedence does not meet your requirements. For example, if you want department to be evaluated first, the following shows how parentheses can be used to determine order:
231
+
Parentheses are needed only when precedence doesn't meet your requirements. For example, if you want department to be evaluated first, the following shows how parentheses can be used to determine order:
The underscore (\_) syntax matches occurrences of a specific value in one of the multivalued string collection properties to add users or devices to a dynamic group. It is used with the -any or -all operators.
289
+
The underscore (\_) syntax matches occurrences of a specific value in one of the multivalued string collection properties to add users or devices to a dynamic group. It's used with the -any or -all operators.
290
290
291
291
Here's an example of using the underscore (\_) in a rule to add members based on user.proxyAddress (it works the same for user.otherMails). This rule adds any user with proxy address that contains "contoso" to the group.
292
292
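Review bot: the unchanged context line "based on user.proxyAddress (it works the same for user.otherMails)" uses the singular property name, while the rule example for complex expressions earlier in this article uses `user.proxyAddresses`. Since the preceding sentence is being rewritten in this hunk, correct it to `user.proxyAddresses` here too and put both property names in code formatting so a reader copying the rule gets the right attribute.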
@@ -306,7 +306,7 @@ The direct reports rule is constructed using the following syntax:
306
306
Direct Reports for "{objectID_of_manager}"
307
307
```
308
308
309
-
Here's an example of a valid rule where "62e19b97-8b3d-4d4a-a106-4ce66896a863" is the objectID of the manager:
309
+
Here's an example of a valid rule, where "62e19b97-8b3d-4d4a-a106-4ce66896a863" is the objectID of the manager:
310
310
311
311
```
312
312
Direct Reports for "62e19b97-8b3d-4d4a-a106-4ce66896a863"
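Review bot: the + line only adds a comma, but "objectID" on that line is spelled inconsistently with the property names used in the rule examples (`user.objectId`, `device.objectId`) and with "{objectID_of_manager}" in the syntax line above. Pick one form (objectId) and use it in the prose and the placeholder.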
@@ -323,7 +323,7 @@ The following tips can help you use the rule properly.
323
323
324
324
You can create a group containing all users within an organization using a membership rule. When users are added or removed from the organization in the future, the group's membership is adjusted automatically.
325
325
326
-
The "All users" rule is constructed using single expression using the -ne operator and the null value. This rule adds B2B guest users as well as member users to the group.
326
+
The "All users" rule is constructed using single expression using the -ne operator and the null value. This rule adds B2B guest users and member users to the group.
327
327
328
328
```
329
329
user.objectId -ne null
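Review bot: both the - and + lines have "constructed using single expression" (missing "a"), and the + line still reads "using ... using". Suggest: "The "All users" rule is a single expression that uses the -ne operator and the null value." The second sentence, that B2B guest users are included alongside members, is the key caveat for anyone assigning access through this group and should stay.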
@@ -415,13 +415,13 @@ The following device attributes can be used.
415
415
managementType | MDM (for mobile devices) | device.managementType -eq "MDM"
416
416
memberOf | Any string value (valid group object ID) | device.memberof -any (group.objectId -in ['value'])
417
417
objectId | a valid Azure AD object ID | device.objectId -eq "76ad43c9-32c5-45e8-a272-7b58b58f596d"
418
-
profileType | a valid [profile type](https://docs.microsoft.com/graph/api/resources/device?view=graph-rest-1.0#properties) in Azure AD | device.profileType -eq "RegisteredDevice"
418
+
profileType | a valid [profile type](/graph/api/resources/device?view=graph-rest-1.0#properties&preserve-view=true) in Azure AD | device.profileType -eq "RegisteredDevice"
419
419
systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | device.systemLabels -contains "M365Managed"
420
420
421
421
> [!NOTE]
422
-
> When using deviceOwnership to create Dynamic Groups for devices, you need to set the value equal to "Company". On Intune the device ownership is represented instead as Corporate. Refer to[OwnerTypes](/intune/reports-ref-devices#ownertypes) for more details.
422
+
> When using deviceOwnership to create Dynamic Groups for devices, you need to set the value equal to "Company." On Intune the device ownership is represented instead as Corporate. For more information, see[OwnerTypes](/intune/reports-ref-devices#ownertypes) for more details.
423
423
> When using deviceTrustType to create Dynamic Groups for devices, you need to set the value equal to "AzureAD" to represent Azure AD joined devices, "ServerAD" to represent Hybrid Azure AD joined devices or "Workplace" to represent Azure AD registered devices.
424
-
> When using extensionAttribute1-15 to create Dynamic Groups for devices you need to set the value for extensionAttribute1-15 on the device. Learn more on [how to write extensionAttributes on an Azure AD device object](https://docs.microsoft.com/graph/api/device-update?view=graph-rest-1.0&tabs=http#example-2--write-extensionattributes-on-a-device)
424
+
> When using extensionAttribute1-15 to create Dynamic Groups for devices you need to set the value for extensionAttribute1-15 on the device. Learn more on [how to write extensionAttributes on an Azure AD device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http#example-2--write-extensionattributes-on-a-device&preserve-view=true)
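Review bot: on the + NOTE line for deviceOwnership, moving the period inside the quotes ("Company.") makes it read as though the literal value were "Company." with a trailing period; since readers copy this value into a rule, keep the literal as "Company" and place the period outside the quotes. The same line has "see[OwnerTypes]" with no space before the link, and it opens with "For more information" while still ending with "for more details", so drop one: "For more information, see [OwnerTypes](/intune/reports-ref-devices#ownertypes)." The extensionAttribute1-15 line still ends without a period.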
# Group membership in a dynamic group (preview) in Azure Active Directory
20
20
21
-
This feature preview enables admins to create dynamic groups in Azure Active Directory (Azure AD) that populate by adding members of other groups using the memberOf attribute. Apps that couldn't read group-based membership previously in Azure AD can now read the entire membership of these new memberOf groups. Not only can these groups be used for apps, they can also be used for licensing assignment and role-based access control. The following diagram illustrates how you could create Dynamic-Group-A with members of Security-Group-X and Security-Group-Y. Members of the groups inside of Security-Group-X and Security-Group-Y don't become members of Dynamic-Group-A.
21
+
This feature preview in Azure Active Directory (Azure AD), part of Microsoft Entra, enables admins to create dynamic groups that populate by adding members of other groups using the memberOf attribute. Apps that couldn't read group-based membership previously in Azure AD can now read the entire membership of these new memberOf groups. Not only can these groups be used for apps, they can also be used for licensing assignment and role-based access control. The following diagram illustrates how you could create Dynamic-Group-A with members of Security-Group-X and Security-Group-Y. Members of the groups inside of Security-Group-X and Security-Group-Y don't become members of Dynamic-Group-A.
22
22
23
23
:::image type="content" source="./media/groups-dynamic-rule-member-of/member-of-diagram.png" alt-text="Diagram showing how the memberOf attribute works.":::