Merge pull request #192967 from curtand/jordan0325

tamarakhader · web-flow · commit bf9dc53dd5d6 · 2022-04-13T11:50:36.000-04:00
[Azure AD groups] tips for more efficient rules
diff --git a/articles/active-directory/enterprise-users/TOC.yml b/articles/active-directory/enterprise-users/TOC.yml
@@ -34,9 +34,9 @@
   items:
   - name: Users
     items: 
-    - name: Create users 
+    - name: Create a user 
       href: ../fundamentals/add-users-azure-active-directory.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
-    - name: Bulk create users
+    - name: Create users in bulk
       href: users-bulk-add.md    
     - name: Manage user profiles
       href: ../fundamentals/active-directory-users-profile-azure-portal.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
@@ -50,11 +50,11 @@
       href: ../fundamentals/active-directory-users-assign-role-azure-portal.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
     - name: User management enhancements
       href: users-search-enhanced.md
-    - name: Bulk delete users
+    - name: Delete users in bulk
       href: users-bulk-delete.md
     - name: Restore a deleted user    
       href: ../fundamentals/active-directory-users-restore.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
-    - name: Bulk restore users
+    - name: Restore users in bulk
       href: users-bulk-restore.md
     - name: Revoke a user's access
       href: users-revoke-access.md
@@ -106,15 +106,17 @@
         href: groups-dynamic-membership.md
       - name: Validate a membership rule
         href: groups-dynamic-rule-validation.md
+      - name: Create more efficient rules
+        href: groups-dynamic-rule-more-efficient.md
       - name: Change group membership type  
         href: groups-change-type.md
-    - name: Bulk add members
+    - name: Add members in bulk
       href: groups-bulk-import-members.md
-    - name: Bulk remove members
+    - name: Remove members in bulk
       href: groups-bulk-remove-members.md
-    - name: Bulk download member list
+    - name: Download member list
       href: groups-bulk-download-members.md
-    - name: Bulk download groups list
+    - name: Download groups list
       href: groups-bulk-download.md
     - name: Restore deleted groups   
       href: groups-restore-deleted.md
diff --git a/articles/active-directory/enterprise-users/groups-dynamic-rule-more-efficient.md b/articles/active-directory/enterprise-users/groups-dynamic-rule-more-efficient.md
@@ -0,0 +1,80 @@
+---
+title: Create simpler and faster rules for dynamic groups - Azure AD | Microsoft Docs
+description: How to optimize your membership rules to automatically populate groups.
+services: active-directory
+documentationcenter: ''
+author: curtand
+manager: karenhoran
+ms.service: active-directory
+ms.subservice: enterprise-users
+ms.workload: identity
+ms.topic: overview
+ms.date: 03/29/2022
+ms.author: curtand
+ms.reviewer: jordandahl
+ms.custom: it-pro
+ms.collection: M365-identity-device-management
+---
+
+
+# Create simpler, more efficient rules for dynamic groups in Azure Active Directory
+
+The team for Azure Active Directory (Azure AD) sees numerous incidents related to dynamic groups and the processing time for their membership rules. This article contains the methods by which our engineering team helps customers to simplify their membership rules. Simpler and more efficient rules result in better dynamic group processing times. When writing membership rules for dynamic groups, these are steps you can take to ensure the rules are as efficient as possible. 
+
+
+## Minimize use of MATCH
+
+Minimize the usage of the 'match' operator in rules as much as possible. Instead, explore if it's possible to use the `contains`, `startswith`, or `-eq` operators. Considering using other properties that allow you to write rules to select the users you want to be in the group without using the `-match` operator. For example, if you want a rule for the group for all users whose city is Lagos, then instead of using rules like:
+
+- `user.city -match "ago"`
+- `user.city -match ".*?ago.*"`
+
+It's better to use rules like:
+
+- `user.city -contains "ago,"`
+- `user.city -startswith "Lag,"` 
+
+Or, best of all:
+
+- `user.city -eq "Lagos"`
+
+## Use fewer OR operators
+
+In your rule, identify when it uses various values for the same property linked together with `-or` operators. Instead, use the `-in` operator to group them into a single criterion to make the rule easier to evaluate. For example, instead of having a rule like this:
+
+```
+(user.department -eq "Accounts" -and user.city -eq "Lagos") -or 
+(user.department -eq "Accounts" -and user.city -eq "Ibadan") -or 
+(user.department -eq "Accounts" -and user.city -eq "Kaduna") -or 
+(user.department -eq "Accounts" -and user.city -eq "Abuja") -or 
+(user.department -eq "Accounts" -and user.city -eq "Port Harcourt")
+```
+
+It's better to have a rule like this:
+
+- `user.department -eq "Accounts" -and user.city -in ["Lagos", "Ibadan", "Kaduna", "Abuja", "Port Harcourt"]`
+
+
+Conversely, identify similar sub criteria with the same property not equal to various values, that are linked with `-and` operators. Then use the `-notin` operator to group them into a single criterion to make the rule easier to understand and evaluate. For example, instead of using a rule like this:
+
+- `(user.city -ne "Lagos") -and (user.city -ne "Ibadan") -and (user.city -ne "Kaduna") -and (user.city -ne "Abuja") -and (user.city -ne "Port Harcourt")`
+
+It's better to use a rule like this:
+
+- `user.city -notin ["Lagos", "Ibadan", "Kaduna", "Abuja", "Port Harcourt"]`
+
+## Avoid redundant criteria
+
+Ensure that you aren't using redundant criteria in your rule. For example, instead of using a rule like this:
+
+- `user.city -eq "Lagos" or user.city -startswith "Lag"`
+
+It's better to use a rule like this:
+
+- `user.city -startswith "Lag"`
+
+
+## Next steps
+
+- [Create a dynamic group](groups-dynamic-membership.md)
+
