You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Create simpler, more efficient rules for dynamic groups In Azure Active Directory
21
21
22
-
The team for Azure Active Directory (Azure AD) sees a lot of incidents related to dynamic groups and the processing time for their membership rules. This article contains the methods by which our engineering team helps customers to simplify their membership rule, which then improves processing time.
23
-
24
-
When writing membership rules to determine what users or devices get added to dynamic groups, there are steps you can take to ensure the rules are as efficient as possible. More efficient rules result in better dynamic group processing times.
22
+
The team for Azure Active Directory (Azure AD) sees numerous incidents related to dynamic groups and the processing time for their membership rules. This article contains the methods by which our engineering team helps customers to simplify their membership rules. Simpler and more efficient rules result in better dynamic group processing times. When writing membership rules for dynamic groups, these are steps you can take to ensure the rules are as efficient as possible.
25
23
26
24
27
25
## Minimize use of MATCH
28
26
29
-
Minimize the usage of the 'match' operator in rules as much as possible. Instead, explore if it is possible to use the 'contains,' 'startswith,' or ‘-eq’ operators. Considering using other properties that allow you to write rules to select the users you want to be in the group without using the -match operator. For example, if you want a rule for the group for all users whose city is Lagos, then instead of using rules like:
27
+
Minimize the usage of the 'match' operator in rules as much as possible. Instead, explore if it's possible to use the `contains`, `startswith`, or `-eq` operators. Considering using other properties that allow you to write rules to select the users you want to be in the group without using the `-match` operator. For example, if you want a rule for the group for all users whose city is Lagos, then instead of using rules like:
30
28
31
29
```powershell
32
30
user.city -match "ago" or user.city -match ".*?ago.*"
33
31
```
34
32
35
-
It is better to use rules like:
33
+
It's better to use rules like:
36
34
37
35
`user.city -contains "ago,"` or
38
36
`user.city -startswith "Lag,"` or
39
37
best of all, `user.city -eq "Lagos"`
40
38
41
39
## Use fewer OR operators
42
40
43
-
In your rule, identify similar sub criteria with the same property equaling various values being linked together with a lot of -or operators. Instead, use the -in operator to group them into a single criterion to make the rule easier to evaluate. For example, instead of having a rule like this:
41
+
In your rule, identify when it uses various values for the same property linked together with `-or` operators. Instead, use the `-in` operator to group them into a single criterion to make the rule easier to evaluate. For example, instead of having a rule like this:
Conversely, identify similar sub criteria with the same property not equaling various values, being linked with a lot of -and operators. Then use the -notin operator to group them into a single criterion to make the rule easier to understand and evaluate. For example, instead of using a rule like this:
57
+
Conversely, identify similar sub criteria with the same property not equal to various values, that are linked with `-and` operators. Then use the `-notin` operator to group them into a single criterion to make the rule easier to understand and evaluate. For example, instead of using a rule like this:
0 commit comments