Forum Discussion

ShawnMay
Copper Contributor
Oct 20, 2023

Entra ID Dynamic User security group - Syntax rule

Attempting to create a dynamic user group for Microsoft consumer accounts in my B2B tenant. This should be very simple.


Background data: Collection or array object

- User.identities (Collection or array)

- User.identities.issuer (Collection or array only when B2B guest/member)

- User.identities.issuer (string when internal member)

- User.identities.issuerAssignedId (Collection or array only when B2B guest/member)

- User.identities.issuerAssignedId (string when internal member)

- User.identities.signInType (Collection or array only when B2B guest/member)

- User.identities.signInType (string when internal member)


There seem to be ongoing issues querying or filtering for user.identities.issuer, along with the use of various filter combinations. Again, this should be very simple.


I've tried multiple combinations of the below syntax rule.  Does anyone have something that has worked for you?


(user.identities -any (objectIdentity.issuer -eq "MicrosoftAccount")) -and (user.identities -any (objectIdentity.issuerAssignedId -eq null))


(user.identities -any (objectIdentity.issuer -any (_ -eq "MicrosoftAccount")) -and (user.identities -any (objectIdentity.issuerAssignedId (_ -eq null)))


(user.identities -any (issuer -any (_ -eq "MicrosoftAccount")) -and (user.identities -any (issuerAssignedId (_ -eq null)))

4 Replies

  •
    LeonPavesic
    Silver Contributor

    Hi ShawnMay,


    Creating a dynamic user group in Azure AD B2B to include Microsoft consumer accounts (MicrosoftAccount issuer) when they are guests can sometimes be a bit tricky. You also want to filter for users with a null value in the issuerAssignedId attribute. The correct syntax for your dynamic group rule should be:


    (user.identities.issuer -any _ -eq "MicrosoftAccount") -and (not user.identities.issuerAssignedId)

    The parts of the rule are:

    1. (user.identities.issuer -any _ -eq "MicrosoftAccount"): This part checks whether any of the user's identity objects has an issuer equal to "MicrosoftAccount".

    2. (not user.identities.issuerAssignedId): This part checks if the user doesn't have an issuerAssignedId. Essentially, it's checking for a null or empty issuerAssignedId.

    By combining these conditions, you should ensure that your dynamic group includes Microsoft consumer accounts with a null issuerAssignedId when they are guests.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)
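    Before committing to any rule syntax, it helps to know which users the rule should end up matching. The script below is an added example, not code from either post or from Microsoft: it takes a JSON export of users with their identities collection (for instance, what Get-MgUser -All -Property userPrincipalName,userType,identities | ConvertTo-Json -Depth 5 would produce, which is an assumption about your tooling) and evaluates the two conditions discussed above locally, "any identity with issuer MicrosoftAccount" and the stricter "that identity also has a null issuerAssignedId". The sample users, UPNs and issuerAssignedId values are constructed; the last user deliberately carries identities as a single object rather than a list, to mirror the string-vs-collection shapes listed in the original post.

```python
import json
from typing import Any, Callable

# Constructed sample shaped like the `identities` collection Microsoft Graph returns
# for users in a B2B tenant. Invented illustration data, not an export from any tenant.
# "dave" stores identities as one object instead of a list, mirroring the
# string-vs-collection shapes described in the original post.
SAMPLE_USERS_JSON = """
[
  {"userPrincipalName": "alice@contoso.onmicrosoft.com", "userType": "Member",
   "identities": [
     {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
      "issuerAssignedId": "alice@contoso.onmicrosoft.com"}]},
  {"userPrincipalName": "bob_outlook.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
   "identities": [
     {"signInType": "federated", "issuer": "MicrosoftAccount",
      "issuerAssignedId": "00037FFE1234ABCD"},
     {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
      "issuerAssignedId": "bob_outlook.com#EXT#@contoso.onmicrosoft.com"}]},
  {"userPrincipalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
   "identities": [
     {"signInType": "federated", "issuer": "fabrikam.com",
      "issuerAssignedId": "carol@fabrikam.com"},
     {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
      "issuerAssignedId": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com"}]},
  {"userPrincipalName": "dave@contoso.onmicrosoft.com", "userType": "Member",
   "identities": {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
                  "issuerAssignedId": "dave@contoso.onmicrosoft.com"}}
]
"""


def load_users(text: str = SAMPLE_USERS_JSON) -> list[dict[str, Any]]:
    """Parse a JSON array of user objects as exported from Graph / Get-MgUser."""
    return json.loads(text)


def identities_of(user: dict[str, Any]) -> list[dict[str, Any]]:
    """Return identities as a list whether the export stored one object or a collection."""
    raw = user.get("identities")
    if raw is None:
        return []
    if isinstance(raw, dict):  # flattened single identity (the "string" shape in the post)
        return [raw]
    return list(raw)


def has_issuer(user: dict[str, Any], issuer: str) -> bool:
    """'Any identity object has this issuer': the test the first clause of the rule expresses."""
    return any(ident.get("issuer") == issuer for ident in identities_of(user))


def has_identity_without_assigned_id(user: dict[str, Any], issuer: str) -> bool:
    """Stricter test: an identity from `issuer` whose issuerAssignedId is null or empty."""
    return any(
        ident.get("issuer") == issuer and not ident.get("issuerAssignedId")
        for ident in identities_of(user)
    )


def select_members(
    users: list[dict[str, Any]],
    issuer: str = "MicrosoftAccount",
    require_null_assigned_id: bool = False,
) -> list[str]:
    """UPNs of users the intended rule would admit, so they can be compared with the live group."""
    test: Callable[[dict[str, Any], str], bool] = (
        has_identity_without_assigned_id if require_null_assigned_id else has_issuer
    )
    return sorted(u["userPrincipalName"] for u in users if test(u, issuer))


def main() -> None:
    users = load_users()
    print("Expected members, issuer == MicrosoftAccount:")
    for upn in select_members(users):
        print("  ", upn)
    print("With the extra null-issuerAssignedId clause:",
          select_members(users, require_null_assigned_id=True))


if __name__ == "__main__":
    main()
```

    Run it against a real export (replace SAMPLE_USERS_JSON or pass the file contents to load_users) and compare the list with the group's actual members. With the constructed sample, the issuer test alone selects only the MicrosoftAccount guest, while adding the null-issuerAssignedId clause selects nobody; whether that second clause is useful depends on what your tenant actually stores in issuerAssignedId for these accounts, so check the export before putting it into the rule.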

    •
      ShawnMay
      Copper Contributor

      LeonPavesic Thank you for responding. Let me ask, have you successfully gotten this syntax (query) to function querying these? (Its malformed nature suggests it'll fail.)

      •
        ShawnMay
        Copper Contributor
        LeonPavesic - gentle nudge. The query provided for this dynamic membership doesn't work, and it doesn't appear to be a supported attribute. Have you been able to get this working?
