In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic memberships for groups.

Device membership rules can only reference device attributes. This feature requires an Azure AD Premium P1 license or Intune for Education for each unique user that is a member of one or more dynamic groups. You don't have to assign licenses to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the Azure AD organization to cover all such users. For example, if you had a total of 1,000 unique users in all dynamic groups in your organization, you would need at least 1,000 licenses for Azure AD Premium P1 to meet the license requirement. No license is required for devices that are members of a dynamic device group.

Rule builder in the Azure portal

Azure AD provides a rule builder to create and update your important rules more quickly. The rule builder supports the construction of up to five expressions. The rule builder makes it easier to form a rule with a few simple expressions; however, it can't be used to reproduce every rule. If the rule builder doesn't support the rule you want to create, you can use the text box.

Here are some examples of advanced rules or syntax that we recommend you construct using the text box:

Rules with complex expressions, for example (user.proxyAddresses -any (_ -contains "contoso")).

The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing of dynamic group rules in any way.

For more step-by-step instructions, see Create or update a dynamic group.

A single expression is the simplest form of a membership rule and only has the three parts mentioned above. A rule with a single expression looks similar to this: Property Operator Value, where the syntax for the property is the name of object.property.

The following is an example of a properly constructed membership rule with a single expression:

partment -eq "Sales"

Parentheses are optional for a single expression. The total length of the body of your membership rule cannot exceed 3072 characters.

Constructing the body of a membership rule

A membership rule that automatically populates a group with users or devices is a binary expression that results in a true or false outcome. The order of the parts within an expression is important to avoid syntax errors.

There are three types of properties that can be used to construct a membership rule.

The following are the user properties that you can use to create a single expression.

(user.facsimileTelephoneNumber -eq "value")
Any string value or null (SMTP address of the user)
Any string value (mail alias of the user)
On-premises security identifier (SID) for users who were synchronized from on-premises to the cloud.
None; DisableStrongPassword; DisablePasswordExpiration; DisablePasswordExpiration, DisableStrongPassword
(user.passwordPolicies -eq "DisableStrongPassword")
(user.physicalDeliveryOfficeName -eq "value")

Properties of type string collection

(user.otherMails -contains smtp: -contains "SMTP:

For the properties used for device rules, see Rules for devices.