In Azure Active Directory (Azure AD), you can use rules to determine group membership based on user or device properties. This article tells how to set up a rule for a dynamic group in the Azure portal. Dynamic membership is supported by security groups or Office 365 groups. When a group membership rule is applied, user and device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or device, all dynamic group rules in the organization are processed for membership changes. Users and devices are added or removed if they meet the conditions for a group. Security groups can be used for either devices or users, but Office 365 groups can be only user groups.
Azure AD provides a rule builder to create and update your important rules more quickly. The rule builder supports the construction of up to five expressions. The rule builder makes it easier to form a rule with a few simple expressions, however, it can’t be used to reproduce every rule. If the rule builder doesn’t support the rule you want to create, you can use the text box.
Here are some examples of advanced rules or syntax for which we recommend that you construct using the text box:
(user.proxyAddresses -any (_ -contains "contoso"))
Note
The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule builder is not able to display the rule. The rule builder doesn’t change the supported syntax, validation, or processing of dynamic group rules in any way.
For examples of syntax, supported properties, operators, and values for a membership rule, see Dynamic membership rules for groups in Azure Active Directory.
If the rule you entered isn’t valid, an explanation of why the rule couldn’t be processed is displayed in an Azure notification in the portal. Read it carefully to understand how to fix the rule.
When a new Office 365 group is created, a welcome email notification is sent to the users who are added to the group. Later, if any attributes of a user or device change, all dynamic group rules in the organization are processed for membership changes. Users who are added then also receive the welcome notification. You can turn off this behaviour in Exchange PowerShell.
You can see the membership processing status and the last updated date on the Overview page for the group.
The following status messages can be shown for Membership processing status:
The following status messages can be shown for Membership last updated status:
If an error occurs while processing the membership rule for a specific group, an alert is shown on the top of the Overview page for the group. If no pending dynamic membership updates can be processed for all the groups within the tenant for more than 24 hours, an alert is shown on the top of All groups.