I've hit a frustrating limitation with dynamic groups where there's no easy way to exclude freelancers or contractors. The `employeeType` attribute can't be used in the rule, so even though my directory is well-organized and the attribute is clean (distinguishing between Employee and Contractor), it's basically ineffective here. I'm left with using workarounds like domains or departments, which isn't ideal and definitely not scalable.
I'm wondering if I'm missing something obvious? Alternatively, I've heard that the extensionAttribute method could work, but that requires backfilling a lot of existing users with a script and ensuring new ones have it set from the start, which seems like too much overhead for something that should function out of the box. So, is `employeeType` simply unsupported as a dynamic group filter in Entra, or is there a better way to handle this?
3 Answers
What if you just create a security group that includes both employees and contractors, then add in additional groups as needed? It could help separate them for specific tasks without complicating your dynamic groups too much.
That’s the crux of my problem too! I can’t create dynamic groups based on `employeeType` at all. It forces me to manage it all manually, which is a nightmare with thousands of users in various groups already. The goal here was really to avoid that manual overhead!
We tackled this challenge by using the company attribute. All employees have our company name while contractors are labeled as external. It's a simple solution that has worked for us!
We’ve done something similar by using the company attribute too, which also helped for dynamic distribution lists. We then utilized another attribute to clarify whether someone is at a specific site or working remotely.