I'm trying to set up a new Dynamic Group in Microsoft 365 that includes all of my users with Microsoft Defender licenses but excludes users in the 'Business Premium Users' group and the 'External Staff' group. I have 10 Microsoft Business Premium licenses for some users and 100 Microsoft Defender licenses for others. I've already created the necessary groups, but I'm running into issues with the syntax for the exclusion in my Dynamic Group rules. I really want to automate the assignment of Microsoft Defender licenses since staff turnover can be quite regular. Any guidance or tips would be amazing!
3 Answers
Instead of excluding groups directly, consider using a rule based on the licensed property along with a property to identify external staff. The `memberOf` attribute can’t be used with other operators, so just check the licensing properties instead. It might simplify things for you.
Make sure to include the syntax you’re currently using for the Dynamic Group. A common mistake is trying to use group names instead of their Object IDs when referencing `memberOf`. That might be throwing things off for you! You’ll need to stick with the ObjectID.
Good catch! It definitely needs the group's ObjectID, not the name.
Correct, I'm already using the ObjectID... just added a reply with more details!
I should have shared my example in my original post! Right now, my Dynamic Rule Expression looks something like this: `-not (user.objectId -in ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"])` for the Business Premium group, but it seems like those users are still popping up in the group. Any ideas why?
I did see a post about that, but I couldn't figure out the specific details needed...