Microsoft Encourages More Performant Membership Rules for Dynamic Groups

Dynamic Group Rule Builder Blocks Contains Operators

It was interesting to read message center notification MC705357 (January 9, 2024) and learn that Microsoft implemented a change to the dynamic group rule builder GUI in both the Entra ID and Intune admin centers to “encourage performant dynamic group rules.” In other words, Microsoft detected that some of the membership rules created for dynamic groups are not as efficient as they might be.

In this instance, Microsoft removed the ability to use the ‘contains’ and ‘notContains’ operators from the dynamic group rule builder. The logic is that these operators are “less performant.” Microsoft says that rules containing the contains or notContains operators “should only be used when absolutely necessary.” The change is effective now.

Membership Rule Processing

Entra ID processes membership rules by querying its directory database to compute the set of members for each dynamic group. This processing happens in the background. Membership changes due to updated rules or the addition of new objects usually happen reasonably quickly, but as the number of dynamic groups (including those used by dynamic teams) plus dynamic administrative units grows, the resources consumed to recalculate group memberships must be substantial, even in an infrastructure like Microsoft 365.

If a shortage of system resources slows the processing of updates, inaccuracies grow in group memberships. Those inaccuracies might or might not affect users. For instance, an administrator changes the properties of an account to bring it within the scope of the membership rule for a Microsoft 365 group. The user can't access group resources like documents in its SharePoint Online site or channel conversations until Entra ID processes the membership change.

No Effect on Existing Dynamic Groups

An important point to realize is that the change does not affect existing dynamic groups whose rules use the "less performant" operators. Entra ID continues to use these rules to process membership updates. The change only kicks in when you want to update the membership rule. At that point, you'll discover that the admin center displays an error to say that some items could not be displayed in the rule builder, because the rule contains either the contains or notContains operator (Figure 1).

Figure 1: A group membership rule that uses the contains operator, as processed by the dynamic group rule builder

Use the Dynamic Group Rule Builder to Change Rules

It’s good that the change has no impact on existing groups, but what happens when you create new dynamic groups or need to change the membership rule for an existing group? Two options are available:

Edit the membership rule without using the rule builder. Click the Edit icon and compose the rule directly as text. Often this is the quickest and simplest way to proceed. As Figure 1 shows, the contains and notContains operators can still be included in a rule composed this way. In this case, the rule finds any member or guest account with the string "United" in the country property, so it matches accounts whose country is "United States" or "United Kingdom".

Remove the membership rule and replace it with another rule. To do this, open the rule in the text editor and clear it. When you exit the editor, the rule builder recognizes that the contains operators are no longer present and lets you compose a new rule. In Figure 2, I've updated the rule to use equals comparisons against the expected strings. Another way to achieve the same result is the in operator, which compares the property against a set of values. For example: (user.country -in ["United States","United Kingdom"])

Figure 2: Changing the membership rule to use a different approach

It's not always possible to rewrite a rule that uses the contains operator and get the same effect, for instance when the set of property values that should match can't be enumerated in advance. In these situations, the only alternative is to edit the rule manually as text.
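The same two steps can be done without touching the rule builder at all. The following script is an added example, not code from the original article or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list dynamic groups whose rules still use contains or notContains, then replaces one such rule with the -in form described above. It assumes the Microsoft.Graph module is installed, that the signed-in account holds Group.ReadWrite.All, and that the group display name ('Country Group') and the replacement rule are placeholders for this illustration.

```powershell
# Added example (not from the original article or from Microsoft).
# Assumes: Microsoft.Graph PowerShell SDK installed; signed-in account has
# Group.ReadWrite.All; 'Country Group' and the new rule are placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

# MembershipRule is not in the default property set returned by Get-MgGroup,
# so request it (and the processing state) explicitly.
$dynamicGroups = Get-MgGroup -All -Property Id, DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState |
    Where-Object { $_.GroupTypes -contains 'DynamicMembership' }

# Flag the rules the admin center rule builder will no longer render:
# anything using -contains or -notContains (the match is case-insensitive).
$lessPerformant = $dynamicGroups | Where-Object {
    $_.MembershipRule -match '-(not)?contains\b'
}

Write-Host ("{0} of {1} dynamic groups use contains/notContains" -f $lessPerformant.Count, $dynamicGroups.Count)
$lessPerformant |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState |
    Format-Table -AutoSize

# Rewrite one of them: a substring match on "United" in the country property
# becomes an -in comparison against the exact values it was meant to catch.
$groupName = 'Country Group'   # placeholder display name
$target = $lessPerformant | Where-Object DisplayName -eq $groupName

if ($target) {
    $newRule = '(user.country -in ["United States","United Kingdom"])'
    Update-MgGroup -GroupId $target.Id -MembershipRule $newRule -MembershipRuleProcessingState 'On'

    # Read the rule back. The membership itself is recalculated by Entra ID in
    # the background, so the member list may lag behind the new rule for a while.
    Get-MgGroup -GroupId $target.Id -Property DisplayName, MembershipRule, MembershipRuleProcessingState |
        Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
} else {
    Write-Warning "No dynamic group named '$groupName' uses a contains/notContains rule."
}
```

Run the inventory part first on its own; it is read-only and shows how many rules would trip the rule builder before you decide which ones are worth rewriting.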

An Innocuous Change

Some might ask why Microsoft removed the ability to create a type of rule that still works. It’s clear that something provoked the decision, probably telemetry that identified a performance issue caused by these rules. It would have been much worse if Microsoft had stopped rules working and forced customers to update rules to a supported configuration. This change shouldn’t have much impact, once you understand the options.


Make sure that you’re not surprised about changes that appear inside Entra ID and Microsoft 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

5 Replies to “Microsoft Encourages More Performant Membership Rules for Dynamic Groups”

  1. Just two days ago I tried to do (user.proxyAddresses -any (_ -notMatch "*@domain.com")) and that results in "Failed to save dynamic group" (and "Unable to complete due to service connection error." in the Validate Rules section)

    Using -notContains instead works fine, so how should I build this rule if they remove the contains operator?

  2. Also strange they provide a “Starts with” but no “Ends with” operator. No problem I can just use Match and do it with a regexp but still would have expected such a commonly used operator.

    In regard to the big Azure security fail, which is the current hot topic, I must say that Microsoft has made a lot of bad decisions in the last 2-3 years while its products and services have become worse. Lots of issues with the new Teams client, taking out features/fewer options in modern apps, cloud services costing more and more with worse performance and stability, ... This company needs some good managers who are not just interested in short-term profits and making shareholders happy but go back to focusing on customers' needs.
