Have a Question?

Dynamic Membership Rules

PostedMarch 28, 2026

UpdatedMarch 28, 2026

Bydregier

This is for defining the criteria for dynamically adding membership to groups.

Basic format:

(user | device).attribute operator "value"

Examples:

Add all users in the “Marketing” department:

(user.department -eq "Marketing")

Add all users with job title containing “Manager”:

(user.jobTitle -contains "Manager")

Combine conditions (AND / OR):

(user.department -eq "Sales") -and (user.accountEnabled -eq true)

Exclude certain users:

(user.department -eq "HR") -and (user.userPrincipalName -ne "ceo@contoso.com")

Common Operators

Operator	Meaning
`-eq`	Equals
`-ne`	Not equals
`-contains`	Contains substring
`-notContains`	Does not contain substring
`-startsWith`	Starts with
`-endsWith`	Ends with
`-in`	Value is in a list
`-notIn`	Value is not in a list

Context within PowerShell

# Create the group
$group = New-AzureADMSGroup

-DisplayName “Marketing Users” `
-MailEnabled $false `
-SecurityEnabled $true `
-MailNickname “MarketingUsers” `
-GroupTypes “DynamicMembership”

# Define the rule
$rule = ‘(user.department -eq “Marketing”)’

# Set the membership rule
Set-AzureADMSGroup -Id $group.Id `
-MembershipRule $rule `
-MembershipRuleProcessingState “On”

Table of Contents

► Necessary Cookies Always Active

Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.

► Functional Cookies Remark

Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.

► Analytical Cookies Remark

Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.

► Advertisement Cookies Remark

Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.