How can we improve Azure Active Directory?

← Azure Active Directory

Ability to trigger a dynamic group update

It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a Powershell applet that can be run.

143 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Bill Kaage shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
under review  ·  AdminAzure AD Team (Product Manager, Microsoft Azure) responded  · 

Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

27 comments

Attach a File
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Charbel commented  ·   ·  Flag as inappropriate

    One workaround I've successfully used is to change the MembershipRuleProcessingState to 'Paused' and then back to 'On'.

    Run the following to obtain Group ID
    Get-AzureADMSGroup -SearchString "GROUPABC"

    Then run:
    Set-AzureADMSGroup -Id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -MembershipRuleProcessingState "Paused"

    To re-enable processing, update "paused" to "on"

    Wait a few minutes for the evaluation to take place.

  • Sebastian commented  ·   ·  Flag as inappropriate

    I think we are not talking about an improvement here, but a clear bug. Because even the workaround sometimes does not work. In my case, editing the membership rule is impossible (although the page states that it was saved, if you go back in, nothing is changed) - hence, new processing does not get triggered. So dynamic groups are useless, as they are most of the time not dynamic!

  • Anonymous commented  ·   ·  Flag as inappropriate

    Whitespace "hack" works but for first assignment, changing the group will not force update in decent time. Will also not force to remove app that is not in new group or it is excluded.

  • JT commented  ·   ·  Flag as inappropriate

    I just got off the line with a Microsoft Premier Engineer who suggested I wait 24-48 hours for an Autopilot device delete to occur, the device was associated with a dynamic group. Honestly, waiting 1 hour is far too long for a product as critical as this. When will a faster and more reliable solution be made available?

  • Graham commented  ·   ·  Flag as inappropriate

    Same here. Even if it were a powershell trigger or some way to get the groups to update more frequently.

  • AdminAzure AD Team (Product Owner, Microsoft Azure) commented  ·   ·  Flag as inappropriate

    Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We've also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

  • Anonymous commented  ·   ·  Flag as inappropriate

    I'm not even sure where you can test your queries before relying on the dynamic group to update (which it doesn't appear to be). I've looked for Device.DevicePhysicalID in Graph API, and the PowerBI Data Warehouse - neither of them seem to reveal this value. In addition, graph API shows my single system in the tenant while power BI (yes, I refreshed data) shows the old record. Seems there's plenty of schedules for datasets that aren't jiving. At least in SCCM, you can query the DB and WMI to see if your collection query is valid...so you know you have a collection update issue. Would be nice to have a bit more of this back-end shared with the rest of us.

  • Stephen commented  ·   ·  Flag as inappropriate

    Yes please add an Update Dynamic Group Now button or show us how to do this in powershell. I'm rolling out Intune and Dynamic groups are a godsend but are also infuriatingly slow when testing new automatic configuration.

  • Pratik Dave commented  ·   ·  Flag as inappropriate

    This option is quite crucial from Intune, devices are unable to get profiles due to delay in Dynamic membership rule update.

  • Mike D. commented  ·   ·  Flag as inappropriate

    Bump... Any updates on when forcing a manual Dynamic group update might be available? Still nothing in the Device Management portal nor a way to do it in powershell (at least nothing I could find on the ol' Interwebs)
    Even adding a "space" at the end of rule doesn't seem to be working either. The Audit log says Update Group - Success, but the device I am trying to add never shows up... even though the device does in fact match everything set membership rule filter.
    Switched the stupid group to manual assignment, I don't have time for this ****.

  • Kristina Bain Smith (Azure AD) commented  ·   ·  Flag as inappropriate

    Thank you for your feedback! Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We've also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

← Previous 1

Azure Active Directory: Groups/Dynamic groups

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice