Ability to trigger a dynamic group update
It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a Powershell applet that can be run.
Bill Kaage
shared this idea
Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.
34 comments
-
Anonymous
commented
This is critical for Intune devices.
-
Midtbø, Atle
commented
+1
-
Mathieu Beaugrand
commented
+1
-
Andy J. Bigford
commented
Adding the 'What If" tool/option to the Dynamic membership rule page would be helpful for testing.
This might also reduce the need to trigger the update. -
Adam Demeter
commented
This message is directed at Adam Fowler. My dynamic membership rules were working OK last week, and even tried creating a new one to move students who need particular licenses set on their account. This week, at least two of my groups, have the "failed to load" error in the membership rules. Did you do anything to fix your issue?
-
Adam Fowler
commented
Tried the whitespace trick, but instead it just broke the dynamic rules page and kept saying 'failed to load' ? Didn't seem to reprocess the group either.
Also can't find that MembershipRuleProcessingState paramater, it's supposed to exist according to this https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureadmsgroup?view=azureadps-2.0 but even after only having the latest AzureAD module installed, it's not there. Doco doesn't seem complete at this stage, maybe it existed in Azure AD v1?
-
Anonymous
commented
I tried running the Powershell command that Charbel suggested, but I keep getting "parameter cannot be found the matches MembershipRuleProcessingState"
We are at the beginning of a new school year and are trying to issue iPhones to administrators. We can't wait 24 hours after a phone enrolls in Intune for it to pick up its group memberships.
I've been doing mobile device management for our organization (a large school district) for six years. I've worked with 3 MDM systems and tested half a dozen others, and Intune is BY FAR the most difficult and frustrating to work with. Customers should not have to beg for features that are standard in other MDMs.
I find it telling that Microsoft doesn't even use their own MDM to manage their in-house Apple devices...
-
Charbel
commented
One workaround I've successfully used is to change the MembershipRuleProcessingState to 'Paused' and then back to 'On'.
Run the following to obtain Group ID
Get-AzureADMSGroup -SearchString "GROUPABC"Then run:
Set-AzureADMSGroup -Id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -MembershipRuleProcessingState "Paused"To re-enable processing, update "paused" to "on"
Wait a few minutes for the evaluation to take place.
-
Sebastian
commented
I think we are not talking about an improvement here, but a clear bug. Because even the workaround sometimes does not work. In my case, editing the membership rule is impossible (although the page states that it was saved, if you go back in, nothing is changed) - hence, new processing does not get triggered. So dynamic groups are useless, as they are most of the time not dynamic!
-
Anonymous
commented
Whitespace "hack" works but for first assignment, changing the group will not force update in decent time. Will also not force to remove app that is not in new group or it is excluded.
-
wd
commented
Hello, please give us an update on this.
-
JT
commented
I just got off the line with a Microsoft Premier Engineer who suggested I wait 24-48 hours for an Autopilot device delete to occur, the device was associated with a dynamic group. Honestly, waiting 1 hour is far too long for a product as critical as this. When will a faster and more reliable solution be made available?
-
Graham
commented
Same here. Even if it were a powershell trigger or some way to get the groups to update more frequently.
-
Anonymous
commented
Yes please,
Need the option Asap -
Anonymous
commented
same
-
SG
commented
Would also like a manual update ability, please.
-
Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We've also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.
-
Ronnie Jorgensen
commented
+1 from me. please do so we can trigger a group update.
-
Anonymous
commented
I'm not even sure where you can test your queries before relying on the dynamic group to update (which it doesn't appear to be). I've looked for Device.DevicePhysicalID in Graph API, and the PowerBI Data Warehouse - neither of them seem to reveal this value. In addition, graph API shows my single system in the tenant while power BI (yes, I refreshed data) shows the old record. Seems there's plenty of schedules for datasets that aren't jiving. At least in SCCM, you can query the DB and WMI to see if your collection query is valid...so you know you have a collection update issue. Would be nice to have a bit more of this back-end shared with the rest of us.
-
Stephen
commented
Yes please add an Update Dynamic Group Now button or show us how to do this in powershell. I'm rolling out Intune and Dynamic groups are a godsend but are also infuriatingly slow when testing new automatic configuration.
