How can we improve Azure Active Directory?

← Azure Active Directory

Ability to trigger a dynamic group update

It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a Powershell applet that can be run.

462 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Bill Kaage shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
under review  ·  Azure AD Team responded  · 

Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

55 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    The white space trick does not work for me. I add a keyword to a user's account that the rules in my dynamic group are looking for. I add the white space to the end of my membership rule, the processing says complete, but it still can take hours for my user to show in the group. I am ready to switch this to a static group just so I can get my project rolled out.

  • Anonymous commented  ·   ·  Flag as inappropriate

    I would like to be able to force a dynamic M365 group to sync using powershell or via the GUI.

  • Anonymous commented  ·   ·  Flag as inappropriate

    What a brutal group. Put yourself in their shoes and then add 10k tasks to your todo list. Its not like Intune and AAD have been around as long as AD. If you are old enough to remember AD in 2000, you would no there no instant gratification with it either.

  • Leroy Simon commented  ·   ·  Flag as inappropriate

    connect-azuread
    import-module azureadpreview -force
    set-azureadmsgroup -id <group objectid> -membershipruleprocessingstate "paused"
    set-azureadmsgroup -id <group objectid> -membershipruleprocessingstate "on"

    This will force a group membership enumeration.

  • Imre commented  ·   ·  Flag as inappropriate

    In our case the dynamic group was paused and we were not able to make it continue again.

    For me the solution was not adding a white space but to copy the dynamic rule to a notepad first. Then change the properties from dynamic to assigned (this will retain all members). Then change it back to dynamic and add the rule back from the notepad.

  • [Deleted User] commented  ·   ·  Flag as inappropriate

    In our case the dynamic group was paused and we were not able to make it continue again.

    For me the solution was not adding a white space but to copy the dynamic rule to a notepad first. Then change the properties from dynamic to assigned (this will retain all members). Then change it back to dynamic and add the rule back from the notepad.

  • AdminAzure AD Team (Product Owner, Microsoft Azure) commented  ·   ·  Flag as inappropriate

    We are still recommending the workaround to trigger reprocessing by updating membership rule to add a whitespace at the end and save the group. The feature team is also working on improving Dynamic group performance which will help address this issue as well.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Dynamic groups are 100% useless right now, the lack of update controls is fatal and they can't be used in production in any meaningful way. This is espicially troubling since support advises using them but you can have no control over them at all. If I worked at Microsoft this would be my priority. Product manager should be fired.

  • Cooper, Damian commented  ·   ·  Flag as inappropriate

    Requesting an update on this as we are trying to use (device.devicePhysicalIds -any _ -eq "[OrderID]:***") to allow machines to use a different Hybrid join profile to our 3 domains. The only way I've been able to get this to work is to delete the group and recreate it every time. Please update this function.

  • Raja Sekhar commented  ·   ·  Flag as inappropriate

    We have requirement to create new dynamic group, By automatically to add the existing members of old “Mail enabled security” group to the new dynamic group and whenever we add the member in old “Mail enabled security” those members need to automatically update on the new dynamic group.

  • Sujithkumar commented  ·   ·  Flag as inappropriate

    The Dynamic device group which i am playing around is with the below query to fetch autopilot devices based on (devicePhysicalIDs and OrderID), when I created this group with the dymanic query rule, it picked up the existing devices based on the below query but then it didnt work for the new entry ( I would say partially worked). For example, I have assigned the same group for several services like Apps, Device Configuration and AutoPilot deployment profile. it works fine with AutoPilot deployment profile but not for the Apps and Device Configuration. therefore, it would be great to have this dynamic group working, unfortunately for now it is not fit for production.
    (device.devicePhysicalIDs -any _ -contains "[ZTDId]") -and (device.devicePhysicalIds -any _ -eq "[OrderID]:EU-Devices")

  • Sujithkumar commented  ·   ·  Flag as inappropriate

    The Dynamic device group which i am playing around is with the below query to fetch autopilot devices based on (devicePhysicalIDs and OrderID), when I created this group with the dymanic query rule, it picked up the existing devices based on the below query but then it didnt work for the new entry ( I would say partially worked). For example, I have assigned the same group for several services like Apps, Device Configuration and AutoPilot deployment profile. it works fine with AutoPilot deployment profile but not for the Apps and Device Configuration. therefore, it would be great to have this dynamic group working, unfortunately for now it is not fit for production.
    (device.devicePhysicalIDs -any _ -contains "[ZTDId]") -and (device.devicePhysicalIds -any _ -eq "[OrderID]:Devices")

  • Trond Stien commented  ·   ·  Flag as inappropriate

    This is essential for dynamic group memberships.

    Currently having issues with removal/joining of group members due to no total-refresh of members.

  • Morten Trab commented  ·   ·  Flag as inappropriate

    Intune is pretty useless with dynamic device groups as these are WAY too slow to update.
    We have around 2000 mobile devices which we need to target on device level, and as it is now the users are able to mess around in several settings, before policies and apps are forced.

  • Anonymously Frustrated commented  ·   ·  Flag as inappropriate

    A Re-Process option exists on the licenses tab for dynamic groups, so you must have thought about this. +1 on providing a PS command to do this.

← Previous 1 3

Azure Active Directory: Groups/Dynamic groups

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice