How can we improve Azure Active Directory?

← Azure Active Directory

Ability to trigger a dynamic group update

It would be wonderful if there was a way to trigger a re-sync of dynamic groups after changes are made. Right now some changes take over 24 hours to show and when experimenting with new dynamic rules it makes it difficult to see results. The trigger could be something like the Reset and Resync box in Enterprise Apps provisioning or just a Powershell applet that can be run.

383 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Bill Kaage shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
under review  ·  Azure AD Team responded  · 

Our feature team is looking into options for addressing this scenario, but we do not yet have any timelines to share. For now as a workaround, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end. We’ve also added the ability to check the membership processing status, to keep track of the status and know if processing is complete.

45 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Cooper, Damian commented  ·   ·  Flag as inappropriate

    Requesting an update on this as we are trying to use (device.devicePhysicalIds -any _ -eq "[OrderID]:***") to allow machines to use a different Hybrid join profile to our 3 domains. The only way I've been able to get this to work is to delete the group and recreate it every time. Please update this function.

  • Raja Sekhar commented  ·   ·  Flag as inappropriate

    We have requirement to create new dynamic group, By automatically to add the existing members of old “Mail enabled security” group to the new dynamic group and whenever we add the member in old “Mail enabled security” those members need to automatically update on the new dynamic group.

  • Sujithkumar commented  ·   ·  Flag as inappropriate

    The Dynamic device group which i am playing around is with the below query to fetch autopilot devices based on (devicePhysicalIDs and OrderID), when I created this group with the dymanic query rule, it picked up the existing devices based on the below query but then it didnt work for the new entry ( I would say partially worked). For example, I have assigned the same group for several services like Apps, Device Configuration and AutoPilot deployment profile. it works fine with AutoPilot deployment profile but not for the Apps and Device Configuration. therefore, it would be great to have this dynamic group working, unfortunately for now it is not fit for production.
    (device.devicePhysicalIDs -any _ -contains "[ZTDId]") -and (device.devicePhysicalIds -any _ -eq "[OrderID]:EU-Devices")

  • Sujithkumar commented  ·   ·  Flag as inappropriate

    The Dynamic device group which i am playing around is with the below query to fetch autopilot devices based on (devicePhysicalIDs and OrderID), when I created this group with the dymanic query rule, it picked up the existing devices based on the below query but then it didnt work for the new entry ( I would say partially worked). For example, I have assigned the same group for several services like Apps, Device Configuration and AutoPilot deployment profile. it works fine with AutoPilot deployment profile but not for the Apps and Device Configuration. therefore, it would be great to have this dynamic group working, unfortunately for now it is not fit for production.
    (device.devicePhysicalIDs -any _ -contains "[ZTDId]") -and (device.devicePhysicalIds -any _ -eq "[OrderID]:Devices")

  • Trond Stien commented  ·   ·  Flag as inappropriate

    This is essential for dynamic group memberships.

    Currently having issues with removal/joining of group members due to no total-refresh of members.

  • Morten Trab commented  ·   ·  Flag as inappropriate

    Intune is pretty useless with dynamic device groups as these are WAY too slow to update.
    We have around 2000 mobile devices which we need to target on device level, and as it is now the users are able to mess around in several settings, before policies and apps are forced.

  • Anonymously Frustrated commented  ·   ·  Flag as inappropriate

    A Re-Process option exists on the licenses tab for dynamic groups, so you must have thought about this. +1 on providing a PS command to do this.

  • Anonymous commented  ·   ·  Flag as inappropriate

    we need to have the ability to update dynamic group, without the ability to update on demand, this is useless.

  • Andy J. Bigford commented  ·   ·  Flag as inappropriate

    Adding the 'What If" tool/option to the Dynamic membership rule page would be helpful for testing.
    This might also reduce the need to trigger the update.

  • Adam Demeter commented  ·   ·  Flag as inappropriate

    This message is directed at Adam Fowler. My dynamic membership rules were working OK last week, and even tried creating a new one to move students who need particular licenses set on their account. This week, at least two of my groups, have the "failed to load" error in the membership rules. Did you do anything to fix your issue?

  • Adam Fowler commented  ·   ·  Flag as inappropriate

    Tried the whitespace trick, but instead it just broke the dynamic rules page and kept saying 'failed to load' ? Didn't seem to reprocess the group either.

    Also can't find that MembershipRuleProcessingState paramater, it's supposed to exist according to this https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureadmsgroup?view=azureadps-2.0 but even after only having the latest AzureAD module installed, it's not there. Doco doesn't seem complete at this stage, maybe it existed in Azure AD v1?

  • Anonymous commented  ·   ·  Flag as inappropriate

    I tried running the Powershell command that Charbel suggested, but I keep getting "parameter cannot be found the matches MembershipRuleProcessingState"

    We are at the beginning of a new school year and are trying to issue iPhones to administrators. We can't wait 24 hours after a phone enrolls in Intune for it to pick up its group memberships.

    I've been doing mobile device management for our organization (a large school district) for six years. I've worked with 3 MDM systems and tested half a dozen others, and Intune is BY FAR the most difficult and frustrating to work with. Customers should not have to beg for features that are standard in other MDMs.

    I find it telling that Microsoft doesn't even use their own MDM to manage their in-house Apple devices...

  • Charbel commented  ·   ·  Flag as inappropriate

    One workaround I've successfully used is to change the MembershipRuleProcessingState to 'Paused' and then back to 'On'.

    Run the following to obtain Group ID
    Get-AzureADMSGroup -SearchString "GROUPABC"

    Then run:
    Set-AzureADMSGroup -Id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -MembershipRuleProcessingState "Paused"

    To re-enable processing, update "paused" to "on"

    Wait a few minutes for the evaluation to take place.

← Previous 1 3

Azure Active Directory: Groups/Dynamic groups

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice