Azure Active Directory has the ability to create Security Groups with Dynamic membership. This is great if you can apply logic to a group, as members will fall in and out of scope without any work required.
Microsoft have a great writeup on how it all works and how to create rules, however I’ve run into a scenario not covered in the documentation.
If you create a Dynamic membership rule and want to include only attributes that have no value, the term ‘null’ works fine. You can create your group or modify the rule without issue.
However, if your binary operator (the equals part in the example above) is set to ‘not’, it won’t work.
The use case I had for ‘not null’ was to have a group of users which only had employee numbers, which was an easy way of filtering out test accounts, service accounts and so on.
You’ll get this error:
Note that you can’t do this from the simple rule view: changing ‘null’ to ‘$null’ there results in the code looking like this:
(user.extensionAttribute1 -eq "$null")
Where it should look like this, without the quotes:
(user.extensionAttribute1 -eq $null)
A simple fix, but something that’s not documented on the support page. Hope this helps anyone who runs into the same problem.
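Dynamic groups often gate access, so a rule that is accepted but silently matches the wrong set of accounts deserves a check before it is saved. The sketch below is an added example, not code from this post or from Microsoft: it lints rule strings for the null-handling mistakes described above and in the comments below. The check names, `lint_rule`, and the sample rules are assumptions built from the rules quoted on this page, and the checks are heuristics, not Azure AD's own rule validation.

```python
import re

# Heuristic checks drawn from this post and its comments.
# This is NOT Azure AD's rule validator; it only flags known pitfalls.
CURLY = "\u201c\u201d\u2018\u2019"          # typographic double/single quotes
QUOTE = "[\"'" + CURLY + "]"                # any straight or curly quote

CHECKS = [
    ("curly-quotes", re.compile("[" + CURLY + "]"),
     "typographic quotes, usually from copy/paste; use straight quotes"),
    ("quoted-null", re.compile(QUOTE + r"\$?null" + QUOTE, re.I),
     "null is wrapped in quotes; the post's fix is $null without quotes"),
    ("empty-string", re.compile(r"-(?:eq|ne)\s*" + QUOTE + r"\s*" + QUOTE, re.I),
     "compared with an empty string; a commenter saw -ne \"\" accepted but ignored"),
    ("not-as-comparison", re.compile(r"[\w.]+\s+-not\s+\$?null\b", re.I),
     "-not used as the comparison operator; commenters report -ne $null works"),
]

def lint_rule(rule):
    """Return [(check_id, message)] for each suspicious pattern in a rule."""
    return [(cid, msg) for cid, rx, msg in CHECKS if rx.search(rule)]

def check_ids(rule):
    """Convenience wrapper: only the ids of the checks that fired."""
    return [cid for cid, _ in lint_rule(rule)]

# Constructed sample rules, based on the expressions quoted on this page.
SAMPLES = [
    '(user.extensionAttribute1 -eq "$null")',
    '(user.extensionAttribute1 -eq \u201c$null\u201d)',
    '(user.jobTitle -ne "")',
    '(user.jobTitle -not $null)',
    '(user.jobTitle -ne $null)',
    '(user.extensionAttribute4 -eq "Contractor") -and '
    '-not (user.TelephoneNumber -eq null)',
]

if __name__ == "__main__":
    for rule in SAMPLES:
        findings = lint_rule(rule)
        print("OK  " if not findings else "WARN", rule)
        for cid, msg in findings:
            print("     - %s: %s" % (cid, msg))
```

A clean lint result does not prove the rule selects the intended accounts; compare the group's resulting membership against what you expect after saving.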
Thank you! This resolved my issue. I was trying to do something similar… only grabbing accounts where the JobTitle was not blank. I had been using (user.jobTitle -ne ""). It was accepted but ignored. (user.jobTitle -ne $null) did the trick!
Awesome, glad it helped :)
Awesome, glad to hear it :)
Thank you very much! This is exactly what I needed. I don’t understand why there is no “notempty” operator or why they didn’t document this.
For me, it didn’t work with -not $null but it worked with -ne $null
Thanks, this solved my issue. And agreed, there should be a ‘nonempty’ operator. ;-)
Hey people, I just tried the above example and it didn’t like it. Perhaps MS has changed the rules.
This is the example MS provided to base a query on NOT NULL.
-not (user.extensionAttribute1 -eq null)
My Example was to get “All Contractors” that “Have a TelephoneNumber”:
(user.extensionAttribute4 -eq "Contractor") -and -not (user.TelephoneNumber -eq null)
Worked a treat :)
Thanks for sharing this content :)
5 years later and they still have not addressed this bug.
Looks like Microsoft did update the documentation around -not and null
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership?WT.mc_id=M365-MVP-5002381#use-of-null-values
They don’t consider it a bug per:
https://github.com/MicrosoftDocs/azure-docs/issues/6123