Rule description
This rule queries the selected Microsoft 365 device scope and for each returned device, adds it to the selected Azure AD Administrative Unit, either directly or dynamically via text file mapping.
When to use this rule
Use this rule to add Microsoft 365 devices to Azure AD Admin Units. You can add devices to Azure AD Admin Units that are specified directly in the rule or to Azure AD Admin Units dynamically based on the attribute mapping in the CSV file.
Query Section
Setting name | Description |
---|---|
Limit scope to this Azure AD Administrative Unit |
This setting defines the search query scope. To improve query performance, limit the scope to a specific Azure Admin Unit. Important: To test rule configuration, limit the rule scope to an Azure Admin Unit that contains test accounts or objects.
|
Query criteria
|
Query criteria are sent with the query and may improve query performance. Tip: For different samples on the criteria builder, see KB20180410-1.
|
Post-query filter
|
To hide unwanted data based on criteria, not supported by the Microsoft 365 query criteria above, set the filtering conditions here. Tip: For optimal performance, use the Query criteria above to filter objects whenever possible.
|
Properties to display |
Each object property defined in this setting matches the column that will be displayed in the Cayosoft Web portal for this web query. To display additional columns, add the required properties to the Properties to display list. Tip: To add extension attribute 1 that is synchronized from AD you need to use a value like "OnPremisesExtensionAttributes/extensionAttribute1~Extension Attribute 1".
|
Device State |
|
Account state |
Specify account state:
|
Account sync status |
Specify account sync status:
|
Device management |
Specify which devices should be included in the rule scope:
|
Device compliance | Specify which devices should be included in the rule scope: |
Last sign-in (days ago) | Set a minimum number of days past since last sign-in. |
Device Properties |
|
DisplayName starts with | Specify DisplayName for the search. |
Operating system | Specify the Operating system. |
Operating system version | Specify the operating system version. |
Extension Attributes |
|
Extension attribute1 - Extension attrbute15 |
If you use Microsoft 365 extension attributes to store additional information for device accounts, you could select these attributes and map them to Other Attributes. |
Map to text file |
|
Select data source |
Specifies the text file to be imported. The […] button allows the user to browse for the file and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor. CSV file should contain values for one of these device attributes:
|
Separator used in file |
Specify the separator that is used in the CSV file. |
Data source anchor attribute |
Select a column in the data source that contains the attribute value for identifying and mapping a device. |
System anchor attribute |
Specify device anchor attribute. |
Other Query Settings |
|
System properties |
List of properties required for this rule to be executed correctly. |
Sort by |
Sort result objects list. |
Limit result set |
The maximum number of devices returned from Microsoft 365 by default is 2000. Tip: It is possible to change the default value in Microsoft 365 extension settings.
|
MS Graph query condition (OData) |
By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting. See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings – Cayosoft Help Center. |
MS Graph advanced queries |
Enables consistency level eventually which uses an index that might not be up-to-date with recent changes to the object. |
Initialization script |
|
Script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. Important: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.
Example: Update AD users, created in the last ten days.
{$global:DatePeriod = (Get-Date).AddDays(-10)}
|
Action
Setting name | Description |
---|---|
Target AU selection mode |
|
Action |
|
Azure AD Administrative Unit |
Select the 'Azure AD Administrative Unit' if using the 'Select a single Azure AD Administrative Unit' mode above. Alternatively, select the CSV file column containing the Azure AD administrative Unit name if using a dynamic mapping file. |
Dynamic mapping from file settings |
|
Data source |
Specify the text file for import. Press the […] button to browse for the file, or the Create button to create or edit the file in the Cayosoft Administrator data source editor. DeviceAnchor can be one of these device's attributes:
|
Separator used in file |
Specify the separator that is used in the CSV file. |
Azure AD anchor attribute |
Specify cloud device attribute. For each object returned by the query, the selected attribute value will be used to map the object with the selected data source anchor. |
CSV anchor match column |
Select the CSV file column that contains the values that will be matched to the Azure AD anchor attribute values. |
Azure AD Administratie Unit column |
Select the CSV file column containing the Azure AD Administrative Unit name if using a dynamic mapping file. |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
10.3.0 | The rule has been added to the product. |
Comments
0 comments
Please sign in to leave a comment.