Skip to main content

Articles in this section

See more
Print

Hybrid Users rule

  • Updated

Overview

This is a generic rule to query hybrid user accounts that satisfy the specified criteria. You can limit the user scope to a specific Entra ID administrative unit and OU, and set the query criteria to return only the required users.

Rule settings

Query settings

Setting name Description
Limit AD scope to this domain or OU

This setting defines the search query scope. To improve query performance, limit the scope to a specific OU.

IMPORTANT: To test rule configuration, limit the rule scope to an OU that contains test accounts or objects.
AD query criteria

Use the setting to filter out objects by the property values. Query criteria are sent with the query to the target system; the target system filters data before it returns the resulting set.

The default value for this setting is specified in the Web query default filter field in Active Directory extension settings, set to include all objects by default.

TIP: See How to use Query Builder dialog for Query Criteria and Filter rule settings for use cases.
AD post-query filter Set additional conditions to filter returned data, if some criteria are not supported by the AD query criteria setting.
AD properties to display

Specify the AD properties to display for each returned object.
Exclude users with empty UPN Filter out users with no assigned userPrincipalName value.
Limit scope to this Entra ID administrative unit

This setting defines the search query scope.

To improve query performance, limit the scope to a specific Entra ID admin unit.

IMPORTANT: To test rule configuration, limit the rule scope to an Entra ID admin unit that contains test accounts or objects.
MS365 query criteria Filter out the initial Microsoft 365 query.
MS365 post-query filter Set additional filtering conditions to hide returned Microsoft 365 data, if some criteria are not supported by the MS365 query criteria setting.
MS365 properties to display

Specify the MS365 properties to display for each returned object.
Show hybrid users only Define the output to include all users or be limited to hybrid users only.
Show synced users only Filter out unsynced or synced users.
AD user account state and properties

Define the target AD account state:

  • Enabled

  • Disabled
AD account state
AD user expired account status

Define the expiration status in the target AD accounts:

  • Any

  • Yes (expired)

  • No (active)
MS365 user account type and properties

Define the target MS365 user type:

  • Any

  • Member

  • Guest
MS365 user type
MS365 administrator role Define the target role of the MS365 user.
Security configuration

Specify the modern MFA status for the queried users:

  • Any

  • Configured

  • Not configured
Modern MFA status
Date-time properties Filter users by the number of hours since the last AD logon.
Last AD logon (hours ago)
Last MS365 sign-in (hours ago)

Filter users by the number of hours since the last MS365 sign-in. To disable the check, specify 0.

NOTE: Using this parameter requires an Entra ID Premium P1/P2 license in the tenant.
Last MS365 service access (days ago) Filter users by the last Microsoft 365 service access instance. The activity dates are exported from the Active users report in Microsoft 365. Learn more about the report in Assess the Microsoft 365 Active Users report | Microsoft Learn.
Minimum AD account age (hours) Filter users by the minimum AD account age.
Maximum AD account age (hours) Filter users by the maximum AD account age.
Minimum MS365 account age (hours) Filter users by the minimum M365 account age.
Maximum MS365 account age (hours) Filter users by the maximum M365 account age.
Last AD password change (hours ago) Filter users by the number of hours since the last AD password change.
Last sync time (hours ago) Filter users by the number of hours since the last sync.
Mailbox and licensing filters

Filter users by the mailbox type:

  • Any mailbox

  • No mailbox

  • User

  • Shared

  • Room

  • Equipment
Mailbox type
Minimum license assignment age (days) Filter users by the minimum number of days since the license assignment to avoid counting new users as inactive.
Licensed users status

Filter users by the MS365 license status:

  • All users

  • Licensed users only

  • Unlicensed users only
Filter by licenses

Filter users by assigned licenses and apps/services. License filter conditions are split into two groups, filter by licenses and filter by apps/services. Licenses can be filtered by ALL, ANY, and NOT:

  • ALL—the user must have all listed licenses assigned.

  • ANY—the user must have at least one of the listed license assigned.

  • NOT—the user must not have any of the listed licenses assigned.

Apps/services can be filtered by ENABLED (all specified) and DISABLED (all specified):

  • ENABLED (all specified)—the user must have all listed apps/services.

  • DISABLED (all specified)—the user must not have all listed apps/services.

You can also filter by inheritance of assigned applications and services:

  • Filter by direct or inherited (GBL) assignments.

  • Filter by direct assignments only.

  • Filter by inherited assignments (GBL).
Other query settings Sort the resulting list of objects by AD properties.
Sort by AD properties
Sort by MS365 properties Sort the resulting list of objects by Microsoft 365 properties.
Limit result set

Define the maximum number of users returned from Microsoft 365.

TIP: It is possible to change the default value in Microsoft 365 extension settings.
AD LDAP query condition

Set the filtering conditions to only return objects or data that need to be processed by the rule.

This filter overrides the Query criteria setting.
MS Graph query condition (OData)

By default, the query criteria values are used. If the MS Graph query condition is specified, it overrides the Query criteria setting.

See the following article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings.
MS Graph advanced queries

Set the ConsistencyLevel header to eventual. When enabled, the query uses an index might not reflect the most recent changes to the object. Available values:

  • Default

  • Enabled

  • Disabled for custom queries
Initialization script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

  1. Add this initialization script

    Copy 
    {$global:DatePeriod = (Get-Date).AddDays(-10)}

  2. Use the $DatePeriod variable in the query criteria builder:

Change history

Version Notes
12.2.0 The rule has been introduced to the product.

© Copyright 2013-2025 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Article is closed for comments.