Skip to main content

Articles in this section

See more
Print

Hybrid Users rule

  • Updated

Hybrid Users rule

Overview

This is a generic rule to query hybrid user accounts that satisfy the specified criteria. You can limit the user scope to a specific Entra ID administrative unit and OU, and set the query criteria to return only the required users.

Rule settings

Query settings

Setting name Description
Limit AD scope to this domain or OU

This setting defines the search query scope. To improve query performance, limit the scope to a specific OU.

IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature.
AD query criteria

Use the setting to filter out objects by the property values. Query criteria are sent with the query to the target system; the target system filters data before it returns the resulting set.
AD post-query filter Set additional conditions to filter returned data, if some criteria are not supported by the AD query criteria setting.
AD properties to display

Specify the AD properties to display for each returned object.
Exclude users with empty UPN Filter out users with no assigned userPrincipalName value.
Limit scope to this Entra ID administrative unit

This setting defines the search query scope.

To improve query performance, limit the scope to a specific Entra ID admin unit.

IMPORTANT: To test rule configuration, limit the rule scope to an Entra ID admin unit that contains test accounts or objects.
MS365 query criteria Filter out the initial Microsoft 365 query.
MS365 post-query filter Set additional filtering conditions to hide returned Microsoft 365 data, if some criteria are not supported by the MS365 query criteria setting.
MS365 properties to display

Specify the MS365 properties to display for each returned object.
Show hybrid users only Define the output to include all users or be limited to hybrid users only.
Show synced users only Filter out unsynced or synced users.
AD user account state and properties
AD account state

Define the target AD account state:

  • Enabled

  • Disabled
AD user expired account status

Define the expiration status in the target AD accounts:

  • Any

  • Yes (expired)

  • No (active)
MS365 user account type and properties
MS365 user type

Define the target MS365 user type:

  • Any

  • Member

  • Guest
MS365 administrator role Define the target role of the MS365 user.
Security configuration
Modern MFA status

Specify the modern MFA status for the queried users:

  • Any

  • Configured

  • Not configured
Date-time properties
Last AD logon (hours ago) Filter users by the number of hours since the last AD logon.
MS365 sign-in activity filter

Display users based on their sign-in activity:

  • Select All sign-ins to display users with any sign-in activity.

  • Select Interactive sign-ins only to display users with only interactive sign-ins.

  • Select Non-interactive sign-ins to display users with only non-interactive sign-ins.
Hide users that never signed in Filter users by the sign-in activity in their accounts. Select Yes to hide users without any sign-in activity in Microsoft 365.
Last MS365 sign-in (hours ago)

Set a minimum number of hours since the last user sign-in to Microsoft 365. Cayosoft Administrator queries the SignInActivity user property to get the last sign-in timestamp. Refer to the following Microsoft article for additional information: signInActivity resource type | Microsoft Learn.

NOTE: Using this parameter requires an Azure AD Premium P1/P2 license in the tenant.
Last MS365 service access (days ago)

Set a number of days since the last Microsoft 365 service access. Cayosoft Administrator references data collected in Microsoft 365 reports. Refer to the following Microsoft article for additional information: Microsoft 365 Reports in the admin center | Microsoft Learn.
Minimum AD account age (hours) Filter users by the minimum AD account age.
Maximum AD account age (hours) Filter users by the maximum AD account age.
Minimum MS365 account age (hours) Filter users by the minimum MS365 account age.
Maximum MS365 account age (hours) Filter users by the maximum MS365 account age.
Last AD password change (hours ago) Filter users by the number of hours since the last AD password change.
Last sync time (hours ago) Filter users by the number of hours since the last sync.
Mailbox and licensing filters
Mailbox type

Filter users by the mailbox type:

  • Any mailbox

  • No mailbox

  • User

  • Shared

  • Room

  • Equipment
Minimum license assignment age (days)

Set a minimum number of days past since the license assignment to avoid counting new users as inactive. Use 0 to ignore the license assignment date. Cayosoft Administrator queries the AssignedPlan user property to calculate the assignment age. Refer to the following Microsoft article for additional information: assignedPlan resource type | Microsoft Learn.
Licensed users status

Filter users by the MS365 license status:

  • All users

  • Licensed users only

  • Unlicensed users only
Filter by licenses

You can filter users by assigned licenses and apps/services:

License filter conditions are split into two groups: filter by licenses and filter by apps/services.

Licenses can be filtered by ALL, ANY, and NOT:

  • ALL - user must have all listed licenses assigned

  • ANY - user must have at least one listed license assigned

  • NOT - user must not have any listed licenses assigned.

Apps/services filter conditions:

  • ENABLED (all specified) and DISABLED (all specified):

  • ENABLED (all specified) - user must have all listed apps/services

  • DISABLED (all specified) - user must not have all listed apps/services.

Also, you can add filtering by inheritance of assigned applications and services:

  • Filter by direct or inherited (GBL) assignments

  • Filter by direct assignments only

  • Filter by inherited assignments (GBL).
Other query settings
Sort by AD properties Sort the resulting list of objects by AD properties.
Sort by MS365 properties Sort the resulting list of objects by Microsoft 365 properties.
Limit result set

Define the maximum number of users returned from Microsoft 365.

TIP: It is possible to change the default value in Microsoft 365 extension settings.
AD LDAP query condition

Set the filtering conditions to only return objects or data that need to be processed by the rule.

This filter overrides the Query criteria setting.
MS Graph query condition (OData)

By default, the query criteria values are used. If the MS Graph query condition is specified, it overrides the Query criteria setting.

See the following article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings.

MS Graph advanced queries

Set the ConsistencyLevel header to eventual. When enabled, the query uses an index might not reflect the most recent changes to the object. Available values:

  • Default

  • Enabled

  • Disabled for custom queries
Initialization script
Initialization script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

  1. Add this initialization script

    Copy
    {$global:DatePeriod = (Get-Date).AddDays(-10)}

  2. Use the $DatePeriod variable in the query criteria builder:

Change history

Version Notes
12.5.0 The Hide users that never signed in and MS365 sign-in activity filter settings have been added.
12.2.0 The rule has been introduced to the product.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Article is closed for comments.