Skip to main content

Articles in this section

See more
Print

Restricted Groups rule

  • Updated

Restricted Groups rule

Overview

Using the Restricted Groups rule in Cayosoft Administrator, you can manage Active Directory and cloud-based groups (e.g., Entra ID security groups, Teams membership). Define if approval is required for membership changes, and enforce expiration for any new member added. Review the use cases and setup process in the following article: Configuration of Restricted Groups rule.

Rule settings

Groups and Members

Setting name Description
Group scope

The Group scope is a set of groups calculated by the rules defined in the settings below whenever Restricted Group runs. When you click Add Scope Rule, you can add more than one group scope rule.

Depending on the selected type of Restricted Group, the group scope can have Active Directory or Microsoft 365 groups and Teams.

Note: MS 365 groups synced from Active Directory are excluded from the Restricted Group scope.
Name Specify the name of the Group scope.
Membership type

Specify the membership type rule:

  1. Include query
  2. Exclude query
  3. Include objects
  4. Exclude objects
Member queries

Active Directory restricted group:

  1. AD Groups Membership Rule Command

Microsoft 365 restricted group:

  1. Microsoft 365 Groups Membership Rule Command Description.
  2. Microsoft 365 Distribution Groups (with Exchange Properties) Rule Command.
Allowed members criteria

Create and manage a set of membership rules to define the allowed members.

When you click Add Membership Rule, you can define a list of allowed members for the groups in the Groups scope. This list is calculated when the rule runs.

  1. If Allowed members criteria are specified for the published group, the users not on the list cannot join. This will trigger an error in the Web Portal.
  2. If using the , non-eligible objects will trigger an error.
  3. The objects not matching the criteria and added using third-party applications will appear in the not-eligible list in the output report of the Restricted Group. Alternatively, they will be removed from the group upon the Restricted Group rule run if Membership Restrictions are set to Report and Remove.
Name Specify the name of the membership rule.
Membership type

Specify the membership type rule:

  1. Include query
  2. Exclude query
  3. Include objects
  4. Exclude objects
Member queries You can add the The list of membership rule commands for Active Directory and Microsoft 365 Dynamic Groups to define the scope of allowed members.

Settings

Setting name Description

Membership Restrictions

Action for users not matching the Allowed members criteria

Specify the actions for cases when current group members do not match the criteria:

  1. Report only—the rule is configured, and only members that satisfy this rule can be added to the groups in the Restricted Group scope. When the Restricted Group rule runs, it checks group membership and adds the current status to the report.
  2. Report and remove—the rule is configured, and only members that satisfy this rule can be added to the groups in the Restricted Group scope. When the Restricted Group rule runs, it checks group membership, removes members not matching the criteria and adds the status to the report.
  3. Ignore—the rule is not configured. You can set membership Start/End time for any member added.
Maximum number of members

Specify the maximum number of group members.

If the number of members exceeds the specified number, you will see a validation message with a counter in the Restricted Group output report.

Approval

Publish group for self-service join requests Specify if the groups in the restricted group scope should be published for self-service join requests.
Require approval to become a group member Specify if approval is required to become a member of the groups in the restricted group scope.

NOTE: If the approval request initiator and approver are the same Active Directory user, even with indirect ownership, approval is bypassed. The approval is also bypassed if the initiator is the Global Admin.

Approvers with both Active Directory and MS 365 accounts logged in via Active Directory will manage approval tasks for membership changes in Active Directory or MS 365 groups.

Allow group owners to approve requests

Specify if group owners are allowed to approve requests.

  • In AD, group owners are users or groups specified in managedBy (primary owner) or msExchCoManagedByLink (secondary owners). Secondary owners are typically set only for distribution lists or mail-enabled security groups. Cayosoft Administrator allows secondary owners for all AD groups if you set Show secondary owners to 'For all groups' in the Groups web query web action.
  • In Azure, group owners are users or groups specified in Owners.
  • If the group owner is a group, it must have an email address for sending emails and displaying approval tasks.
Allow these accounts to approve requests You can add users or groups that will be able to approve requests for group membership changes.
Approval work item title You can set a custom approval work item title using Expression Builder.
Approval request expires in (days) Specify the number of days until the approval request expires.

Time-limited Membership

Membership expiration

Specify membership expiration:

  1. Do not enforce - start and end time for group membership can be set and cleared on membership web actions in Web Portal.
  2. Enforce on new members joining or added in Web Portal - membership end date/time must be set when adding a new member to the restricted group. If the Expiration period is set, then membership time is limited to the maximum value specified in the Expiration period setting.
  3. Enforce on all members - membership end date/time must be set for all members of the restricted groups. When the Restricted Group runs, it ensures that all current group members have a membership end date/time and creates a new work item for each member if it does not have one, with expiration time Now + Expiration period.
Expiration period (hours)

Specify the expiration period in hours.

If you set No time limit, you can add members to the groups in the Restricted Group scope without setting an expiration date/time.

Notification

Temporal Membership

You can configure the notification to be sent to group members when the Temporal Group Membership work item is:

  1. Created,

  2. Completed,

  3. Canceled.

Thus, group members will know the start\end date of their membership. If a recipient is a group, and it is mail-enabled, all members will get a notification. If the group is not mail-enabled, group members will not receive a notification.

Approval

You can configure the notification to be sent when the Approval Task is:

  1. Created,

  2. Approved,

  3. Rejected,

  4. Expired,

  5. Canceled.

Notification can be sent to the following recipients: Assignee, Initiator, or Target object.

If a recipient is a group, and it is mail-enabled, all members will get a notification. If the group is not mail-enabled, group members will not receive a notification.

Output section

This section defines the output format of this rule.

To get more information about this section, please see the Rule Output section article.

Enforce/Schedule section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Rule Enforce/Schedule section article.

Change History

Version Notes
12.2.0 The labels have been updated to improve clarity.
8.2.0
  1. The Restricted Groups feature has been improved to include a broader Privileged Management solution for MS 365 groups.
  2. Approval notification is added.
8.0.1 The Restricted Groups feature has been improved to include a broader Privileged Management solution for Active Directory groups.
7.4.0 The rule is introduced in the product.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Article is closed for comments.