This setting defines the search query scope. To improve query performance, limit the scope to a specific OU.

IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature.

Query criteria are sent with the query and may improve query performance.

TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings.

Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting.

Example: filter by the found object Distinguished Name.

TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible.

This setting allows to exclude Microsoft 365 disabled users from the rule scope or to include them.

This setting allows to exclude AD-disabled users from the rule scope or to include them.

This setting allows to exclude shared mailboxes from the rule scope or to include them.

This setting allows to include only licensed or unlicensed users or all users.

You can filter users by assigned licenses and apps/services:

License filter conditions are split into two groups: filter by licenses and filter by apps/services.

Licenses can be filtered by ALL, ANY, and NOT:

• ALL - user must have all listed licenses assigned

• ANY - user must have at least one listed license assigned

• NOT - user must not have any listed licenses assigned.

Apps/services filter conditions:

• ENABLED (all specified) and DISABLED (all specified):

• ENABLED (all specified) - user must have all listed apps/services

• DISABLED (all specified) - user must not have all listed apps/services.

Also, you can add filtering by inheritance of assigned applications and services:

• Filter by direct or inherited (GBL) assignments

• Filter by direct assignments only

• Filter by inherited assignments (GBL).

If set to Yes the output report will include the license assignment paths: direct or inherited (GBL-assigned).

If set to Yes the output report will include the names of all apps assigned to the user instead aggregate account.

If set to Yes the output report will include the names and statuses of all apps assigned to the user.

The separator is used when displaying multiple licenses or apps names in a single output column. Possible separators are:

• Newline 

• Semicolon

• Comma 

If set to Yes the output report will only list those assigned licenses that were explicitly included in the filter above. 

Other Query Settings

Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query.

To display additional columns, add the required properties to the Properties to display list.

To add extension attribute 1 that is synchronized from AD, you need to use a value like:

"OnPremisesExtensionAttributes/extensionAttribute1~Extension Attribute 1"

List of properties required for this rule to be executed correctly.

Sort result objects list.

By default, all objects that you have provisioned in Microsoft Office 365 are returned.

TIP: It is possible to change the default value in the extension settings.

By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting.

See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings.

Initialization script