Skip to main content

Articles in this section

Print

Microsoft 365 Groups and Members

  • Updated

Microsoft 365 Groups and Members

Rule description

This is a general-purpose rule that queries Microsoft 365 groups and members based on the specified filters and query criteria. You can:

  • Limit the group scope to a specific Azure AD Administrative Unit.

  • Customize query parameters to return only the required groups and members.

Where to use this rule

Use this rule to retrieve a specific set of Microsoft 365 groups and members. Other rules can use it as a foundation for various automation scenarios.

To explore all available rule templates related to Microsoft 365 groups, search for "Microsoft 365 groups" in the Add Rule wizard.

This rule is particularly useful in the following scenarios:

  • Retrieving a list of Microsoft 365 groups and their members.

  • Filtering Microsoft 365 groups and members using a CSV file.

  • Gaining full control over query parameters to refine results.

This rule provides flexibility for managing Microsoft 365 group queries and serves as a building block for further automation.

Rule settings

Query section

Setting name Description
General Settings

Limit scope to this Azure AD Administrative Unit

This setting defines the search query scope. To improve query performance, limit the scope to a specific Entra ID administrative unit.

IMPORTANT: To test the rule configuration, limit the rule scope to an administrative unit that contains test accounts or objects.

Query criteria

 

Query criteria are sent with the query and may improve query performance.

TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings.

Post-query filter

 

To hide unwanted data based on criteria, not supported by the Microsoft 365 query criteria above, set the filtering conditions here.

TIP: For optimal performance, use the Query criteria above to filter objects whenever possible.

Group type

Specify the Microsoft 365 group type:

  • All Microsoft 365 groups (Unified)

  • Teams

  • Distribution lists

  • Mail-enabled security groups

  • Security groups

  • All Mail-enabled

  • Microsoft 365 groups without Teams

  • Microsoft 365 groups with security enabled

Properties to display

To display additional properties for each object found by the query, add those properties to the list. Loading certain additional properties such as member count will decrease rule performance.

Members settings 

Properties to display (members)

To display additional properties for each object found by the query, add those properties to the list.

Loading certain additional properties such as member count will decrease rule performance.

Members type

Specify members type:

  • Direct members 

  • Transitive members

  • Owners

Member sync status

Specify user sync status:

  • Any

  • Cloud-only

  • Synced 

Member type

Specify user type:

  • Any 

  • Member users

  • Guest users

  • All users

  • Groups

  • Devices

  • Service principals 

Members query criteria

 Query criteria are sent to the target platform with other query parameters to reduce the number of objects returned.

Post-query filter

 (missing or bad snippet)

Group type filters

Membership type

Specify membership type:

  • Dynamic 

  • Directly assigned
Group sync status

Specify group sync status:

  • Synced

  • Cloud-only
Privacy (missing or bad snippet)

Group search filters

  • DisplayName starts with

  • Description starts with

  • Mail starts with

 Specify group properties for search.

Classification equals

Specify group classification. 

NOTE: Classification is searched by classic Entra ID classification values.

Number of members less than or equal to

 Filtering by the number of members requires loading per group properties and will decrease rule performance if used.

Number of owners less than or equal to

 Filtering by the number of owners requires loading per group user properties and will decrease rule performance if used.
Date time filters
Minimum group age (hours)

Specify the minimum age in hours for the Microsoft 365 groups.

Will return groups older than specified hours.

0 returns all groups.

Uses a post filter which will affect the rule performance. 
Maximum group age (hours)

Specify the maximum age in hours for the Microsoft 365 groups.

Will return groups older than specified hours.

Uses a post filter which will affect the rule performance. 
Expiration date (days until) Will return groups set to expire within specified days.
Last renew date (days ago) Will return groups whose last expiration renewal date happened the specified (or more) days ago. Uses a post filter which will affect the rule performance. 
Last sync time (days ago)

Will return groups last synced the specified (or more) days ago.

Cloud-only groups that were never synced are excluded.

Uses a post filter which will affect the rule performance. 
Licensing Filters
Licensed groups

Will return groups that have assigned licenses and are used for Group-based licensing.

Uses a post filter which will affect the rule performance. 
Map to text file
Select data source

Specify the text file to be imported.

The […] (three dots) button allows the user to browse for the file and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor.
Separator used in file

Specify the separator used in the source CSV file.
Data source anchor attribute Select a column in the data source that contains the attribute value for identifying and mapping a group.
System anchor attribute Specify group anchor attribute.
Other Query Settings
System properties List of properties required for this rule to be executed correctly.
Sort by Sort result objects list.
Limit result set

This setting is used to optimize performance by limiting the number of objects returned by the Microsoft Graph API.

Unlike query criteria, any post-filters on the returned objects are applied after they are returned, which means that the final set of returned objects could be less than the number configured here despite these objects existing in the source system. 
MS Graph query condition (OData)

By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting.

See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings.
MS Graph advanced queries Enables consistency level eventually which uses an index that might not be up-to-date with recent changes to the object.
Initialization script
Script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

  1. Add this initialization script

    Copy
    {$global:DatePeriod = (Get-Date).AddDays(-10)}

  2. Use the $DatePeriod variable in the query criteria builder:

Output Section

This section defines the output format of this rule.

To get more information about this section, please see the Rule Output section article.

Enforce/Schedule Section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Rule Enforce/Schedule section article.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.