General Settings

This setting defines the search query scope. To improve query performance, limit the scope to a specific Entra ID administrative unit.

IMPORTANT: To test the rule configuration, limit the rule scope to an administrative unit that contains test accounts or objects.

It is possible to select whether to run the rule for all users or only for those who don't have a license. 

This setting allows to exclude Office 365 disabled users from the rule scope or to include them.

Specify with which profiles users should be included in the query scope:

• Any profile. 

• Profile not set.

• Profile that is selected from the list of configured profiles.

More options

Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query.

To display additional columns, add the required properties to the Properties to display list.

To add extension attribute 1 that is synchronized from AD, you need to use a value like:

"OnPremisesExtensionAttributes/extensionAttribute1~Extension Attribute 1"

List of properties required for this rule to be executed correctly.

To hide unwanted data based on criteria, not supported by the Microsoft 365 query criteria above, set the filtering conditions here.

TIP: For optimal performance, use the Query criteria above to filter objects whenever possible.

Sort result objects list.

By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting.

See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings.

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

1. Add this initialization script

   Copy

   {$global:DatePeriod = (Get-Date).AddDays(-10)}

2. Use the $DatePeriod variable in the query criteria builder:

This setting is used to optimize performance by limiting the number of objects returned by the Microsoft Graph API.

Unlike query criteria, any post-filters on the returned objects are applied after they are returned, which means that the final set of returned objects could be less than the number configured here despite these objects existing in the source system. 

Enables consistency level eventually which uses an index that might not be up-to-date with recent changes to the object.

More Options

Too many errors may indicate rule misconfiguration or problems with connectivity.

Set this value to some integer value, indicating the number of occurred errors, when the rule execution should stop. 

Two options are possible:

• Report only - get the report about profiles that are currently assigned to users in the rule scope.

• Enforce and report - enforce the profile defined in the rule and report about the results.

Select one of the configured license profiles or specify if:

• Reapply currently assigned profile.

• Clear profile and keep existing licenses.

• Clear profile and revoke existing licenses.

Specify what should be done if the license profile should be reapplied but this profile was deleted:

• Skip and report.

• Clear profile and keep existing licenses.

• Clear profile and revoke all licenses.

Specify if the license with the Free selection enforcement option should be assigned to a user: 

• Default - assign licenses marked as Free selection (selected) inside the profile but only for users without existing license assignments. 

• Always ignore - don't assign licenses with Free selection (selected).

• Always assign - assign licenses with Free selection (selected).