This setting defines the search query scope. To improve query performance, limit the scope to a specific Entra ID administrative unit.

IMPORTANT: To test the rule configuration, limit the rule scope to an administrative unit that contains test accounts or objects.

Query criteria are sent with the query and may improve query performance.

TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings.

To hide unwanted data based on criteria, not supported by the Microsoft 365 query criteria above, set the filtering conditions here.

TIP: For optimal performance, use the Query criteria above to filter objects whenever possible.

Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query.

To display additional columns, add the required properties to the Properties to display list.

To add extension attribute 1 that is synchronized from AD, you need to use a value like:

"OnPremisesExtensionAttributes/extensionAttribute1~Extension Attribute 1"

User account properties

Specify account state:

• Any

• Enabled

• Disabled

Specify user type:

• Any 

• Member

• Guest

Specify account sync status:

• Any

• Synced

• Cloud-only

Specify modern MFA status:

• Any

• Configured - a user has at least one authentication method configured.

• Not configured - a user doesn't have any authentication methods configured.

IMPORTANT: Due to the current nature of the Microsoft API that returns this information, users will be processed one by one by this MFA status post-filter. Expect 10 minutes of processing per every 300 returned users if this filter is enabled. Reduce the number of users by using query criteria to reduce the rule execution time.

Specify administrator role:

• Any

• Global Administrator

Or

• Select a specific Administrator role from the picker dialog.

Date time properties

Set a minimum number of days past since a user signs in to Microsoft 365. Use 0 to disable this check.

NOTE: Using this parameter requires an Azure AD Premium P1/P2 license in the tenant.

Extension Attributes 

If you use Microsoft 365 extension attributes to store additional information for user accounts, you could select these attributes and map them to Other Attributes.

Learn more in: How to add custom attributes to New Object and Object Properties wizards in Web Portal.

Mailbox and Licensing filters

Specify mailbox type:

• Do not filter

• Any mailbox

• No mailbox

• User

• Shared

• Room

• Equipment

Specify which users should be included:

• All users

• Licensed users only

• Unlicensed users only

You can filter users by assigned licenses and apps/services:

License filter conditions are split into two groups: filter by licenses and filter by apps/services.

Licenses can be filtered by ALL, ANY, and NOT:

• ALL - user must have all listed licenses assigned

• ANY - user must have at least one listed license assigned

• NOT - user must not have any listed licenses assigned.

Apps/services filter conditions:

• ENABLED (all specified) and DISABLED (all specified):

• ENABLED (all specified) - user must have all listed apps/services

• DISABLED (all specified) - user must not have all listed apps/services.

Also, you can add filtering by inheritance of assigned applications and services:

• Filter by direct or inherited (GBL) assignments

• Filter by direct assignments only

• Filter by inherited assignments (GBL).

Organization Properties

Map to text file

Specify the text file to be imported.

The […] (three dots) button allows the user to browse for the file and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor.

Specify the separator used in the source CSV file.

Select a column in the data source that contains the attribute value for identifying and mapping a computer.

Other Query Settings

List of properties required for this rule to be executed correctly.

Sort result objects list.

This setting is used to optimize performance by limiting the number of objects returned by the Microsoft Graph API.

Unlike query criteria, any post-filters on the returned objects are applied after they are returned, which means that the final set of returned objects could be less than the number configured here despite these objects existing in the source system. 

By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting.

See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings.

Enables consistency level eventually which uses an index that might not be up-to-date with recent changes to the object.

Initialization script

Select one of the following:

• Select groups directly from setting

• Select groups dynamically based on attribute mapping in a CSV file.

Select one of the following:

• Add to Admin Unit (preserve existing membership)

• Move to Admin Unit (remove existing memberships in other Admin Units)

• Remove from Admin Unit (preserve existing memberships)

• Set according to Azure AD AU container configuration in Microsoft 365 extension. If the specified Admin Unit is treated as a container then users will be added to it and removed from other Admin Units. If the specified Admin Unit is not a container then users will be just added to it.

Specify the text file to be imported.

The […] (three dots) button allows the user to browse for the file and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor.

Specify the separator used in the source CSV file.

Specify cloud user attribute. For each object returned by the query, the selected attribute value will be used to map the object with the selected data source anchor.