Microsoft 365 Devices | Add to Azure AD Administrative Units
Rule description
This rule queries the selected Microsoft 365 device scope and, for each returned device, adds it to the selected Azure AD Administrative Unit, either directly or dynamically via text file mapping.
NOTE: The Privileged Role Administrator role is required to add devices to Azure AD Admin Units if the Microsoft 365 connection account doesn't have the Global Admin role.
When to use this rule
Use this rule to add Microsoft 365 devices to Azure AD Admin Units. You can add devices to Azure AD Admin Units that are specified directly in the rule or to Azure AD Admin Units dynamically based on the attribute mapping in the CSV file.
Rule settings
Query section
| Setting name | Description |
|---|---|
| Limit scope to this Azure AD Administrative Unit | This setting defines the search query scope. To improve query performance, limit the scope to a specific Entra ID administrative unit. IMPORTANT: To test the rule configuration, limit the rule scope to an administrative unit that contains test accounts or objects. |
| Query criteria | Use this setting to filter out objects by their property values. Query criteria are sent with the query to the target system; the target system filters data before it returns the resulting set. |
| Post-query filter | To hide unwanted data based on criteria not supported by the Microsoft 365 query criteria above, set the filtering conditions here. TIP: For optimal performance, use the Query criteria above to filter objects whenever possible. |
| Properties to display | Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query. |
| Device State | |
| Account state | Specify account state: |
| Account sync status | Specify account sync status: |
| Device management | Specify which devices should be included in the rule scope: |
| Device compliance | Specify which devices should be included in the rule scope: |
| Last sign-in (days ago) | Set the minimum number of days since the last sign-in. |
| Device Properties | |
| DisplayName starts with | Specify DisplayName for the search. |
| Operating system | Specify the operating system. |
| Operating system version | Specify the operating system version. |
| Extension Attributes | |
| Extension attribute1 - Extension attribute15 | If you use Microsoft 365 extension attributes to store additional information for device accounts, you can select these attributes and map them to Other Attributes. Learn more in: How to map Active Directory users to Office 365 cloud users |
| Map to text file | |
| Select data source | Specify the text file to be imported. The […] (three dots) button allows the user to browse for the file, and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor. |
| Separator used in file | Specify the separator used in the source CSV file. |
| Data source anchor attribute | Select a column in the data source that contains the attribute value for identifying and mapping a computer. |
| System anchor attribute | Specify the device anchor attribute. |
| Other Query Settings | |
| System properties | List of properties required for this rule to be executed correctly. |
| Sort by | Sort the list of result objects. |
| Limit result set | This setting is used to optimize performance by limiting the number of objects returned by the Microsoft Graph API. Unlike query criteria, any post-filters on the returned objects are applied after they are returned, which means that the final set of returned objects could be smaller than the number configured here despite these objects existing in the source system. |
| MS Graph query condition (OData) | By default, Query criteria are used. When the MS Graph query condition is specified, it overrides the Query criteria setting. See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings. |
| MS Graph advanced queries | Enables the eventual consistency level, which uses an index that might not be up to date with recent changes to the object. |
| Initialization script | |
| Script | Usually, rules use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. This is where the initialization script can help: you can initialize a global variable in this setting and then use it in query criteria. IMPORTANT: To use a variable declared in the initialization script in the query scope, it must be global. Example: Update AD users created in the last ten days. |
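
A pre-flight check for the "Map to text file" settings above, as an added PowerShell example that is not part of the product or its documentation: it reads a constructed CSV with the configured separator and reports which devices map to exactly one administrative unit, to none, or to several. The column names `DisplayName` and `AdminUnit`, the function name `Test-DeviceAdminUnitMapping`, and case-insensitive anchor matching are assumptions.

```powershell
# Constructed mapping file; the column names DisplayName and AdminUnit are assumptions.
$separator = ';'   # must match "Separator used in file"
$mapping = @'
DisplayName;AdminUnit
LAB-PC-001;AU-Lab
LAB-PC-002;AU-Lab
FIN-LT-010;AU-Finance
FIN-LT-010;AU-Executive
'@ | ConvertFrom-Csv -Delimiter $separator

# Constructed devices standing in for the objects returned by the Query section.
$devices = @(
    [pscustomobject]@{ DisplayName = 'LAB-PC-001' }
    [pscustomobject]@{ DisplayName = 'lab-pc-002' }
    [pscustomobject]@{ DisplayName = 'FIN-LT-010' }
    [pscustomobject]@{ DisplayName = 'HR-LT-020' }
)

function Test-DeviceAdminUnitMapping {
    param(
        [object[]]$Devices,
        [object[]]$Mapping,
        [string]$SystemAnchor     = 'DisplayName',  # device property used as the anchor
        [string]$DataSourceAnchor = 'DisplayName',  # CSV column holding the anchor value
        [string]$TargetColumn     = 'AdminUnit'     # CSV column naming the unit (assumed)
    )
    # Index the file by trimmed anchor value. @{} keys are case-insensitive,
    # which is an assumption about how anchors are compared.
    $index = @{}
    foreach ($row in $Mapping) {
        $key = ([string]$row.$DataSourceAnchor).Trim()
        if (-not $key) { continue }                 # ignore rows with no anchor value
        $unit = ([string]$row.$TargetColumn).Trim()
        if (-not $index.ContainsKey($key)) { $index[$key] = @() }
        if ($index[$key] -notcontains $unit) { $index[$key] += $unit }
    }
    foreach ($device in $Devices) {
        $key = ([string]$device.$SystemAnchor).Trim()
        $targets = @()
        if ($key -and $index.ContainsKey($key)) { $targets = @($index[$key]) }
        $status = switch ($targets.Count) { 0 { 'Unmapped' } 1 { 'Mapped' } default { 'Ambiguous' } }
        [pscustomobject]@{ Device = $key; Status = $status; AdminUnits = $targets -join ', ' }
    }
}

$report = Test-DeviceAdminUnitMapping -Devices $devices -Mapping $mapping
$report | Format-Table -AutoSize
```

Rows reported as `Ambiguous` or `Unmapped` are the ones to resolve in the mapping file before the rule is enforced, since membership in an administrative unit determines which scoped administrators can manage the device.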
Output section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.