This setting defines the search query scope. To improve query performance, limit the scope to a specific Entra ID administrative unit.

IMPORTANT: To test the rule configuration, limit the rule scope to an administrative unit that contains test accounts or objects.

Specify the user state to include in the query:

• Any

• Enabled

• Disabled

This setting allows for the inclusion of only licensed or unlicensed users or all users.

Specify the user mailbox type to include in the query:

• Any

• User

• Shared

• Room

• Equipment

Specify the user type to include in the query:

• All user types

• Member 

• Guest

You can filter users by assigned licenses and apps/services:

License filter conditions are split into two groups: filter by licenses and filter by apps/services.

Licenses can be filtered by ALL, ANY, and NOT:

• ALL - user must have all listed licenses assigned

• ANY - user must have at least one listed license assigned

• NOT - user must not have any listed licenses assigned.

Apps/services filter conditions:

• ENABLED (all specified) and DISABLED (all specified):

• ENABLED (all specified) - user must have all listed apps/services

• DISABLED (all specified) - user must not have all listed apps/services.

Also, you can add filtering by inheritance of assigned applications and services:

• Filter by direct or inherited (GBL) assignments

• Filter by direct assignments only

• Filter by inherited assignments (GBL).

If set to Yes the output report will include the license assignment paths: direct or inherited (GBL-assigned).

If set to Yes the output report will include the names of all apps assigned to the user instead of the aggregate count.

If Yes, show service plans in separate columns is selected service plans in separate columns will be displayed.

If set to Yes the output report will include the names and statuses of all apps assigned to the user.

The separator is used when displaying multiple licenses or app names in a single output column. Possible separators are:

• Newline 

• Semicolon

• Comma 

If set to Yes the output report will only list those assigned licenses explicitly included in the filter above. 

Other Query Settings

Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query.

To display additional columns, add the required properties to the Properties to display list.

To add extension attribute 1 that is synchronized from AD, you need to use a value like:

"OnPremisesExtensionAttributes/extensionAttribute1~Extension Attribute 1"

Sort result objects list.

To hide unwanted data based on criteria, not supported by the Microsoft 365 query criteria above, set the filtering conditions here.

TIP: For optimal performance, use the Query criteria above to filter objects whenever possible.

This setting is used to optimize performance by limiting the number of objects returned by the Microsoft Graph API.

Unlike query criteria, any post-filters on the returned objects are applied after they are returned, which means that the final set of returned objects could be less than the number configured here despite these objects existing in the source system. 

By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting.

See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings.

Initialization script