Ivelina Kiryakova

Identity Provisioning: How to Get Users Based on Group Assignments from MS Azure AD

Filtering users and groups in MS Azure AD and provisioning them to target systems supported by Identity Provisioning is hardly any news for you. What might be news, however, is that you can combine filters to get users based on their group assignments. Moreover, you don’t need to add conditions in the default read transformation.

What used to be achieved by “condition-based” filtering (until now, to get users based on their group assignments, you had to define a condition for reading a specific group and set aad.user.attributes.membership.active to true) is now achieved by “property-based” filtering alone.

For this, you need to set the aad.user.filter.group.filter.combine property to true. As its name implies, it combines the filters defined in the aad.user.filter and aad.group.filter properties. After running a Read or Resync job, the search result is narrowed down to users that match the user filter and at the same time are members of a group that matches the group filter.

Note: When combining filters, both the user filter and the group filter must be defined. Otherwise, you will not get the expected result. For more information, see: List of Properties -> aad.user.filter.group.filter.combine.

Example Scenario Overview

Let’s start from the basic filtering capabilities that Identity Provisioning service provides. First, we’ll apply group and user filters separately without combining them. Then, we’ll combine both filters by adding aad.user.filter.group.filter.combine=true.

Prerequisites

  • In this example scenario, MS Azure AD is configured as a source system and Identity Authentication is configured as the target system.
  • A provisioning job has already been run. As a result, in Identity Authentication there are 180 users and 67 groups provisioned from MS Azure AD.
  • The following 3 users exist in MS Azure AD and Identity Authentication:
Name             City         Country   Member of Group
---------------  -----------  --------  ----------------------
Sarah Williams   Los Angeles  US        Employee
Stefan Schmidt   Munich       Germany   Employee, Procurement
Michelle Brown   Los Angeles  US        Employee, Procurement

Filtering a Group

First, we’ll filter a group in MS Azure AD and provision it to Identity Authentication when aad.user.filter.group.filter.combine is not defined or is set to false.

1. On the Properties tab of your MS_Azure_AD source system, set aad.group.filter=displayName eq 'Procurement'.

2. On the Jobs tab, run the provisioning job and verify that only one group is read.

After applying the group filter, one group is read, and the remaining 66 groups that previously existed in Identity Authentication are deleted. All 180 users in MS Azure AD are read, and no users are deleted because no user filter is defined yet.

3. In the User Groups section of your Identity Authentication tenant, verify that the Procurement group is created.

The Procurement group contains only two group members: Michelle Brown and Stefan Schmidt.

Filtering Users

Now, we’ll filter users in MS Azure AD and provision them to Identity Authentication when aad.user.filter.group.filter.combine is not defined or is set to false.

1. On the Properties tab of your MS_Azure_AD source system, set aad.user.filter=City eq 'Los Angeles'.

Keep the aad.group.filter property as-is.

2. On the Jobs tab, run the provisioning job and verify that only two users are read.

After applying the user filter, the two users matching it are read, and the remaining 178 users that previously existed in Identity Authentication are deleted.

3. In the User Management section of your Identity Authentication tenant, verify that the two users from Los Angeles, Michelle Brown and Sarah Williams, are read (the third user is the tenant administrator).

4. In the User Groups section of your Identity Authentication tenant, you will notice that Michelle Brown is the only member of the Procurement group. Stefan Schmidt (from Munich) is removed as a group member and deleted as a user because he doesn't match the user filter City eq 'Los Angeles'.

User and Group Filtering Combined

Finally, we’ll combine the user and group filtering.

1. On the Properties tab of your MS_Azure_AD source system, set aad.user.filter.group.filter.combine=true.

Keep the aad.group.filter and aad.user.filter properties as they are.

2. On the Jobs tab, run the provisioning job and verify that only one user is read.

After combining both filters, one group (Procurement) and one user (Michelle Brown) are read.

Michelle Brown is the only user that matches the user filter City eq 'Los Angeles' and at the same time is a member of the group Procurement.

Although Sarah Williams matches the user filter (she is from Los Angeles), she is not a member of the group Procurement (she is a member of the group Employee). Therefore, her user is deleted.

Although Stefan Schmidt is a member of the group Procurement, he doesn’t match the user filter (he is from Munich). Therefore, his user is deleted when the user filter is applied. The group is updated.

3. In the User Management section of your Identity Authentication tenant, verify that Michelle Brown is the only user read from MS Azure AD (the second user is the tenant administrator).
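As an added illustration (not code from this blog or from the Identity Provisioning service), the following Python script models the three Read jobs above on the three users from the prerequisites table. It evaluates a minimal subset of the Graph OData filter syntax (eq, ne and ge clauses joined with or) and applies the user filter, the group filter and the combined mode; it also goes slightly beyond the walkthrough by accepting or-joined group filters and a match-all user filter such as mail ge ' '. The user records, group memberships and mail addresses are constructed, and the evaluator is a simplification, not the service's actual implementation.

```python
import re

# Constructed sample data mirroring the three users and two groups from the
# prerequisites table (mail addresses are made up for the match-all filter).
USERS = [
    {"displayName": "Sarah Williams", "city": "Los Angeles", "country": "US", "mail": "sarah@example.com"},
    {"displayName": "Stefan Schmidt", "city": "Munich", "country": "Germany", "mail": "stefan@example.com"},
    {"displayName": "Michelle Brown", "city": "Los Angeles", "country": "US", "mail": "michelle@example.com"},
]
GROUPS = {
    "Employee": ["Sarah Williams", "Stefan Schmidt", "Michelle Brown"],
    "Procurement": ["Stefan Schmidt", "Michelle Brown"],
}

# One clause of the filter grammar handled here: <attribute> (eq|ne|ge) '<value>'
CLAUSE = re.compile(r"\s*(\w+)\s+(eq|ne|ge)\s+'([^']*)'\s*")

def matches(obj, odata_filter):
    """Evaluate a minimal Graph-style OData filter ('or'-joined eq/ne/ge clauses).
    Attribute names compare case-insensitively, so 'City eq ...' hits 'city'.
    'ne' is evaluated as Graph documents it; a commenter reports IPS rejected it."""
    lowered = {k.lower(): v for k, v in obj.items()}
    for clause in odata_filter.split(" or "):
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported filter clause: {clause!r}")
        attr, op, value = m.groups()
        actual = lowered.get(attr.lower(), "")
        if {"eq": actual == value, "ne": actual != value, "ge": actual >= value}[op]:
            return True
    return False

def read_job(user_filter=None, group_filter=None, combine=False):
    """Model a Read job: return (user names, {group: members}) for the three properties."""
    groups = {g: m for g, m in GROUPS.items()
              if group_filter is None or matches({"displayName": g}, group_filter)}
    users = [u for u in USERS if user_filter is None or matches(u, user_filter)]
    if combine:
        # aad.user.filter.group.filter.combine=true only works with both filters set
        if user_filter is None or group_filter is None:
            raise ValueError("combine=true requires both aad.user.filter and aad.group.filter")
        in_matching_group = {n for members in groups.values() for n in members}
        users = [u for u in users if u["displayName"] in in_matching_group]
    kept = {u["displayName"] for u in users}
    # Memberships are pruned to users that survived, as the blog observes for Stefan Schmidt
    groups = {g: [n for n in m if n in kept] for g, m in groups.items()}
    return [u["displayName"] for u in users], groups
```

Calling read_job with only the group filter, with both filters, and with both filters plus combine=True reproduces the 3-user, 2-user and 1-user outcomes of the three sections above.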

Now, the floor is yours! You can test it out and share your feedback.

      6 Comments
      Istvan Bokor

      Nice and well-detailed documentation, thank you, Ivelina Kiryakova 🙂

      E. Schuiteman

      Very nice blog, I was looking for this a long time, I set it up and it's working.

      One question: is it also possible to filter on multiple groups or to filter for example on "Procurement*"?

      Ivelina Kiryakova
      Blog Post Author

      Thanks E. Schuiteman,

      Filtering on multiple groups is possible by using the eq and or operators.

      For example, if you want to filter three groups, provide the value of the aad.group.filter property as follows: displayName eq 'Procurement' or displayName eq 'Development' or displayName eq 'Operations'

      Benedikt Blömer

      Hi Ivelina Kiryakova

      do I understand it correctly that if setting the aad.group.filter = displayName eq 'Procurement' and aad.user.filter.group.filter.combine = true, I will get all Users belonging to Group 'Procurement'?

      Is it normal that such a job runs for like 30 minutes in IPS?
      Also I am not getting my Group created in my IAS 🙁

      regards,
      Benedikt

      Ivelina Kiryakova
      Blog Post Author

      Hi Benedikt,

      Sorry for my late reply.

      To make the aad.user.filter.group.filter.combine property work, both user and group filters must be configured.

      I guess it's normal for the job to run longer as first, users are calculated based on the user filter, then groups are calculated based on the group filter and the user members matching the user filter.

      Best Regards,

      Ivelina

      Miles O'Connor

      Informative write-up - thanks.

      One thing to note: If you are trying to filter users that are in a specific group only (but have no user filters that are needed) then you have to populate the aad.user.filter property with some value that will allow all users to be queried.

      What I tried and did not work:

      mail ne ' ' <-this would filter for users where mail does not equal blank space (trying to pull in all users).

      Based on MSFT graph API for user, ne should be a supported filter but it does not seem to be currently.

      What I tried that did work:

      mail ge ' ' <-this would filter for users where mail value is greater than equal blank space.

      Based on testing in the MSFT graph explorer, this returned all users successfully.

      This filter was used in the aad.user.filter and allowed me to create all users in the filtered group.