Use filters on Azure Active Directory user import

Dette emne er fortrinsvis for administratorer og/eller folk som bestyrer en Zylinc-løsning

Kun slutbruger-hjælpen er for tiden oversat til dansk. Hjælp til administration af Zylinc-løsninger er for tiden på engelsk.

When you Import users from Azure Active Directory, you can use a synchronization filter to determine that only users from a particular group and subgroups (for example people who belong to the Management group in Active Directory and any subgroups of that group) should be imported and synchronized. Examples:

  • displayName eq 'Management' (only import and synchronize users who belong to a group that has the display name Management (eq means equals))

  • endsWith(mail,'@example.org') (only import and synchronize users whose group e-mail addresses end with the domain example.org)

  • displayName eq 'Sales' or startsWith(displayName, 'Dev') (only import and synchronize users who belong to a group that has the display name Sales (and its subgroups) or a group whose display name starts with Dev (such as Development and its subgroups)

You can use these operators and functions in synchronization filters:

  • eq (equals), ne (doesn't equal)

  • lt (less than), gt (greater than), le (less than or equal to), ge (greater than or equal to)

  • and, or

  • startsWith, endsWith

  • in (read more), not (used to inverse some filters like startsWith() or endsWith()), any (lambda function), all (lambda function)

Zylinc Novus uses an API called Microsoft Graph to import and synchronize user data from Azure Active Directory. Microsoft Graph supports query parameters that you can use to specify and control the amount of data returned in a response. Specifically, Novus uses the $filter query parameter to retrieve just a subset of a collection. In plain English that means that you can narrow down exactly which groups you want to import and synchronize.

Zylinc Novus only filters on group members, not individual users.

When you specify a synchronization filter in Configuration Manager, Zylinc Novus takes your synchronization filter and applies it to a query that uses the $filter parameter. So, when you specify a synchronization filter like startsWith(displayName, 'Dev'), Zylinc Novus turns it into a query like this:

Kopier 
GET https://graph.microsoft.com/v1.0/groups?$filter=startsWith(displayName,'Dev')

It can be useful to know the entire query syntax, because it lets you test your synchronization filters before you use them.

To test your queries before you specify their synchronization filters in the Zylinc Novus Configuration Manager, you can use the free Microsoft tool Graph Explorer.

The tool lets you make requests and view responses from Microsoft Graph. If you create a free developer account and log in, you can test your queries on sample data as well as on your organization's own Azure Active Directory environment.

If you're going to test your queries, remember that (just like the app registration used in Import users from Azure Active Directory) you'll need these permissions to view groups and group members:

  • Group.Read.All

  • GroupMember.Read.All

  • User.Read.All

For more information about using synchronization filters, our developers recommend these links to Microsoft Graph help: