There may be some cases where you would like to filter the Azure AD records for Users and Groups. Some example cases can be listed as follows:
You have a large user database but do not need all of the users.
You don’t want to synchronize inactive users.
You use one AD for multiple departments, companies or countries, and you would like to specify which of them need to be synchronized.
You have a new naming convention for Azure AD groups and you want to sync only the new and nicely organized groups.
There are 4 types of groups and you are interested in only the ones for Office 365.
You would like to import only the users owning a specific Microsoft License.
You may have many more reasons to filter the data from your Azure AD.
Now, you have the chance to add a filter for your Users and Groups under the Admin tab.
The filters need to be formatted according to Microsoft Graph API requirements. You may find some examples below. Please refer to Microsoft Graph API documentation for more details.
Type | Description | Filter |
---|---|---|
User Filter | Import only the active users. | accountEnabled eq true |
User Filter | Import the users based in London city. | city eq 'London' |
User Filter | Import users in a country. | country eq 'Ecuador' |
User Filter | Import users of two countries. | country eq 'Ecuador' or country eq 'India' |
User Filter | Import users of multiple countries. | country in ('Ecuador', 'India', 'Germany') |
User Filter | Import users whose userType is Member. | userType eq 'Member' |
User Filter | Import active users whose userType is Member. | accountEnabled eq true and userType eq 'Member' |
User Filter | Import only the Engineering department. | department eq 'Engineering' |
User Filter | Import users who are in the Engineering department and whose userType is 'Member'. | userType eq 'Member' and department eq 'Engineering' |
User Filter | Import users having the usage location as Japan or Great Britain. | usageLocation in ('JP','GB') |
User Filter | Import only the users having a specific license assigned. Here, skuId is the license identifier. | assignedLicenses/any(s:s/skuId eq c42b9cae-ea4f-4ab7-9717-81576235ccac) |
Group Filter | Import only Microsoft 365 groups (aka unified groups). | groupTypes/any(c:c+eq+'Unified') |
Group Filter | Import the groups having a name starting with “team”. | startswith(displayName, 'team') |
Notes:
When using the in operator, the request is limited to 15 expressions in the filter clause. More information.
Microsoft Graph API does not allow filtering the Licenses themselves. But you can filter the users according to their licenses as shown in the table above.
If you get a warning message for the groups filter, it may be a permission issue. Please review the note regarding the permission scopes on the source configuration page.
Each filter works for the specified data set. For example:
When a filter is applied for Users → Filtered Users are imported.
When a filter is applied for Groups → Filtered Groups are imported.
It is not possible to apply a filter to import the intersection area of Filtered Users and Filtered Groups as shown in the diagram below.
[Diagram: Filtered Users and Filtered Groups, with their intersection area]
Important Note: Microsoft Graph API has some limitations for the filters. For example, not all properties support the filter feature. Since we are using the API with the expand option, advanced filtering is not supported. This means functions like “endsWith” are not supported. In summary, the following examples will not work with the filters due to the limitations of Microsoft Graph API. More information.
Description | Filter |
---|---|
Only the users having the organization's email address. | endsWith(mail,'@organization.com') |
Users having an email address. | NOT(mail eq null) |
Another way to filter users having an email address. | mail ne null |
Import only if the users have a company name that is not Microsoft. | companyName ne null and NOT(companyName eq 'Microsoft') |
Do not import the users starting with Conf. | NOT startsWith(displayName, 'Conf') |
Do not import the users having user type as Guest | not(userType in ('Guest')) |
Import the users in Latium Office location. | officeLocation eq 'Latium Office' |
Only the users who are members of a specific group. | N/A |
Note |
---|
Filtering groups is only available when the “Full Throttle” feature is enabled. For more information, refer to the import configuration page. |
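A pre-flight check for filter strings, built from the limits stated on this page (no `endsWith`, `ne` or `not`, the `officeLocation` row of the "will not work" table, and the 15-expression note for `in`). It is an added example, not code from the app or from Microsoft; `lint_filter` and its rule tables are hypothetical names, and counting each value of an `in` list as one expression is this example's reading of the note.

```python
import re

# Rules taken from this page's notes and its "will not work" table; they are
# assumptions about this importer, not a complete Microsoft Graph grammar.
UNSUPPORTED_WORDS = {
    "endswith": "endsWith() needs advanced filtering",
    "ne": "'ne' operator needs advanced filtering",
    "not": "'not' operator needs advanced filtering",
}
UNFILTERABLE_PROPS = {"officelocation"}
MAX_IN_VALUES = 15  # this example counts each value of an 'in' list as one expression
LITERAL = re.compile(r"'(?:[^']|'')*'")  # OData string; '' escapes a quote


def lint_filter(expr):
    """Return a list of problems found in a $filter string (empty list = none)."""
    problems = []
    bare = LITERAL.sub("''", expr)  # blank out string contents before scanning
    if bare.count("'") % 2 or re.search("[\u2018\u2019\u201c\u201d]", bare):
        problems.append("unterminated string or typographic quote")
    if bare.count("(") != bare.count(")"):
        problems.append("unbalanced parentheses")
    words = [w.lower() for w in re.findall(r"\b[A-Za-z_]\w*", bare)]
    for word in dict.fromkeys(words):  # de-duplicate, keep first-seen order
        if word in UNSUPPORTED_WORDS:
            problems.append(UNSUPPORTED_WORDS[word])
        if word in UNFILTERABLE_PROPS:
            problems.append(f"property '{word}' is listed as not filterable")
    for values in re.findall(r"\bin\s*\(([^()]*)\)", bare, flags=re.I):
        count = len(values.split(","))
        if count > MAX_IN_VALUES:
            problems.append(f"'in' list has {count} values, limit is {MAX_IN_VALUES}")
    return problems


if __name__ == "__main__":
    # Constructed samples: filters from the tables above plus malformed inputs.
    samples = [
        "accountEnabled eq true and userType eq 'Member'",
        "department eq 'Not Engineering'",   # 'Not' inside a literal is fine
        "endsWith(mail,'@organization.com')",
        "userType eq 'Member\u201d",           # closing quote is typographic
        "country in (" + ", ".join(f"'C{i}'" for i in range(16)) + ")",
    ]
    for s in samples:
        print(s, "->", lint_filter(s) or "ok")
```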