DirWiz Logo

Article Tags

o365 Discovery - Query on Group Membership

2020-09-18 17:05:40
Features Office 365 UnitySync 

This o365 Membership query solution requires UnitySync v3.0.20 or greater.

As usual, source o365 Query Filters are entered on the Source tab of your connection.

Below are examples for filtering o365 Users based on Group membership.

a) To limit discovery of o365 users who are members of ONE group, use the below syntax. i.e Group name is: GroupADistList20191209160207).

(memberof=CN=GroupADistList20191209160207,OU=AlphaCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07A004,DC=prod,DC=outlook,DC=com)

Similarly, you can filter on more than one Group membership.

b) To limit discovery to users if they belong to EITHER or BOTH of TWO groups. (Notice the leading | char, which means OR).

(|(memberof=CN=GroupADistList20191209160207,OU=AcmeCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07ABB004,DC=prod,DC=outlook,DC=com)(memberof=CN=SecurityGroup20191209162151,OU=ACmeCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07ABB004,DC=prod,DC=outlook,DC=com))

c) You can also limit discovery requiring a User belong to BOTH specified Groups. (Notice the leading & char, which means AND).

(&(memberof=CN=GroupADistList20191209160207,OU=AlphaCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07A004,DC=prod,DC=outlook,DC=com)(memberof=CN=SecurityGroup20191209162151,OU=AlphaCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07A004,DC=prod,DC=outlook,DC=com))

d) One more simple example. You can limit discovery to all users WHO DO NOT BELONG to a specific group. (Notice the leading ! which negates the syntax value. This would return the OPPOSITE of example (a) above.

(!(memberof=CN=NonSyncableGroup,OU=AlphaCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07A004,DC=prod,DC=outlook,DC=com))

What if I don’t know the syntax for my Memberof values?

To filter on a group’s membership, you need the complete DN of the o365 Group.

a) Configure the source tab to discover ALL o365 Users. (or a small User filter to pull a few test users).

b) Run the o365 Discovery.

c) Review the ldif.txt file for an instance of the group name you are looking for.

Share this article: Twitter reddit