O365 Discovery - Query on Group Membership

Created: 2020-09-18 16:59:09
Modified: 2023-10-04 10:24:49
Tags: Features Office 365 UnitySync

This O365 Membership query solution requires UnitySync v4.5 or greater.

As usual, source O365 Query Filters are entered on the Source tab of your connection.

Below are examples for filtering O365 Users based on Group membership.

a) To limit discovery to O365 users who are members of ONE group, use the syntax below (in this example the Group name is GroupADistList20191209160207).

NOTE: These filters go in the Optional USER filter.

(memberof=CN=GroupADistList20191209160207,OU=AlphaCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07A004,DC=prod,DC=outlook,DC=com)

Similarly, you can filter on more than one Group membership.

b) To limit discovery to users who belong to EITHER or BOTH of TWO groups, use the syntax below. (Notice the leading | char, which means OR.)

(|(memberof=CN=GroupADistList20191209160207,OU=AcmeCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07ABB004,DC=prod,DC=outlook,DC=com)(memberof=CN=SecurityGroup20191209162151,OU=ACmeCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07ABB004,DC=prod,DC=outlook,DC=com))

c) You can also limit discovery by requiring that a User belong to BOTH specified Groups. (Notice the leading & char, which means AND.)

(&(memberof=CN=GroupADistList20191209160207,OU=AlphaCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07A004,DC=prod,DC=outlook,DC=com)(memberof=CN=SecurityGroup20191209162151,OU=AlphaCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07A004,DC=prod,DC=outlook,DC=com))

d) One more simple example. You can limit discovery to all users WHO DO NOT BELONG to a specific group. (Notice the leading !, which negates the syntax value. This would return the OPPOSITE of example (a) above.)

(!(memberof=CN=NonSyncableGroup,OU=AlphaCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR07A004,DC=prod,DC=outlook,DC=com))

What if I don’t know the syntax for my Memberof values?

To filter on a group’s membership, you need the complete DN of the O365 Group.

a) Configure the Source tab to discover ALL O365 Users (or use a small User filter to pull a few test users).

b) Run the O365 Discovery.

c) Review the ldif.txt file for an instance of the group name you are looking for.
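
Step (c) above, as an added Python example that is not part of the original article or UnitySync's own code: it scans LDIF text for group DNs by CN prefix and builds the filter forms from examples (a) to (d). It assumes ldif.txt follows standard LDIF (folded lines, base64 `::` values); the function names and the sample data are constructed for illustration.

```python
import base64

# Constructed sample in standard LDIF layout (an assumption about ldif.txt).
SUFFIX = ("OU=AlphaCo.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,"
          "DC=NAMPR07A004,DC=prod,DC=outlook,DC=com")
SEC_DN = "CN=SecurityGroup20191209162151," + SUFFIX
SAMPLE_LDIF = (
    "dn: CN=GroupADistList20191209160207,OU=AlphaCo.onmicrosoft.com,OU=Micro\n"
    " soft Exchange Hosted Organizations,DC=NAMPR07A004,DC=prod,DC=outlook,DC=com\n"
    "objectClass: group\n\n"
    "dn: CN=Test User," + SUFFIX + "\n"
    "memberof:: " + base64.b64encode(SEC_DN.encode()).decode() + "\n"
)

def unfold(text):
    """Join LDIF continuation lines: a newline followed by one space is a fold."""
    return text.replace("\r\n", "\n").replace("\n ", "").split("\n")

def find_group_dns(ldif_text, name):
    """Return unique dn/memberof values whose first RDN starts with CN=<name>."""
    found = []
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        if not sep or attr.lower() not in ("dn", "memberof"):
            continue
        if value.startswith(":"):  # "attr:: value" marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if value.lower().startswith("cn=" + name.lower()) and value not in found:
            found.append(value)
    return found

def memberof_filter(dns, op=None):
    """op None = one group (a), '|' = any (b), '&' = all (c), '!' = not a member (d)."""
    for dn in dns:
        # The page does not say how ( ) * \ inside a DN are escaped, so stop here.
        if set("()*\\") & set(dn):
            raise ValueError("DN contains filter metacharacters: " + dn)
    terms = ["(memberof=" + dn + ")" for dn in dns]
    if op in ("|", "&") and len(terms) >= 2:
        return "(" + op + "".join(terms) + ")"
    if op == "!" and len(terms) == 1:
        return "(!" + terms[0] + ")"
    if op is None and len(terms) == 1:
        return terms[0]
    raise ValueError("operator does not fit the number of groups")
```

If the search returns more than one DN for a name, check each against the intended group before pasting the filter into the Optional USER filter, since a wrong DN changes which users are discovered.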

Final Notes:

The above Memberof filter may be used in combination with the list-opath-filter option.

The above Memberof filter solution cannot be used if you’ve disabled automatic Group discovery and do not have Groups checked on the Source tab.
