Null Dynamic Membership Rules in Azure Active Directory

Azure Active Directory has the ability to create Security Groups with Dynamic membership. This is great if you can apply logic to a group, as members will fall in and out of scope without any work required.

Microsoft have a great writeup on how it all works and how to create rules, however I’ve run into a scenario not covered in the documentation.

If you create a Dynamic membership rule and want to include only accounts whose attribute has no value, the term ‘null’ works fine: you can create your group or modify the rule without issue.
However, if the binary operator (the ‘equals’ part of the rule) is set to ‘not’, it won’t work.
The use case I had for ‘not null’ was a group containing only users who have an employee number, which was an easy way of filtering out test accounts, service accounts and so on.

You’ll get this error:

Failed to create group

Failed to create group ‘groupname’. Dynamic membership rule validation error: Invalid operands found for operator.Invalid operands found for operator -not

The way to fix this is to go into the ‘Advanced Rule’ option and change the term ‘null’ to ‘$null’.

Note that you can’t do this from the simple rule view; changing ‘null’ to ‘$null’ there results in the rule looking like this:

(user.extensionAttribute1 -eq "$null")

Where it should look like this, without the quotes:

(user.extensionAttribute1 -eq $null)

A simple fix, but something that’s not documented on the support page. Hope this helps anyone who runs into the same problem.
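If you build the group from PowerShell rather than the portal, the same quoting problem shows up in a different guise. The following is an added example, not code from the original post: it creates the ‘not null’ group with the AzureAD module’s New-AzureADMSGroup cmdlet. It assumes the AzureAD module is installed and Connect-AzureAD has already been run, and it assumes the employee number lives in the user.employeeId property (the post does not say which attribute was used). Everything else in it is standard PowerShell.

```powershell
# Added example (not from the original post): create the "not null" dynamic group
# from PowerShell, using the $null form that the Advanced Rule editor needs.
# Assumptions: AzureAD module installed and Connect-AzureAD already run;
# employee numbers are held in user.employeeId (assumed mapping).

# Single quotes matter here. In a double-quoted string PowerShell expands $null
# to nothing and the service would receive "(user.employeeId -ne )", which fails
# validation just like the portal's quoted "$null" never matches anything.
$rule = '(user.employeeId -ne $null)'

# Sanity check before calling the service: the literal $null token must survive.
if ($rule -notmatch '\$null') {
    throw "Rule lost its `$null token - check the quoting: $rule"
}

$group = New-AzureADMSGroup -DisplayName 'Staff with employee numbers' `
    -Description 'Users with a populated employeeId (filters out test and service accounts)' `
    -MailEnabled $false -MailNickname 'staff-with-employeeid' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Read back what the service stored. If the simple rule editor was used instead,
# MembershipRule would show the quoted "$null" string, which is the broken form.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

The read-back at the end is the check worth keeping: membership evaluation is asynchronous, so the stored rule text is the quickest way to confirm the `$null` token arrived intact before waiting for members to appear.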

Update Microsoft’s Documentation Yourself

This might be a strange concept to many people out there. Microsoft is letting you help correct, update and add to their online documentation at Docs.Microsoft.Com.

I’m typing this from Microsoft’s Headquarters as part of the MVP Summit, and the session is one of the few not under NDA which is a good reason to blog it :) Here’s my summary of the presentation:

Docs.Microsoft.Com is the new platform for Microsoft’s technical documentation across their entire product line for IT Professionals and Developers.

Why contribute?

To share your knowledge, help others and for Microsoft MVPs it adds to your contributions to keep the badge next year. This isn’t to do Microsoft’s documentation for them.

Where to start?

Start small – clarifications, examples (e.g. SDK/PowerShell), guidance tips and translations. If you see something wrong, fix it.

How to do it

You’ll need a GitHub account (don’t worry, you won’t need a client – this is all browser based).

Once you’re signed up, you find the article you want to change and choose the ‘Edit’ link on the top right below ‘Feedback’:

Then, you’ll need to click the pen icon (highlighted in yellow) to edit the actual text:

Now you’re able to change the raw text. The documents themselves are in Markdown, which means you’ll need to use markup characters to format your text. For example, **test** will come out as bold text. There’s a great cheatsheet with lots of examples, but for starters follow what you can already see in the documentation rather than trying to create new styles.

You can use the ‘Preview’ tab to see the document with your new changes too. Once you’re happy, at the bottom of the page give a brief description of the change, and click ‘Propose File Change’.

After that, you’ll see the final page which shows your change, and the button to ‘Create Pull Request’.

You’re done! (For the most part.) Your change gets sent off to the document owner for review. You’ll get some emails back advising of the progress and any questions or clarifications, and in the end the change is approved and your request closed.

It’s a very simple process while making sure the documentation is still Microsoft controlled. Get updating today!

Become an Office Insider

Similar to the Windows Insiders program, you can also be an Office Insider.

The programs have the same ideas – give users access to new features before everyone else, and let those users provide feedback to help report issues or shape decisions that will go out to the rest of the world.

This program is for the Click To Run version of Office, not MSI.

If you’re not already a Windows Insider, Microsoft has easy to follow instructions. It’s also not a requirement to be a Windows Insider to be an Office Insider.

For Office Insiders, it depends what version of Office you’re licensed for. Home, Personal and University licenses can just go to File > Account > Office Insider from any Office app, and follow the prompts.

However if you’re using a School or Work account, you won’t see this option. The full instructions are available from Microsoft but here’s the condensed version:

Download the Office 2016 Deployment Tool and run it. It will extract a setup.exe and a configuration.xml file.

Edit the configuration.xml file: in the line <Add Channel="Monthly" OfficeClientEdition="32">, change the word ‘Monthly’ to ‘InsiderFast’ to get updates as early in the process as possible.

Open an admin command prompt, navigate to the folder that contains the two above files and run:

Setup.exe /configure configuration.xml

(If you have any issues, try uninstalling your existing version of Office).

Once that’s done, you should be good to go. Launch an Office app such as Word, log in with your Work/School account, and go to File > Account. Under the About Word section, you should see a mention of Office Insider:
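The three steps above (extract, edit the channel, run setup.exe /configure) can be scripted so the XML edit can’t be mistyped. This is an added example, not part of the original post or the Office Deployment Tool itself; it assumes the tool has already been extracted into C:\ODT (an assumed path) and that configuration.xml there contains a single <Add Channel="Monthly" ...> element as shown above.

```powershell
# Added example (not from the original post): switch the ODT configuration.xml to
# the InsiderFast channel and run the configure step described above.
# Assumption: the Deployment Tool was extracted to $odtPath (assumed path) and
# configuration.xml holds one <Add Channel="Monthly" ...> element.
$odtPath    = 'C:\ODT'
$configFile = Join-Path $odtPath 'configuration.xml'
$setupExe   = Join-Path $odtPath 'setup.exe'

foreach ($f in $configFile, $setupExe) {
    if (-not (Test-Path $f)) { throw "Expected file not found: $f" }
}

# Setup.exe must run elevated, same as the "admin command prompt" in the steps.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (admin) PowerShell prompt.'
}

# Edit the XML as XML rather than with a text replace, so attribute quoting
# stays valid and a stray "Monthly" elsewhere in the file is left alone.
[xml]$config = Get-Content -Path $configFile -Raw
$add = $config.Configuration.Add
if (-not $add) { throw "No <Add> element found in $configFile" }

# Keep the original so the change can be reverted.
Copy-Item -Path $configFile -Destination "$configFile.bak" -Force

"Current channel: $($add.Channel)"
$add.SetAttribute('Channel', 'InsiderFast')
$config.Save($configFile)
"New channel:     $($add.Channel)"

# Equivalent of: Setup.exe /configure configuration.xml
& $setupExe /configure $configFile
```

Saving the .bak copy first is the part worth keeping even if you do the edit by hand: the Channel value is what controls which update ring the whole install follows, so you want an easy way back to Monthly if the Insider build misbehaves.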

If you want to be an Office Insider for apps on iOS or Android, then follow the instructions here on how to register and obtain updates (it’s very easy!).

OneDrive for Business Auto Sign In – Windows 10

If you’re looking at starting to use OneDrive for Business and you’re working with PCs joined to a local domain, you can now give end users a seamless sign-in experience (note that the Group Policy setting for this is in preview according to the documentation).

The ‘OneDrive for Business’ name has been dropped from the client’s perspective. It’s just OneDrive now, even though the backend is still OneDrive for Business as part of an Office 365 subscription.

You’ll need Windows 10 1709+ for this, as that’s the first version of Windows 10 that has OneDrive baked in. No deployment of the app is required, so you won’t need to use or modify the OneDrive for Business installer. The newer client has far fewer syncing issues too – if you’re not sure which one you’re using, check which executable is running. OneDrive.exe is the new client, while Groove.exe is the older one.

Since OneDrive is part of Windows 10 now, if you aren’t ready for this or don’t want it yet, you’ll need to use the Group Policy setting ‘Prevent the usage of OneDrive for file storage’, which is found in Computer Configuration > Policies > Administrative Templates > Windows Components > OneDrive (note that this is a different location to the new OneDrive policies mentioned above, which sit one level down, straight under Administrative Templates).

If you’re migrating from an existing install, then you’ll need to follow this process. Otherwise, if you’re starting fresh, there’s a great guide here to go through.

The short version of these steps is:

  1. Windows 10 1709 already has OneDrive, so no deployment is required.
  2. Get the ADML and ADMX Group Policy files and deploy them in your environment. Make sure they’re the latest ones too, which you should be able to get from any Windows 10 1709 PC in the path %localappdata%\Microsoft\OneDrive\BuildNumber\adm\
  3. Configure your Group Policies to the settings you want, but the one you’ll need for auto sign-in is “Silently configure OneDrive using Windows 10 or domain credentials”. This setting should set the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive] “SilentAccountConfig”=dword:00000001. With this setting there’s an extra registry setting to configure: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive] “EnableADAL”=dword:00000001. This setting enables Modern Authentication for OneDrive.

That’s it!

After this is configured and you log on, the OneDrive client will automatically sign in as the logged on user – assuming you’re properly set up on the Azure AD and Office 365 side of things. There’s no prompt, no notification and users can start using it straight away at their convenience.
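Because the sign-in is silent, there is nothing on screen to tell you a PC is missing one of the prerequisites above. The following read-only audit is an added example (not part of the original post) that checks the four things the steps depend on: the Windows build, the machine policy value, the per-user EnableADAL value, and which sync client is actually running. The only fact it adds beyond the post is that Windows 10 1709 corresponds to build 16299.

```powershell
# Added example (not from the original post): audit a Windows 10 PC for the
# OneDrive silent sign-in prerequisites. Read-only: it reports, it changes nothing.
function Test-OneDriveSilentConfig {
    $results = [ordered]@{}

    # Windows 10 1709 is build 16299; OneDrive is bundled from that release on.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $results['Windows build >= 16299 (1709)'] = ($build -ge 16299)

    # Machine policy written by "Silently configure OneDrive using Windows 10
    # or domain credentials" (value from the post).
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -ErrorAction SilentlyContinue
    $results['HKLM SilentAccountConfig = 1'] = ($policy.SilentAccountConfig -eq 1)

    # Per-user value that enables Modern Authentication for the client (from the post).
    $user = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\OneDrive' -ErrorAction SilentlyContinue
    $results['HKCU EnableADAL = 1'] = ($user.EnableADAL -eq 1)

    # Which sync client is running: OneDrive.exe is the new one, Groove.exe the old.
    $results['OneDrive.exe running (new client)'] = [bool](Get-Process -Name OneDrive -ErrorAction SilentlyContinue)
    $results['Groove.exe running (old client)']   = [bool](Get-Process -Name Groove   -ErrorAction SilentlyContinue)

    $results
}

# Anything reported as False is a reason the silent sign-in will not happen.
Test-OneDriveSilentConfig | Format-Table -AutoSize
```

Run it in the user’s own session, not an elevated one launched as a different account, or the HKCU check will read the wrong user’s hive.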

If you’re planning on moving users’ home drives to OneDrive, you’ll need to manually move the files or run a script like this to migrate the data – or find a paid solution.


Outlook 2016 Secondary Mailbox Cached Mode

After migrating to Outlook 2016 from 2010, I noticed this inconsistency.

If you use secondary mailboxes in Outlook, you’re probably going to want them in Online Mode rather than Cached Mode. With Cached Mode on, an OST file is created for each extra mailbox you add, and you’ll hit performance issues if you have over 500 folders across all mailboxes added to the account.

One of the ways to avoid these performance issues is turning off ‘Download shared folders’ in the mailbox settings:

‘Download shared folders’ disabled

This can be done manually, or company wide with the Group Policy setting “Disable shared mail folder caching” found in User Configuration / Administrative Templates / Microsoft Outlook 2016 / Outlook Options / Delegates. Enabling this will disable and grey out the option as per the screenshot above.

However, I was previously doing this through a registry setting ‘CacheOthersMail’ under HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook\cached mode with the value set to 0. This worked on Outlook 2010 fine I believe, but in 2016 it did something slightly strange. Although clicking on a secondary mailbox’s folders showed they were in Online Mode with the status bar status of ‘Online’, the ‘Download shared folders’ tickbox was still enabled. I’ve confirmed this on both CTR and MSI versions of Office 2016.

At first I thought nothing of this, as it seemed to be working as intended. However, after a while I worked out that having it configured this way led to performance issues, and people who had over 500 folders had cases where the inbox would stop updating. Changing the tickbox setting resolved the issue, despite the secondary mailboxes showing as ‘Online’ both before and after the change. I didn’t dig into this any further so I can’t explain what was actually going on, but at a guess it was still doing some sort of sync or connection on each folder despite it being in Online Mode.

My advice is: make sure the ‘Download shared folders’ tickbox is off rather than just checking that the folders show as being ‘Online’. If you really need a secondary mailbox in cached mode but want to disable it by default, you could add it as a separate mailbox account, which will have its own cached mode settings.