Azure Active Directory has the ability to create Security Groups with Dynamic membership. This is great if you can apply logic to a group, as members will fall in and out of scope without any work required.
Microsoft have a great writeup on how it all works and how to create rules, however I’ve run into a scenario not covered in the documentation.
If you create a Dynamic membership rule and want to include only attributes that have no value, the term ‘null’ works fine. You can create your group or modify the rule without issue.
However, if your binary operator (the equals part in the example above) is set to ‘not’, it won’t work.
The use case I had for ‘not null’ was to have a group of users which only had employee numbers, which was an easy way of filtering out test accounts, service accounts and so on.
Note that you can’t do this from the simple rule view, changing ‘null’ to ‘$null’ there results in the code looking like this:
(user.extensionAttribute1 -eq “$null”)
Where it should look like this, without the quotes:
(user.extensionAttribute1 -eq $null)
A simple fix, but something that’s not documented on the support page. Hope this helps anyone who runs into the same problem.