Group Mappings

Group mappings are used to determine the [target-system] groups that a user should (or should not) be a member of.

When setting up a group mapping, you select the [target-system] group that you want to manage, together with an expression that determines whether the user will or will not be a member.

If the expression evaluates to true, the user will be a member of the group; if it evaluates to false, the user will not be a member of the group.

We can use either a simple or a conditional expression in the mappings. Because any C# expression can be used, the possibilities of what can be done with expressions are plentiful.

Remember that Connect to AD also supports conditional expressions, which allow you to evaluate multiple conditions before determining which value to use in the mapping.

Connect to AD only supports group mappings to Entra ID security and M365 groups. It does not support mail-enabled groups, such as Exchange security or distribution groups, nor does it support mappings for Entra ID dynamic groups.

[Screenshot: group mappings.png]

When setting up a group mapping, there is an option Add only (do not remove users from this group).

If Add only (do not remove users from this group) is switched on, users whose expression evaluates to false will not be removed from the group if they are currently a member of it.

Remove from All Groups

The Remove from All Groups mapping is a special group mapping that can be used to remove a user from all the groups they are currently a member of.

When a user matches the defined expression, they will be removed from all their current groups (except their primary group).

This is especially useful for terminated employees. If the expression is set to:

Employment.EmployeeStatusCode == "T"
Employment.EmployeeStatus == "Terminated"

A terminated employee will meet this condition, will be removed from all groups, and no other group mappings will be processed.
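The following is an added example that models the evaluation rules described on this page (true adds, false removes unless Add only is on, and a matching Remove from All Groups mapping clears everything except the primary group and skips the remaining mappings). It is not Connect to AD's own code. The user attributes Employment.EmployeeStatusCode and Employment.EmployeeStatus come from this article; Department, PrimaryGroup, the group names, and the sample users are constructed assumptions, and the user object is a plain stand-in for whatever attribute object the product exposes to expressions.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in for the employment attributes a mapping expression can reference.
public sealed class Employment
{
    public string EmployeeStatusCode { get; init; } = "";
    public string EmployeeStatus { get; init; } = "";
}

// Constructed stand-in for the user object the expressions are evaluated against.
public sealed class User
{
    public string Upn { get; init; } = "";
    public string Department { get; init; } = "";            // assumed attribute
    public Employment Employment { get; init; } = new();
    public string PrimaryGroup { get; init; } = "Domain Users"; // assumed primary group
    public HashSet<string> CurrentGroups { get; } = new(StringComparer.OrdinalIgnoreCase);
}

// One group mapping: target group, the C# expression as a delegate, and the Add-only switch.
public sealed record GroupMapping(string Group, Func<User, bool> Expression, bool AddOnly = false);

public static class GroupMappingEngine
{
    // Returns the set of groups the user should end up in after the mappings are applied.
    public static HashSet<string> Evaluate(
        User user,
        Func<User, bool> removeFromAllGroups,
        IEnumerable<GroupMapping> mappings)
    {
        var result = new HashSet<string>(user.CurrentGroups, StringComparer.OrdinalIgnoreCase);

        // Remove from All Groups: when it matches, every group except the primary group is
        // dropped and no other group mapping is processed.
        if (removeFromAllGroups(user))
        {
            result.Clear();
            result.Add(user.PrimaryGroup);
            return result;
        }

        foreach (var mapping in mappings)
        {
            if (mapping.Expression(user))
                result.Add(mapping.Group);        // true: the user is a member
            else if (!mapping.AddOnly)
                result.Remove(mapping.Group);     // false: removed, unless Add only is switched on
            // false with Add only: an existing membership is left untouched
        }
        return result;
    }
}

public static class Program
{
    public static void Main()
    {
        // Remove from All Groups expression, as shown in the article.
        Func<User, bool> removeAll = u => u.Employment.EmployeeStatusCode == "T";

        var mappings = new List<GroupMapping>
        {
            // Simple expression.
            new("Finance-Users", u => u.Department == "Finance"),
            // Conditional expression combining several conditions.
            new("Finance-Approvers", u => u.Department == "Finance" && u.Employment.EmployeeStatus == "Active"),
            // Add only: never removes an existing member even when the expression is false.
            new("Legacy-VPN", u => u.Department == "IT", AddOnly: true),
        };

        // Constructed sample users.
        var active = new User
        {
            Upn = "alice@example.com", Department = "Finance",
            Employment = new Employment { EmployeeStatusCode = "A", EmployeeStatus = "Active" },
        };
        active.CurrentGroups.UnionWith(new[] { "Domain Users", "Legacy-VPN", "Sales-Users" });

        var terminated = new User
        {
            Upn = "bob@example.com", Department = "Finance",
            Employment = new Employment { EmployeeStatusCode = "T", EmployeeStatus = "Terminated" },
        };
        terminated.CurrentGroups.UnionWith(new[] { "Domain Users", "Finance-Users", "Finance-Approvers" });

        foreach (var u in new[] { active, terminated })
        {
            var groups = GroupMappingEngine.Evaluate(u, removeAll, mappings);
            Console.WriteLine($"{u.Upn}: {string.Join(", ", groups)}");
        }
        // alice keeps Legacy-VPN (Add only) and Sales-Users (no mapping touches it) and gains
        // Finance-Users and Finance-Approvers; bob is left with only Domain Users.
    }
}
```

Groups that no mapping references (Sales-Users above) are left as they are; only the Remove from All Groups mapping touches memberships outside the configured mappings, which is why it is the mapping to reach for when offboarding.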
