How to Validate Microsoft Entra Dynamic Group Membership Rules in Intune

Start by signing into the Microsoft Intune admin center with your administrator credentials. You'll need either Groups Administrator or Intune Administrator role permissions.

https://endpoint.microsoft.com

Once logged in, navigate to the Groups section:

1. Click on Groups in the left navigation pane
2. Select All groups from the submenu

Choose an existing dynamic group or create a new one for testing. Dynamic groups must be either user-based or device-based, not mixed.

To create a new dynamic group:

1. Click + New group
2. Set Group type to Security
3. Enter a descriptive Group name like "Test-DynamicUsers-Validation"
4. Set Membership type to Dynamic User or Dynamic Device
5. Click Add dynamic query

For an existing dynamic group, simply click on the group name from the list.

Access the rule validation interface within your selected dynamic group:

1. Click on the Dynamic membership rules tab
2. You'll see the current rule (if any) in the rule editor
3. Click on the Validate Rules sub-tab or button

The validation interface will load, showing options to add users or devices for testing. This is where you'll test your membership rules against real objects in your tenant.

Current rule example:
(user.department -eq "IT") and (user.accountEnabled -eq true)

Select up to 20 users or devices to test against your dynamic membership rule. Choose a diverse set that includes both expected members and non-members.

For user-based groups:

1. Click + Add users
2. Search for users by name, email, or department
3. Select users from different departments, locations, or roles
4. Include at least 2-3 users who should match the rule
5. Include 2-3 users who should NOT match the rule
6. Click Select

For device-based groups:

1. Click + Add devices
2. Search for devices by name or operating system
3. Select a mix of Windows, iOS, Android devices if applicable
4. Include devices with different compliance states
5. Click Select

Run the validation process and examine the detailed results for each test object:

1. Click Validate (validation may run automatically after selection)
2. Wait for the validation to complete (usually 10-30 seconds)
3. Review the Verification details section

The results will show:

• Membership status: ✓ Member or ✗ Not a member
• Rule evaluation: Which parts of the rule matched or failed
• Attribute values: Current values for attributes used in the rule

Example validation result:
User: john.doe@company.com
Status: ✓ Member
Rule evaluation: (user.department -eq "IT") = TRUE
                (user.accountEnabled -eq true) = TRUE
Final result: TRUE (both conditions met)

Use the validation feature to test rule changes before applying them to the live group:

1. Click Edit to modify the current rule
2. Make your changes in the rule builder or text editor
3. Return to the Validate Rules tab
4. Click Validate again with the same test objects
5. Compare the new results with previous validation

Common rule modifications to test:

Original: (user.department -eq "IT")
Modified: (user.department -eq "IT") or (user.department -eq "Engineering")

Original: (device.deviceOSType -eq "Windows")
Modified: (device.deviceOSType -eq "Windows") and (device.isCompliant -eq true)

Document the changes and their impact:

• How many additional users/devices will be included?
• Are any current members excluded by the new rule?
• Do the results match your targeting expectations?

Test advanced rule syntax including wildcards, contains operations, and multiple conditions:

For complex string matching:

user.mail -match ".*@(contoso|fabrikam)\.com$"
user.displayName -contains "Manager"
user.extensionAttribute1 -in ["Value1", "Value2", "Value3"]

For device rules with multiple conditions:

(device.deviceOSType -eq "Windows") and 
(device.deviceOSVersion -match "10\..*") and 
(device.isCompliant -eq true)

Test each component separately:

1. Start with a simple rule testing one condition
2. Add complexity gradually
3. Validate after each addition
4. Use parentheses to control evaluation order

Common advanced scenarios to test:

• Multiple department inclusion with OR logic
• Exclusion patterns using NOT operations
• Date-based rules for account creation or last sign-in
• Custom attribute matching for specialized targeting

Create documentation of your validation process and save the confirmed rule:

1. Screenshot or export the validation results
2. Document the test objects used and their outcomes
3. Note any unexpected results and their explanations
4. Record the final rule syntax
5. Click Save to apply the validated rule

Create a validation report template:

Dynamic Group Validation Report
Group Name: [Group Name]
Rule: [Rule Syntax]
Test Date: [Date]
Test Objects: [Count] users/devices
Expected Members: [Count]
Actual Members: [Count]
Discrepancies: [List any unexpected results]
Approved By: [Administrator]
Deployment Date: [Date]

Post-deployment monitoring:

• Check group membership after 24 hours
• Verify that Intune policies are applying correctly
• Monitor for any user/device complaints about missing access
• Set up alerts for group membership changes

Address frequent problems encountered during rule validation:

Insufficient Privileges Error:

# Check your current role assignments
Get-MgRoleAssignment -Filter "principalId eq '[your-user-id]'"

If using PIM, activate your role:

1. Go to Microsoft Entra admin center
2. Navigate to Privileged Identity Management
3. Click My roles
4. Activate Groups Administrator role

Deprecated Attribute Issues:

Replace deprecated attributes in your rules:

❌ Deprecated: user.organizationalUnit -eq "OU=Sales,DC=contoso,DC=com"
✅ Use instead: user.department -eq "Sales"

Rule Syntax Errors:

• Use -match ".*pattern.*" for wildcard matching
• Ensure proper parentheses for complex logic
• Check attribute names against the official schema
• Test string comparisons with exact case matching