Policy Rules Guide
This is a how-to guide on using and configuring templates based on policy rules.
Policy Configuration
The policy configuration is the rule that describes which users the policy applies to.
Policy Rule
The policy rule is an expression in the format of a SQL WHERE clause. More advanced users can create/test rules by connecting directly to the dataset with Microsoft SQL Server Management Studio.
The queryable properties are based on the Microsoft Graph user object properties. Here are the common properties that you would use for your rule:
Property | Type | Description | Example |
AccountEnabled | Boolean | Specifies whether the account is enabled/disabled | AccountEnabled=1 (all enabled users) |
City | String | | City='Bellevue' |
Country | String | | Country='United States' |
Department | String | | Department='Sales' |
ExtensionAttribute1 | String | Synchronized from on-premises Active Directory | ExtensionAttribute1='My Value' |
ExtensionAttribute2 | String | Synchronized from on-premises Active Directory | ExtensionAttribute2='My Value' |
ExtensionAttribute3 | String | Synchronized from on-premises Active Directory | ExtensionAttribute3='My Value' |
ExtensionAttribute4 | String | Synchronized from on-premises Active Directory | ExtensionAttribute4='My Value' |
ExtensionAttribute5 | String | Synchronized from on-premises Active Directory | ExtensionAttribute5='My Value' |
ExtensionAttribute6 | String | Synchronized from on-premises Active Directory | ExtensionAttribute6='My Value' |
ExtensionAttribute7 | String | Synchronized from on-premises Active Directory | ExtensionAttribute7='My Value' |
ExtensionAttribute8 | String | Synchronized from on-premises Active Directory | ExtensionAttribute8='My Value' |
ExtensionAttribute9 | String | Synchronized from on-premises Active Directory | ExtensionAttribute9='My Value' |
ExtensionAttribute10 | String | Synchronized from on-premises Active Directory | ExtensionAttribute10='My Value' |
ExtensionAttribute11 | String | Synchronized from on-premises Active Directory | ExtensionAttribute11='My Value' |
ExtensionAttribute12 | String | Synchronized from on-premises Active Directory | ExtensionAttribute12='My Value' |
ExtensionAttribute13 | String | Synchronized from on-premises Active Directory | ExtensionAttribute13='My Value' |
ExtensionAttribute14 | String | Synchronized from on-premises Active Directory | ExtensionAttribute14='My Value' |
ExtensionAttribute15 | String | Synchronized from on-premises Active Directory | ExtensionAttribute15='My Value' |
JobTitle | String | | JobTitle='Sales Manager' |
Mail | String | | Mail LIKE '%@bittitan.com' (all users that have an email address with the domain bittitan.com) |
PhysicalDeliveryOfficeName | String | Location field shown in the Address List | PhysicalDeliveryOfficeName='Bellevue' |
PostalCode | String | Zip or postal code | PostalCode='98004' |
ShowInAddressList | Boolean | Specifies whether the user is visible in the Address List | ShowInAddressList=0 (all users that are hidden from the Address List) |
State | String | State or province | State='WA' |
UsageLocation | String | Two-letter ISO 3166 country code for service usage location | UsageLocation='US' |
UserPrincipalName | String | Username used to log in to Microsoft 365 | UserPrincipalName LIKE '%@bittitan.com' (all users that have a login name with the domain bittitan.com) |
You may combine two or more expressions using SQL logical operators such as AND or OR. For example:
Department='Sales' OR Department='Marketing'
User Exceptions
Even though the policy is defined by a query, there may be one or more users who fall outside of the policy rule. In these circumstances, specify the email address of each user you wish to include in the policy, one email address per line.
You may configure just the user exceptions list if you want to explicitly specify who this policy should apply to without a policy rule.
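To show how operator precedence in a combined rule and the user exceptions list change who a policy reaches, the following added example (not BitTitan's code) evaluates rules against constructed users in an in-memory SQLite table. The `Users` table name, the sample addresses, and merging exceptions into the rule's matches are assumptions; SQLite stands in for the product's SQL Server dataset.

```python
import sqlite3

# Constructed sample users; column names follow the property table above.
USERS = [
    # Mail, Department, AccountEnabled
    ("ann@example.com", "Sales", 1),
    ("bob@example.com", "Sales", 0),      # disabled account
    ("cat@example.com", "Marketing", 1),
    ("dan@example.com", "Marketing", 0),  # disabled account
    ("eve@example.com", "Finance", 1),
]

def preview(rule, exceptions=()):
    """Return the sorted addresses a rule plus an exceptions list would select.

    `rule` is pasted into the WHERE clause as-is, which is acceptable here
    only because the table is a throwaway in-memory copy.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Mail TEXT, Department TEXT, AccountEnabled INTEGER)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    matched = set()
    if rule:
        matched = {row[0] for row in db.execute(f"SELECT Mail FROM Users WHERE {rule}")}
    db.close()
    # Assumption: exceptions are one address per line, added to the rule's matches.
    extra = {line.strip().lower() for line in exceptions if line.strip()}
    return sorted(matched | extra)

# AND binds tighter than OR, so this reads as
# Department='Sales' OR (Department='Marketing' AND AccountEnabled=1)
# and still selects the disabled Sales account.
LOOSE = "Department='Sales' OR Department='Marketing' AND AccountEnabled=1"
# Parentheses apply the enabled check to both departments.
STRICT = "(Department='Sales' OR Department='Marketing') AND AccountEnabled=1"

if __name__ == "__main__":
    print("loose :", preview(LOOSE))
    print("strict:", preview(STRICT))
    print("strict + exception:", preview(STRICT, ["eve@example.com"]))
    print("exceptions only:", preview("", ["eve@example.com", ""]))
```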
Best Practices
- Specify your policy with a rule and/or user exception
- Do not select the checkbox and click Next
- This will verify the validity of your configuration
- You may see who specifically the policy will apply to by downloading and viewing the logs