Policy Rules

Policy Rules Guide

This is a how-to guide on using and configuring templates based on policy rules.

Policy Configuration

The policy configuration is the rule that describes which users should have this policy applied to them.

Policy Rule

The policy rule is an expression based on the SQL WHERE clause format. Advanced users can create and test rules in Microsoft SQL Server Management Studio by connecting directly to the dataset.

 


 

The queryable properties are based on the Microsoft Graph user object properties. Here are the common properties that you would use for your rule:

 

| Property | Type | Description | Example |
|---|---|---|---|
| AccountEnabled | Boolean | Specifies whether the account is enabled/disabled | AccountEnabled=1 (all enabled users) |
| City | String | | City='Bellevue' |
| Country | String | | Country='United States' |
| Department | String | | Department='Sales' |
| ExtensionAttribute1 | String | Synchronized from on-premises Active Directory | ExtensionAttribute1='My Value' |
| ExtensionAttribute2 | String | Synchronized from on-premises Active Directory | ExtensionAttribute2='My Value' |
| ExtensionAttribute3 | String | Synchronized from on-premises Active Directory | ExtensionAttribute3='My Value' |
| ExtensionAttribute4 | String | Synchronized from on-premises Active Directory | ExtensionAttribute4='My Value' |
| ExtensionAttribute5 | String | Synchronized from on-premises Active Directory | ExtensionAttribute5='My Value' |
| ExtensionAttribute6 | String | Synchronized from on-premises Active Directory | ExtensionAttribute6='My Value' |
| ExtensionAttribute7 | String | Synchronized from on-premises Active Directory | ExtensionAttribute7='My Value' |
| ExtensionAttribute8 | String | Synchronized from on-premises Active Directory | ExtensionAttribute8='My Value' |
| ExtensionAttribute9 | String | Synchronized from on-premises Active Directory | ExtensionAttribute9='My Value' |
| ExtensionAttribute10 | String | Synchronized from on-premises Active Directory | ExtensionAttribute10='My Value' |
| ExtensionAttribute11 | String | Synchronized from on-premises Active Directory | ExtensionAttribute11='My Value' |
| ExtensionAttribute12 | String | Synchronized from on-premises Active Directory | ExtensionAttribute12='My Value' |
| ExtensionAttribute13 | String | Synchronized from on-premises Active Directory | ExtensionAttribute13='My Value' |
| ExtensionAttribute14 | String | Synchronized from on-premises Active Directory | ExtensionAttribute14='My Value' |
| ExtensionAttribute15 | String | Synchronized from on-premises Active Directory | ExtensionAttribute15='My Value' |
| JobTitle | String | | JobTitle='Sales Manager' |
| Mail | String | | Mail LIKE '%@bittitan.com' (all users that have an email address with the domain bittitan.com) |
| PhysicalDeliveryOfficeName | String | Location field shown in the Address List | PhysicalDeliveryOfficeName='Bellevue' |
| PostalCode | String | Zip or postal code | PostalCode='98004' |
| ShowInAddressList | Boolean | Specifies whether the user is visible in the Address List | ShowInAddressList=0 (all users that are hidden from the Address List) |
| State | String | State or province | State='WA' |
| UsageLocation | String | 2-letter ISO 3166 country code for service usage location | UsageLocation='US' |
| UserPrincipalName | String | Username used to log in to Microsoft 365 | UserPrincipalName LIKE '%@bittitan.com' (all users that have a login name with the domain bittitan.com) |

 

You may combine two or more expressions using SQL logical operators such as AND or OR. For example:

Department='Sales' OR Department='Marketing'

User Exceptions

Even though the policy is defined with a query expression, there are circumstances in which one or more users fall outside of the policy rule. In these circumstances, specify the email address of each specific user you wish to include in the policy, one email address per line.

You may configure just the user exceptions list if you want to explicitly specify who this policy should apply to without a policy rule.

Best Practices

  • Specify your policy with a rule and/or user exception
  • Do not select the checkbox and click Next
    • This will verify the validity of your configuration
    • You may see who specifically the policy will apply to by downloading and viewing the logs
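
An added example (not part of the product or of the original article): a local Python check that lints a policy rule against property names from the table above and previews, on a constructed user list, who the rule plus the user exceptions would cover. It assumes SQLite semantics as a stand-in for the SQL Server dataset and that exceptions are matched on Mail; the names `lint_rule`, `preview` and `USERS` are hypothetical.

```python
import re
import sqlite3

# Property names come from the table on this page (a subset); everything else is assumed.
ALLOWED = {"AccountEnabled", "City", "Country", "Department", "JobTitle", "Mail",
           "ShowInAddressList", "State", "UsageLocation", "UserPrincipalName"}
KEYWORDS = {"AND", "OR", "NOT", "LIKE"}
# One token: quoted string ('' escapes a quote), integer, identifier, operator, parenthesis.
TOKEN = re.compile(r"\s*('(?:[^']|'')*'|\d+|[A-Za-z_]\w*|<>|<=|>=|[=<>()])")

USERS = [  # constructed sample directory, not real data
    {"Mail": "ana@example.com", "Department": "Sales", "AccountEnabled": 1},
    {"Mail": "bo@example.com", "Department": "Marketing", "AccountEnabled": 0},
    {"Mail": "cy@example.com", "Department": "IT", "AccountEnabled": 1},
    {"Mail": "di@example.com", "Department": "Sales", "AccountEnabled": 0},
]

def lint_rule(rule):
    """Return a list of problems; an empty list means the rule passed these checks."""
    problems, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:  # unbalanced quote, ';', '--' and similar are not valid tokens
            problems.append(f"unexpected text at offset {pos}: {rule[pos:pos + 15]!r}")
            break
        tok, pos = m.group(1), m.end()
        if tok[0].isalpha() or tok[0] == "_":
            if tok.upper() not in KEYWORDS and tok not in ALLOWED:
                problems.append(f"unknown property: {tok}")
    return problems

def preview(rule, exceptions, users=USERS):
    """Return the sorted Mail values a policy covers: rule matches plus user exceptions."""
    problems = lint_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    cols = sorted(ALLOWED)
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE users ({', '.join(cols)})")
    db.executemany(f"INSERT INTO users VALUES ({', '.join('?' * len(cols))})",
                   [[u.get(c) for c in cols] for u in users])
    matched = set()
    if rule.strip():  # an empty rule means "exceptions list only"
        matched = {row[0] for row in db.execute(f"SELECT Mail FROM users WHERE {rule}")}
    wanted = {e.strip().lower() for e in exceptions if e.strip()}
    matched |= {u["Mail"] for u in users if u["Mail"].lower() in wanted}
    return sorted(matched)

if __name__ == "__main__":
    print(preview("AccountEnabled=1 AND Department='Sales' OR Department='Marketing'", []))
    print(preview("AccountEnabled=1 AND (Department='Sales' OR Department='Marketing')", []))
```

The two rules printed at the end differ only in parentheses: because AND binds tighter than OR, the first also matches the disabled Marketing account.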