Rule Syntax for Azure user.memberof

I'm trying to create a dynamic group with a dynamic membership rule that adds a user who are not part of a another group.

so based on documentation user.memberof -any (group.objectId -in ['my-group-id']) works but I'm trying to modify it. -not (user.memberof -any (group.objectId -in ['my-group-id']) Have tried this but will give an invalid property same goes if I modify (group.objectId -not ['my-group-id']) gives an invalid operand.

As mentioned in the documentation, there is a limitation, saying:

The memberOf attribute can't be used with other operators. For example, you can't create a rule that states “Members Of group A can't be in Dynamic group B.”

I have one group created with dynamic query user.department -eq "IT" having below users as members:

I created a new dynamic group by including the same members of the above group with this dynamic query:

user.memberof -any (group.objectId -in ['above-group-id'])

When I tried to modify the dynamic query to exclude the members present in another group, I too got those same errors like this:

-not (user.memberof -any (group.objectId -in ['my-group-id']))

user.memberof -any (group.objectId -not ['my-group-id'])

So it's not possible to exclude the members of specific group while creating dynamic group with the memberOf attribute.

Alternatively, you can filter out users based on their properties like department, companyName, jobTitle, city, country, etc.

When I modified the dynamic query to user.department -ne "IT" based on user property, it worked:

To confirm that, I checked the group members where users from DemoGrp01 excluded successfully like this:

Reference: Exclude user from a dynamic group based on group membership - Microsoft Q&A by Aaron Gill