Azure AD Groups Filters

Hello experts,

We are trying to create a filter to ignore Office 365 groups in the aggregation.

We have done the following filter without success:
(NOT(groupTypes/any(c:c eq 'Unified'))) getting a 400 error.

If we remove the NOT and change the eq to a ne we still get a 400 error.

But if we leave the filter positive [groupTypes/any(c:c eq 'Unified')] we get a success.

Where are we wrong in negating the filter?

Thank you.

Hello @jabarrero,
Is it not enough to disable Microsoft 365 groups in the connector settings?
Microsoft 365 groups is the new name for Office365 groups.

Thank you for your reply @yannick_beot.

We had already taken that into account as it continues to bring them in.
That’s why we thought that the best option is to do it through a filter.

If you have disabled Microsoft 365 support after a first aggregation, did you try to “reset” the source and aggregate entitlements again?

@yannick_beot

We have tried the ones you have told us about and it brings us all the groups.

The configuration of the connector is as follows:

The filter field is empty.

I have also unchecked “Aggregate All Groups”.
But like I said, if you have checked “Manage Microsoft 365 Groups”, then aggregated entitlements, then unchecked “Manage Microsoft 365 Groups”, it will not remove the Microsoft 365 Groups from the list.
Even a filter will not help.
You need to reset the connector first.
To reset a connector, you need to POST to the endpoint {{api-url}}/cc/api/source/reset/{{sourceID}}
cf. https://community.sailpoint.com/t5/IdentityNow-Articles/IdentityNow-REST-API-Source-Reset/ta-p/156669

Beware that it will erase all accounts and entitlements data in your source.

@yannick_beot

We have checked “Aggregate All Groups” because we need all groups except Microsoft 365 groups.

This is the reason why we are trying to avoid these groups by a filter.

Playing with Microsoft’s Graph Explorer, I cannot get a working filter that would exclude the Microsoft 365 groups.
I tried:

  • $filter=not+groupTypes/any(c:c+eq+'Unified')
  • $filter=not(groupTypes/any(c:c+eq+'Unified'))
  • $filter=groupTypes/any()

Nothing works. On the contrary, I can get only Microsoft 365 groups…

@yannick_beot

Using the consistency level header with the eventual value and count=true in the call, it works. When passing it to SailPoint, there is no way to set the consistency level header with the eventual value.

According to the SailPoint documentation, it accepts advanced filters.

Indeed, I do not see how to set headers or additional query parameters eventually on Azure AD Connectors.
Given the fact that even when you uncheck “Manage Microsoft 365 groups” and when you check “Manage all groups”, you still have Microsoft 365 groups, I would open a ticket for a potential bug.

@yannick_beot
Thanks for the help, keep us informed when you have a possible answer.

I was able to filter Microsoft 365 groups.
The entry groupFilters attribute with advanced query filters (NOT, NE and ENDSWITH) works fine.
You need to do the prerequisites mentioned below:

  1. Please add the attribute groupFilters with value as NOT groupTypes/any(c:c eq 'Unified') in the AzureAD source xml.
  2. Also please remove attribute owners from group schema while using these advanced query filters. The Azure API does not support advanced query filters (NOT, ENDSWITH and NE) along with expand attribute like “owners” in the URL.

Remember that you may need to reset the source to remove existing Microsoft 365 groups.

Thank you very much for the help @yannick_beot, it is working correctly by carrying out this operation.