As IT professionals, we often find the need to push out changes to a small subset of our full user base. Manually maintaining pilot groups with users joining and leaving can create a lot of overhead.

A better way is to use Dynamic groups, but how do you segment users cleanly into different groups automatically? How do you avoid capturing Guests or other non-human user accounts?

The answer is Dynamic queries.

We can use the user.objectId property to act as our random seed for splitting users into groups. As a GUID, the user.objectId property's first character will always be 0-9 or a-f. With 16 different options, each individual character has a 6.25% chance of occurring.

We can use the user.userType property to differentiate between Members of the tenant and Guests. Use user.userType -eq "Member" for tenant members, or user.userType -eq "Guest" for Guests.

user.accountEnabled -eq true ensures we only capture enabled users. Disabled users, such as leavers, are automatically excluded.

(user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")) captures users with a Microsoft 365 Business Premium licence. Change the GUID for servicePlanId to your preferred licence type. A reference for service plan IDs is available here

Here are the rings I use:

User_Pilot_Ring_1

Dynamic Query:

(user.objectId -startsWith "0") and (user.userType -eq "Member") and (user.accountEnabled -eq true) and (user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled"))

User_Pilot_Ring_2

Dynamic Query:

(user.objectId -match "^[0-4]") and (user.userType -eq "Member") and (user.accountEnabled -eq true) and (user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled"))

User_Pilot_Ring_3

Dynamic Query:

(user.objectId -match "^[0-9]|^[a-b]") and (user.userType -eq "Member") and (user.accountEnabled -eq true) and (user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled"))
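
To check the three rules before creating the groups, the following added example (not part of the original post) evaluates them locally against constructed sample users, using PowerShell's -match as a stand-in for the rule engine. The helper names New-SampleUser and Test-RingMember and every objectId below are assumptions made for illustration; the output also shows that the rings are cumulative, so every Ring 1 member matches Ring 2 and Ring 3 as well.

```powershell
# Added example. All user records are constructed; only the servicePlanId and
# the objectId patterns come from the queries on this page.
$PlanId = 'c1ec4a95-1f05-45b3-a911-aa3fa01094f5'
$RingPatterns = [ordered]@{
    'User_Pilot_Ring_1' = '^0'              # equivalent of -startsWith "0"
    'User_Pilot_Ring_2' = '^[0-4]'
    'User_Pilot_Ring_3' = '^[0-9]|^[a-b]'
}

# Hypothetical helper: builds one constructed user with a single assigned plan.
function New-SampleUser {
    param([string]$Id, [string]$UserType = 'Member', [bool]$Enabled = $true,
          [string]$Status = 'Enabled')
    [pscustomobject]@{
        objectId       = $Id
        userType       = $UserType
        accountEnabled = $Enabled
        assignedPlans  = @([pscustomobject]@{
            servicePlanId = $PlanId; capabilityStatus = $Status })
    }
}

# Hypothetical helper: local approximation of one ring's dynamic query.
function Test-RingMember {
    param($User, [string]$Pattern)
    $licensed = @($User.assignedPlans | Where-Object {
        $_.servicePlanId -eq $PlanId -and $_.capabilityStatus -eq 'Enabled'
    }).Count -gt 0
    ($User.objectId -match $Pattern) -and ($User.userType -eq 'Member') -and
        $User.accountEnabled -and $licensed
}

$Users = @(
    New-SampleUser -Id '0a1b2c3d-0000-4000-8000-000000000001'                    # rings 1, 2, 3
    New-SampleUser -Id '3f1b2c3d-0000-4000-8000-000000000002'                    # rings 2, 3
    New-SampleUser -Id 'b71b2c3d-0000-4000-8000-000000000003'                    # ring 3 only
    New-SampleUser -Id 'e21b2c3d-0000-4000-8000-000000000004'                    # no ring
    New-SampleUser -Id '0c1b2c3d-0000-4000-8000-000000000005' -UserType 'Guest'  # guest
    New-SampleUser -Id '1d1b2c3d-0000-4000-8000-000000000006' -Enabled $false    # leaver
    New-SampleUser -Id '2e1b2c3d-0000-4000-8000-000000000007' -Status 'Suspended' # plan not enabled
)

$hex = '0123456789abcdef'.ToCharArray()
foreach ($ring in $RingPatterns.GetEnumerator()) {
    $share   = @($hex | Where-Object { [string]$_ -match $ring.Value }).Count / 16
    $members = @($Users | Where-Object { Test-RingMember $_ $ring.Value }).objectId
    '{0}: {1:P2} of eligible users; sample members: {2}' -f
        $ring.Key, $share, ($members -join ', ')
}
```

The guest, the disabled account and the user whose plan is not enabled never appear in any ring, even though their objectId matches a ring pattern.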