Your first ABAC rule in 10 minutes
From zero to a working ABAC rule in your Entra tenant. This guide walks you through step by step.
What you'll build
A rule that puts every employee whose jobTitle contains "Engineer" into the group Engineering-All. In ten minutes, and safely tested on a small test group first.
What you need
- Access to your Entra tenant with the Global Administrator role (for the first connection) or User Administrator.
- A ServiceChanger account.
- At least a few employees with jobTitle populated.
Step 1. Check your attribute data
Go to Users. ServiceChanger shows which attributes are populated per user. Look at jobTitle. How many users have it filled, how many don't? Empty attributes will not match later, so fill the important gaps in Entra first. ServiceChanger does not write attributes for you; you do that in Entra or your own sync.
Step 2. Create the group
If you want to write to a new group, create it in Entra ID (Groups > New group). If the group already exists, you can use it directly. For an on-prem synced group the change runs through your hybrid worker; see Hybrid and on-prem AD.
Step 3. Create the rule
Go to the rules in ServiceChanger and create a new one:
- Attribute: jobTitle contains "Engineer"
- Target group: Engineering-All
Step 4. Test on a small test group
Start small. First limit the rule to a small test group of a few users, for example a handful of engineers you know. That way you check the result on a limited group before you apply the rule to everyone.
Step 5. Verify
Look at who the rule affects in your test group. All users with "Engineer" in their jobTitle belong in the group, including variants like "Principal Engineer" and "Staff Engineer", because contains catches those. Does the list look right? Is it too broad or too narrow? If so, adjust the attribute or use a composed attribute.
Step 6. Roll out more broadly
Does it look right on your test group? Widen the rule to the full scope and set it to Active. ServiceChanger updates the membership within minutes: for cloud-only groups through Microsoft Graph, for on-prem groups through the runbook and Entra Connect.
Check the result in Entra ID: Groups > Engineering-All > Members.
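To support the checks in Steps 1, 5 and 6, the following added example (not ServiceChanger code and not part of the original guide) previews the jobTitle contains "Engineer" rule over an exported user list and compares the result with the group's current members. The CSV layout, column names and sample users are constructed for illustration. The guide does not say whether contains is case-sensitive, so the preview can be run both ways.

```python
import csv
import io

# Constructed sample export (not real tenant data). Column names are an
# assumption; inGroup records current membership of Engineering-All.
SAMPLE_EXPORT = """userPrincipalName,jobTitle,inGroup
ana@example.com,Principal Engineer,yes
ben@example.com,Staff Engineer,yes
cho@example.com,engineer,no
dee@example.com,Engineering Manager,yes
eli@example.com,Sales Engineer,yes
fay@example.com,,no
gus@example.com,Accountant,yes
"""


def preview(export_text, needle="Engineer", case_sensitive=True):
    """Preview 'jobTitle contains needle' and diff it against group membership."""
    fold = (lambda s: s) if case_sensitive else str.casefold
    empty, matched, members = [], set(), set()
    for row in csv.DictReader(io.StringIO(export_text)):
        upn = row["userPrincipalName"]
        title = (row["jobTitle"] or "").strip()
        if not title:
            empty.append(upn)  # empty attributes never match (Step 1)
        elif fold(needle) in fold(title):
            matched.add(upn)
        if row["inGroup"].strip().lower() == "yes":
            members.add(upn)
    return {
        "empty_jobtitle": empty,
        "matched": sorted(matched),
        # The rule would add these users, but they are not in the group yet.
        "missing_from_group": sorted(matched - members),
        # In the group without matching the rule: review before relying on it.
        "unexpected_in_group": sorted(members - matched),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("case_sensitive =", mode)
        for key, value in preview(SAMPLE_EXPORT, case_sensitive=mode).items():
            print(f"  {key}: {value}")
```

In the sample, "Engineering Manager" and "Sales Engineer" both match, which is the kind of too-broad result Step 5 asks you to look for.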