Modifications to LDAP Filter Don't Appear to Work

[ccgthree]

Our organization's user-base includes guest accounts for non-accredited continuing education programs and other types of "uncommon" users. We distinguish these users in AD with an "EduPersonPrimaryAffiliation" attribute. Some of these users have accounts related to those continuing education programs alongside their normal/standard accounts. for identification purposes, both the guest and regular accounts have the same mail address.

We intend to block guest accounts from being synced to Entra from AD.

While running IdFix, I found that filter modifications to exclude users with EduPersonPrimaryAffiliation still returned those objects. And, in our case, those are the only objects producing any errors, according to IdFix.

The filter I (tried) to use is as follows:

(&(|(objectCategory=Person)(objectCategory=Group))(!(eduPersonPrimaryAffiliation=GUEST))(!(eduPersonPrimaryAffiliation=VOLUNTEER))(!(eduPersonPrimaryAffiliation=RETIRED))(!(eduPersonPrimaryAffiliation=ENTITY)))

is this expected behavior?

[ccgthree]

I should have added: The above filter works as expected when run against AD using standard cmdlets like Get-ADObject or other tools such as ldapsearch.