

The following are the operators used in NGL:



Usage: `and1 operator performs a logical and operation of the properties/statements immediately before and after it.

Syntax: property1 = value1 and property2 = value2


Microsoft365 sharepointtenant should-have sharingCapability = "Disabled" and enableAzureADB2BIntegration = false

Explanation: NGL will return all Microsoft365 apps’ that have sharing capability disabled and AzureAD B2B Integration option is false.


Usage: or operator performs a logical or operation of the properties/statements immediately before and after it.

Syntax: property1 = value1 or property2 = value2


Microsoft365 sharepointtenant should-have sharingCapability = "Disabled" or enableAzureADB2BIntegration = false

Explanation: NGL will return all Microsoft365 apps’ that have sharing capability disabled or AzureAD B2B Integration option is false.


Usage: not operator performs a logical not operation of the properties/statements immediately before and after it.

Syntax: not(property1 = value)


Microsoft365 sharepointtenant should-have sharingCapability = "Disabled" and not enableAzureADB2BIntegration = false

Explanation: NGL will return all Microsoft365 apps’ that have sharing capability disabled and where enabling AzureAD B2B Integration option is not false.



Usage: + operator performs addition of values immediately before and after it.

Syntax: len(list1) + len(list2) > 0

Usage: - operator performs subtraction of values immediately before and after it.

Syntax: len(list1) len(list2) > 0


Usage: * operator performs multiplication of values immediately before and after it.

Syntax: property1 * 2 > 10


Usage: % operator returns the remainder of the division of value immediately before and after it. 

Syntax: property1 % 4 = 0


Usage: / operator performs division of values immediately before and after it.

Syntax: property1 / 4 > 0


microsoft365 securescore should-not-have controlscores with-any-element [ controlname = "AdminMFAV2" and (count / total < 1) ]



Usage: = operator compares the property/statement/value before it with property/statement/value after it, and returns a boolean result.

Syntax: property1 = property2


Microsoft365 sharepointtenant should-have sharingCapability = "Disabled" 

Explanation: NGL will return all Microsoft365 apps’ that have sharing capability disabled.


Usage: != operator negates an equality comparison of the property/statement/value before it with property/statement/value after it, and returns a boolean result.

Syntax: property1 != property2


Microsoft365 sharepointtenant should-have sharingCapability != "Disabled" 

Explanation: NGL will return all Microsoft365 apps’ that have sharing capability not disabled.


Usage: > operator performs a greater than comparison of the property/statement/value before it with property/statement/value after it, and returns a boolean result.
Syntax: property1 > property2

microsoft365 malwarefilterpolicy should-have len(FileTypes) > 0

Explanation: NGL will return all Microsoft365 apps’ malware filter policy whose length of file type is greater than 0.


Usage: >= operator performs a greater than or equal to comparison of the properties/statement/value before it with properties/statement/value after it, and returns a boolean result.

Syntax: property1 >= property2


microsoft365 malwarefilterpolicy should-have len(FileTypes) >= 10

Explanation: NGL will return all Microsoft365 apps’ malware filter policy whose length of file type is greater than equal to 0.


Usage: < operator performs a lesser-than comparison of the properties/statement/value before it with properties/statement/value after it, and returns a boolean result.

Syntax: property1 < property2


microsoft365 malwarefilterpolicy should-have len(FileTypes) < 101

Explanation: NGL will return all Microsoft365 apps’ malware filter policy whose length of file type is less than 101.


Usage: <= operator performs a lesser-than or equal to comparison of the properties/statement/value before it with property/statement/value after it, and returns a boolean result.

Syntax: property1 <= property2


microsoft365 malwarefilterpolicy should-have len(FileTypes) <= 100

Explanation: NGL will return all Microsoft365 apps’ malware filter policy whose length of file type is less than equal to 100.


( )


  • `()` is used to capture a functions’ input parameters, or to order boolean expressions. See Functions to learn more.
  • ‘()’ is used to group elements.

Syntax: func1(arg1), (boolean1 or boolean2) and (boolean3 or boolean4)


github repository should-have age(created_at , "days") > 1
azuread deviceconfiguration should-have ( passwordminutesofinactivitybeforescreentimeout = 5 and passwordminutesofinactivitybeforelock = 0 ) or ( passcodeminutesofinactivitybeforescreentimeout = 5 and passcodeminutesofinactivitybeforelock = 0 )

[ ]

Usage: [ ] is used to access an element of a list. with-element uses these elements in arrays [ item1, item2 ]. See Keywords to learn more.

Syntax: list_property [element1]


github app should-not-have write_permissions with-any-element [ "administration" ]

{ }

Usage: { } is used to depict a structure. with-attribute uses this element to address key-value pairs inside nested objects { key1: val1, key2: val2 }.

Syntax: struct_attribute {member_attribute}


zoom User should-have in_meeting with-attribute { e2e_encryption = true }

Common Errors

This section outlines errors that may occur with the operators. 

Error ScenarioIncorrect NGL ExampleSample Error MessageSteps to fix the error
Identifier is not a string or numberAzureAD User should-have identities in [5, 6, 7]Error: type of 'identities' should be string or number, got listUse a property that satisfies the required data type. See DOM files to learn more.
For example: AzureAD User should-have mobilePhone in ["1-000-000-0123","000-000-1234"]
Identifier has a mismatch with the primitive type in the IN blockAzureAD User should-have employeeHireDate in ["5"]Error: 'employeeHireDate' of type 'number' should not be matched against a stringUse a property that satisfies the required data type. See DOM files to learn more.
For example: AzureAD User should-have employeeHireDate in [5]
Comparing two different data typesAzureAD User should-have department = trueError: left-side type 'string' should match right-side type 'boolean' in '=' comparison operationEnsure that the same data type are used for comparison.
For example: AzureAD User should-have department = "abc"
Using > or < to compare two boolean valuesAzureAD User should-have isResourceAccount > trueError: unsupported operation '>' on type 'boolean'Only '=' operator is applicable for boolean comparison.
For example: AzureAD User should-have isResourceAccount = true
Share this Doc


Or copy link

In this topic ...