I am trying to add a custom expression to an Authentication Policy. Since building the rule with just the UI does not allow the "OR"ing of some of the conditions, I wanted to try doing it with a custom expression.
The expression is basically (user.isMember of “Group1” or “Group2”) || user is not in any defined zone
The group part is documented, but how does one determine if the user is in a zone? I found a page that discusses the properties of the device object, but I cannot find one that discusses the default/built-in properties of the user object. I understand that the exact properties vary from each implementation depending on the customization of the universal directory, but the zone name for a given login should be a property that is built-in.
Any guidance here would be appreciated.