Skip to main content

Articles in this section

See more
Print

AD Groups | Enforce License rule (deprecated)

  • Updated

 

Rule description

Important: License assignment rules created before the 9.1.0 release make use of APIs that Microsoft is retiring on August 26, 2022. These rules must be migrated to their corresponding new versions before this time or the functionality will stop working.  Deprecated rules can be deleted after migration. Please see this article for details: Deprecated Rules.

This hybrid rule queries the specified Active Directory groups and for each member of these groups assigns the selected Office 365 license plans and options to the Office 365 account with an identical UserPrincipalName (UPN).

It is possible to use Ignore option to exclude the plan from the rule completely. In this case, this plan and its options will be ignored by the rule. If users already have assigned options from this plan, these options will keep. If users don't have the options from this plan, these options won't be assigned.

Note 1: Starting from version 6.2.0, this rule supports linked mailboxes. For more details please see the Provisioning Linked Mailboxes article.
Note 2: Starting from version 7.3.0, this rule also supports mapping between the Active Directory user account and Cloud user account by anchor attributes. For details, please see the How to map Active Directory users to Office 365 cloud users article.

 

When to use this rule

These are some typical license assignment scenarios, supplied with recommendations on an optimal configuration for the rule settings.

  1. Assign specific Office 365 license plan with its options to newly created user accounts in the selected groups:

    1. Set the Apply to unlicensed users only setting to Yes to enforce licenses only to unlicensed users.
    2. Set the Exclude Office 365 disabled users setting to Yes to exclude Office 365 disabled user accounts.
    3. Set the Exclude disables users from hybrid mapping setting to Yes to exclude disabled Active Directory user accounts.
    4. As usage location is mandatory to assign a license to an Office 365 user account, set the Change UsageLocation only if not set setting to Yes and pick a value for the Usage Location setting.
    5. For the License options setting, select the plan to be assigned and configure its options.
  2. Ensure that all members of the group have specific license plans and options assigned, and other conflicting plans revoked:
    1. Set Apply to unlicensed users only setting to No.
    2. Set the Exclude Office 365 disabled users setting and Exclude disables users from hybrid mapping setting to Yes only to include live user accounts.
    3. For the License options setting, select the plan to be assigned and configure its options. Set Revoke for conflicting license plans. Set Ignore setting for all the other plans.

  3. Add or remove license plan or option in bulk, to all members of the selected groups:

    1. Set Apply to unlicensed users only setting to No.
    2. Set the Exclude Office 365 disabled users setting and Exclude disables users from hybrid mapping setting to Yes only to include live user accounts.
    3. For the License options setting, select the plan or option to be assigned. Set Ignore setting for all the other plans.

Rule configuration:

  1. Query section: specify AD groups 

  2. Action section: specify license options to enforce Office 365 user accounts

 

Rule Settings

Query Section

Setting name Description

Include AD Group Members

Specify Distinguished Names of AD groups, which members will be assigned Office 365 licenses.

Apply to unlicensed users only

It is possible to apply licenses to unlicensed users only or all users, independently of whether they have Office 365 licenses or not.

Exclude Office 365 disabled users

This setting allows you to exclude Office 365 disabled users from the rule scope or to include them.

Properties to Display

To display additional Office 365 properties for each object found by the query, add those properties to the list.

Sort by

Sort result objects list.

Filter Office 365 query results

To hide unwanted data returned by the query, set the filtering conditions.

More options

  

Exclude AD Group Members

Specify AD groups Distinguished Names, which members will be excluded from Office 365 license assignment.

Tip: Use this setting to exclude some group members from assigning Office 365 licenses.

If the group, specified in Include AD Group Members, contains the same members as the group, specified in Exclude AD Group Members, these users won't be assigned Office 365 licenses.

Exclude disabled users from hybrid mapping

Excluding disabled AD user accounts from the hybrid mapping is possible.

Exclude shared mailboxes

Excluding shared mailboxes is possible.

Maximum number of users

By default, all objects that you have provisioned in Microsoft Office 365 are returned.

Tip: It is possible to change the default value in Microsoft Office 365 extension settings.

Stop rule if errors exceed

Too many errors may indicate rule misconfiguration or problems with connectivity.

Set this value to some integer value, indicating the number of occurred errors, when the rule execution should stop.

Stop rule if tenant licensing change detected

It is recommended to stop the rule execution if a tenant licensing change is discovered.

Tip: If licensing change is detected, you should click Update License in Microsoft Office 365 extension. For details, see KB20181017-1.

Initialization Script

 

Script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

Important: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

  1. Add this initialization script:
{$global:DatePeriod = (Get-Date).AddDays(-10)}
  1. Use $DatePeriod variable in the query criteria builder:

 

Action Section

Setting name Description

License options

Select which Microsoft Office 365 license plans and options to assign or revoke to Office 365 user accounts.

Tip: It is also possible to click Ignore to completely exclude the plan from the rule. In this case, this plan and its options won't be taken into consideration at all. If users already have assigned options from this plan, these options will keep. If users don't have options from this plan, these options won't be assigned.

License update order

Select a method to assign selected license plans and options:

  1. Revoke Previous then Assign New.
  2. Assign New then Revoke Old - this setting is deprecated
  3. Revoke Previous then Assign New (Restore delegation) - this setting is used for Office 365 mailboxes only. 
Note: In most cases Revoke Previous then Assign New option should be used. Please contact Cayosoft support before changing the default value.

Enforce license precedence (Advanced)

For details, see KB20181026-1.

 

Change UsageLocation only if not set

It is possible to keep the current user's usage location or change it to a new one.

Usage Location

Select the usage location.

Important: If Office 365 user accounts don't have a location attribute set, Office 36 license won't apply to them, and the rule will stop with the error.

If you use Usage Location from AD value for this setting, you must be sure all Active Directory user accounts, that fall under this rule this, have a location attribute set.

 

Output Section

This section defines the output format of this rule.

To get more information about this section, please see the Output section article.

 

Enforce/Schedule section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Enforce/Schedule section article.

 

Change History

Version Notes
7.3.0 The rule supports mapping between the Active Directory user account and the Cloud user account by anchor attributes.
6.3.1 Exclude shared mailboxes setting is added.
6.2.0 The rule supports linked mailboxes.
5.4.0 The rule is optimized and updated, and new License options control added.

 

 

© Copyright 2013-2025 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.