AD Users | Validate License rule
This hybrid rule queries the specified Active Directory scope. For each returned user account, it checks whether the selected license plans are assigned to the user and, for each license option in those plans, validates whether the On/Off state of the option in the rule matches its state in Office 365. License plans that are not selected in the rule are ignored.
An Active Directory user account should have a corresponding Office 365 user account with an identical UserPrincipalName (UPN).
NOTE: This rule supports linked mailboxes. For more details, please see the Provisioning Linked Mailboxes in Cayosoft Administrator article.
This rule also supports mapping between the Active Directory user account and the Cloud user account by anchor attributes. For details, please see the How to map Active Directory users to Office 365 cloud users article.
When to use this rule
Use this rule if you want to get the report and check the validity of Microsoft 365 licenses assigned to Microsoft 365 user accounts:
- During rule configuration, check license plans and options that should be assigned to Microsoft 365 user accounts.
- Run the rule and open the created report:
  - If a user has a license option assigned and this option is also checked in the rule, you will see the on value in the report next to the corresponding license option.
  - If a user doesn't have a license option assigned and this option is not checked in the rule, you will see the off value in the report next to the corresponding license option.
  - If a user has a license option assigned and this option is not checked in the rule, you will see the ON (violation) value in the report next to the corresponding license option.
  - If a user doesn't have a license option assigned and this option is checked in the rule, you will see the OFF (violation) value in the report next to the corresponding license option.
  - If a user doesn't have the license plan specified in the rule, you will see the off value in the report next to the corresponding license options.
NOTE: If you don't select a license plan, this plan will be ignored by the rule and won't be checked. Thus, even if a user has this plan assigned, the report will contain the off value for every license option in this plan.
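The report values listed above, modeled as an added PowerShell example. This is not Cayosoft's code: the function name Get-LicenseValidation, the rule and user data structures, and the sample plan, option and user names are assumptions constructed for illustration.

```powershell
# Constructed sample rule: plan and option names are illustrative sample values.
$rule = [ordered]@{
    ENTERPRISEPACK = @{ Selected = $true        # plan checked in the rule
        Options = [ordered]@{ EXCHANGE_S_ENTERPRISE = $true; TEAMS1 = $true; SWAY = $false } }
    EMS = @{ Selected = $false                  # plan not selected, so it is ignored
        Options = [ordered]@{ INTUNE_A = $true } }
}

# Constructed sample users: plan name -> options currently enabled in the tenant.
$users = @(
    [pscustomobject]@{ UPN = 'alice@example.com'; Licenses = @{ ENTERPRISEPACK = @('EXCHANGE_S_ENTERPRISE', 'TEAMS1') } }
    [pscustomobject]@{ UPN = 'bob@example.com'; Licenses = @{ ENTERPRISEPACK = @('EXCHANGE_S_ENTERPRISE', 'SWAY'); EMS = @('INTUNE_A') } }
    [pscustomobject]@{ UPN = 'carol@example.com'; Licenses = @{} }
)

function Get-LicenseValidation {
    # Hypothetical helper: emits one report row per user, plan and option.
    param($User, $Rule)
    foreach ($planName in $Rule.Keys) {
        $plan    = $Rule[$planName]
        $hasPlan = $User.Licenses.ContainsKey($planName)
        foreach ($option in $plan.Options.Keys) {
            $checked  = [bool]$plan.Options[$option]
            $assigned = $hasPlan -and ($User.Licenses[$planName] -contains $option)
            # Ignored plans and plans the user lacks always report "off", never a violation.
            if ((-not $plan.Selected) -or (-not $hasPlan)) { $value = 'off' }
            elseif ($assigned -and $checked)               { $value = 'on' }
            elseif ($assigned)                             { $value = 'ON (violation)' }
            elseif ($checked)                              { $value = 'OFF (violation)' }
            else                                           { $value = 'off' }
            [pscustomobject]@{ UPN = $User.UPN; Plan = $planName; Option = $option; Value = $value }
        }
    }
}

$report = foreach ($u in $users) { Get-LicenseValidation -User $u -Rule $rule }

# Equivalent of "Show Only Objects with Violations": keep users with at least one violation row.
$violators = $report | Where-Object Value -like '*(violation)' |
    Select-Object -ExpandProperty UPN -Unique
$report | Where-Object { $violators -contains $_.UPN } | Format-Table -AutoSize
```

In this sample only bob is flagged. carol has no plan at all and bob's option from the ignored plan both report off, which is why a clean report does not by itself show that a user holds the expected licenses.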
Rule configuration:
- Limit the query scope and set the query criteria.
- Specify license options for validation.
Rule Settings
| Setting name | Description |
|---|---|
| Limit AD scope to this domain or OU | This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature. |
| AD query criteria | Query criteria are sent with the query and may improve query performance. TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings. |
| Filter AD query results | Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting. Example: filter by the found object Distinguished Name. TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible. |
| Exclude Office 365 disabled users | This setting allows you to exclude Office 365 disabled users from the rule scope or to include them. |
| License options | Select which Microsoft 365 license plans and options to assign or revoke to Microsoft 365 user accounts. TIP: It is also possible to click Ignore to completely exclude the plan from the rule. In this case, this plan and its options won't be taken into consideration at all. If users already have assigned options from this plan, these options will be kept. If users don't have options from this plan, these options won't be assigned. |
| Show Only Objects with Violations | It is possible to display in the report only those user accounts whose Office 365 license plans and options are different from those specified in the validation rule. |
| Filter Office 365 query results | To hide unwanted data returned by the query, set the filtering conditions. |
| More Options | |
| Returned properties | To display additional properties for each object found by the query, add those properties to the list. |
| Sort by | Sort the list of result objects. |
| Domain controller | Specify the domain controller to run the rule. |
| Credentials | Specify credentials for connecting to the domain controller selected above. |
| Exclude disabled users from hybrid mapping | It is possible to exclude disabled AD user accounts from the hybrid mapping. |
| Exclude shared mailboxes | This option excludes shared mailboxes from query scope. |
| Exclude resources mailboxes | This option excludes resource mailboxes from query scope. |
| Maximum number of users | By default, all objects that you have provisioned in Microsoft Office 365 are returned. TIP: It is possible to change the default value in the extension settings. |
| Initialization script | |
| Initialization script | Usually, rules use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. This is where the initialization script can help: you can initialize a global variable in this setting and then use it in query criteria. IMPORTANT: To use a variable declared in the initialization script in the query scope, it must be global. Example: Update AD users created in the last ten days. |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.
Change History
| Version | Notes |
|---|---|
| 13.1 | The Stop rule if tenant licensing change detected setting has been deprecated. |
| 7.3.0 | The rule supports mapping between the Active Directory user account and Cloud user account by anchor attributes. |
| 6.3.1 | Exclude shared mailboxes setting is added. |
| 6.2.0 | The rule supports linked mailboxes. |
| 5.4.0 | The rule is optimized and updated. |