Rule description
This hybrid rule queries the specified Active Directory scope and, for each returned user account, checks whether the selected license plans are assigned to the user. For each license option in these plans, it validates whether the On/Off state of the option in the rule matches the state in Office 365. License plans that are not selected in the rule are ignored. An Active Directory user account should have a corresponding Office 365 user account with an identical UserPrincipalName (UPN).
When to use this rule
Use this rule if you want to get the report and check the validity of Office 365 licenses assigned to Office 365 user accounts:
- During rule configuration, check license plans and options that should be assigned to Office 365 user accounts.
- Run the rule and open the created report:
  - If a user has a license option assigned and this option is also checked in the rule, you will see the on value in the report next to the corresponding license option.
  - If a user doesn't have a license option assigned and this option is not checked in the rule, you will see the off value in the report next to the corresponding license option.
  - If a user has a license option assigned and this option is not checked in the rule, you will see the ON (violation) value in the report next to the corresponding license option.
  - If a user doesn't have a license option assigned and this option is checked in the rule, you will see the OFF (violation) value in the report next to the corresponding license option.
  - If a user doesn't have the license plan specified in the rule, you will see the off value in the report next to the corresponding license options.
- Rule configuration:
  - Limit the query scope and set the query criteria.
  - Specify license options for validation.
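The report states listed above, modeled as an added PowerShell example (not the product's own code). The plan names, option names, and users are constructed sample data, and Get-LicenseOptionState is a hypothetical helper.

```powershell
# Added example: models the report states described above. Not the product's code.
# Plan names, option names, and users are constructed sample data.

# Options checked (On) or unchecked (Off) in the rule, per selected plan.
$RuleSelection = @{
    'PLAN_A' = @{ 'MAIL' = $true; 'CHAT' = $true; 'FORMS' = $false }
}

# Options currently assigned to each user, per plan the user holds.
$Users = @(
    [pscustomobject]@{ UPN = 'alice@example.test'; Plans = @{ 'PLAN_A' = @('MAIL', 'CHAT') } }
    [pscustomobject]@{ UPN = 'bob@example.test';   Plans = @{ 'PLAN_A' = @('MAIL', 'FORMS') } }
    [pscustomobject]@{ UPN = 'carol@example.test'; Plans = @{ 'PLAN_B' = @('MAIL') } }
)

# Hypothetical helper: maps one option to the value shown in the report.
function Get-LicenseOptionState {
    param([bool]$HasPlan, [bool]$Assigned, [bool]$Checked)
    if (-not $HasPlan)           { return 'off' }             # plan from the rule is missing
    if ($Assigned -and $Checked) { return 'on' }
    if ($Assigned)               { return 'ON (violation)' }  # assigned, unchecked in the rule
    if ($Checked)                { return 'OFF (violation)' } # checked in the rule, not assigned
    return 'off'
}

$Report = foreach ($user in $Users) {
    # Only plans selected in the rule are visited; other plans the user holds are ignored.
    foreach ($plan in $RuleSelection.Keys) {
        $hasPlan = $user.Plans.ContainsKey($plan)
        foreach ($option in ($RuleSelection[$plan].Keys | Sort-Object)) {
            $assigned = $hasPlan -and ($user.Plans[$plan] -contains $option)
            $checked  = $RuleSelection[$plan][$option]
            [pscustomobject]@{
                UPN    = $user.UPN
                Plan   = $plan
                Option = $option
                State  = Get-LicenseOptionState -HasPlan $hasPlan -Assigned $assigned -Checked $checked
            }
        }
    }
}

$Report | Format-Table -AutoSize

# Counterpart of "Show Only Objects with Violations": users with at least one violation.
$Report | Where-Object State -like '*(violation)' | Select-Object -ExpandProperty UPN -Unique
```

Following the states as listed, the user who lacks the selected plan entirely is reported with off values rather than violations, so that user does not appear in the violations-only view.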
Rule Settings
Query Section
Setting name | Description |
---|---|
Limit AD scope to this domain or OU | This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. Important: To test rule configuration, limit the rule scope to an OU that contains test accounts or objects. |
AD query criteria | Query criteria are sent with the query and may improve query performance. Tip: For different samples on the criteria builder, see KB20180410-1. |
Filter AD query results | To hide unwanted data based on criteria that are not supported by the Active Directory query, set the filtering conditions here. Example: filter by the Distinguished Name of the found object. Tip: For optimal performance, use the Query criteria above to filter objects whenever possible. |
Exclude Office 365 disabled users | This setting excludes Office 365 disabled users from the rule scope or includes them. |
License options | Select the Microsoft Office 365 plans that should be validated for user accounts. In these plans, select and unselect options to compare to the options assigned to the user. The rule then reports on each selected option. Tip: If the license options assigned to a user account differ from the license options checked in the rule, you will see a Violation mark in the report. |
Show Only Objects with Violations | The report can display only those user accounts whose Office 365 license plans and options differ from those specified in the validation rule. |
Stop rule if tenant licensing change detected | It is recommended to stop the rule execution if a tenant licensing change is discovered. Tip: If a licensing change is detected, you should click Update License in Microsoft Office 365 extension. For details, see KB20181017-1. |
Filter Office 365 query results | To hide unwanted data returned by the query, set the filtering conditions. |
More options | |
Returned properties | To display additional Office 365 properties for each object found by the query, add those properties to the list. |
Sort by | Sort the list of result objects. |
Domain controller | Specify the domain controller to run the rule. |
Credentials | Specify credentials for the connection to the domain controller selected above. |
Exclude disabled users from hybrid mapping | Disabled AD user accounts can be excluded from the hybrid mapping. |
Exclude shared mailboxes | Shared mailboxes can be excluded. |
Maximum number of users | The maximum number of users returned from Office 365 by default is 2000. Tip: It is possible to change the default value in Microsoft Office 365 extension settings. |
Initialization Script | |
Script | Usually, rules use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. This is where the initialization script can help: you can initialize a global variable in this setting and then use it in query criteria. Important: To use a variable declared in the initialization script in the query scope, it must be global: $global:<variable name>. Example: Update AD users created in the last ten days. {$global:DatePeriod = (Get-Date).AddDays(-10)} |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
7.3.0 | The rule supports mapping between the Active Directory user account and Cloud user account by anchor attributes. |
6.3.1 | Exclude shared mailboxes setting is added. |
6.2.0 | The rule supports linked mailboxes. |
5.4.0 | The rule is optimized and updated. |