AD Groups | Validate License rule
This hybrid rule queries the specified Active Directory groups and for each user that is a member of these groups, checks if selected license plans are assigned to the user. For each license option in these plans, the rule validates whether the On/Off state of the options in the rule matches the state in Office 365. License plans that are not selected in the rule are ignored. An Active Directory user account should have a corresponding Office 365 user account with an identical UserPrincipalName (UPN).
NOTE: This rule supports linked mailboxes. For more details, please see the Provisioning Linked Mailboxes article.
NOTE: This rule also supports mapping between an Active Directory user account and a Cloud user account by anchor attributes. For details, please see the How to map Active Directory users to Office 365 cloud users article.
When to use this rule
Use this rule if you want to get a report and check the validity of Office 365 licenses assigned to Office 365 user accounts by AD group membership:
- During rule configuration, check the license options that should be assigned to Office 365 user accounts.
- Run the rule and open the created report:
  - If a user has a license option assigned and this option is also checked in the rule, you will see the on value in the report next to the corresponding license option.
  - If a user doesn't have a license option assigned and this option is not checked in the rule, you will see the off value in the report next to the corresponding license option.
  - If a user has a license option assigned and this option is not checked in the rule, you will see the ON (violation) value in the report next to the corresponding license option.
  - If a user doesn't have a license option assigned and this option is checked in the rule, you will see the OFF (violation) value in the report next to the corresponding license option.
  - If a user doesn't have the license plan specified in the rule, you will see the off value in the report next to the corresponding license options.
NOTE: If you don't select a license plan, this plan will be ignored by the rule and won't be checked. Thus, even if the user has this plan assigned, the report will contain the off value for every license option in this plan.
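The report states listed above can be modelled in a few lines, which helps when checking an exported report against the values you expect. This is an added example, not code from the product: the function names, plan and option names, group contents and UPNs are constructed assumptions, and it also applies the Exclude AD Group Members and Show Only Objects with Violations settings described under Rule Settings.

```python
# Added example: models the report states described above on constructed data.

def option_state(assigned, checked):
    """Report value for one option when the plan is selected and the user holds it."""
    if assigned == checked:
        return "on" if assigned else "off"
    return "ON (violation)" if assigned else "OFF (violation)"

def validate_user(user_plans, rule_plans, catalog):
    """user_plans / rule_plans map plan -> set of options that are enabled / checked."""
    report = {}
    for plan, options in catalog.items():
        for opt in options:
            if plan not in rule_plans or plan not in user_plans:
                # Plan not selected in the rule, or user lacks the plan: "off".
                report[(plan, opt)] = "off"
            else:
                report[(plan, opt)] = option_state(
                    opt in user_plans[plan], opt in rule_plans[plan])
    return report

def run_rule(include, exclude, licenses, rule_plans, catalog, only_violations=False):
    """Validate members of the included groups minus members of the excluded groups."""
    scope = set().union(*include) - set().union(*exclude)
    result = {}
    for upn in sorted(scope):
        rep = validate_user(licenses.get(upn, {}), rule_plans, catalog)
        if only_violations and not any("violation" in s for s in rep.values()):
            continue
        result[upn] = rep
    return result

# Constructed sample data; plan and option names are placeholders, not real SKUs.
CATALOG = {"PLAN_A": ["MAIL", "CHAT"], "PLAN_B": ["FORMS"]}
RULE = {"PLAN_A": {"MAIL"}}  # PLAN_B is not selected, so the rule ignores it
LICENSES = {
    "ann@example.com": {"PLAN_A": {"MAIL"}, "PLAN_B": {"FORMS"}},
    "bob@example.com": {"PLAN_A": {"CHAT"}},
    "cat@example.com": {},
}
SALES = {"ann@example.com", "bob@example.com", "cat@example.com", "dan@example.com"}
CONTRACTORS = {"dan@example.com"}  # stands in for an excluded group

if __name__ == "__main__":
    for upn, rep in run_rule([SALES], [CONTRACTORS], LICENSES, RULE, CATALOG).items():
        print(upn, rep)
```

Note that a user who holds an unselected plan (ann with PLAN_B here) still shows off for its options, so an off value alone does not prove the option is unassigned in the tenant.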
Rule configuration:
- Specify the list of AD groups.
- Specify the license options for validation.
Rule Settings
| Setting name | Description |
|---|---|
| Query Settings | |
| Include AD Group Members | Specify the Distinguished Names of the AD groups whose members will be assigned Office 365 licenses. |
| Properties to Display | Each object property defined in this setting matches a column that will be displayed in the Web Portal for this web query. To display additional columns, add the required properties to the Properties to display list. To add extension attribute 1 that is synchronized from AD, you need to use a value like: |
| Sort by | Sort the resulting object list. |
| License options | Select which Microsoft 365 license plans and options to assign to or revoke from Microsoft 365 user accounts. TIP: It is also possible to click Ignore to completely exclude the plan from the rule. In this case, this plan and its options won't be taken into consideration at all. If users already have assigned options from this plan, these options will be kept. If users don't have options from this plan, these options won't be assigned. |
| Show Only Objects with Violations | It is possible to display in the report only those user accounts whose Office 365 license plans and options differ from those specified in the validation rule. |
| More Options | |
| Exclude AD Group Members | Specify the Distinguished Names of the AD groups whose members will be excluded from Office 365 license assignment. TIP: Use this setting to exclude some group members from Office 365 license assignment. If the group specified in Include AD Group Members contains the same members as the group specified in Exclude AD Group Members, these users won't be assigned Office 365 licenses. |
| Exclude disabled users from hybrid mapping | It is possible to exclude disabled AD user accounts from the hybrid mapping. |
| Exclude shared mailboxes | It is possible to exclude shared mailboxes. |
| Maximum number of users | By default, all objects that you have provisioned in Microsoft Office 365 are returned. TIP: It is possible to change the default value in the extension settings. |
| Initialization script | |
| Initialization script | Usually, rules use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. This is where the initialization script can help: you can initialize a global variable in this setting and then use it in query criteria. IMPORTANT: To use a variable declared in the initialization script in the query scope, it must be global: Example: Update AD users created in the last ten days. |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.
Change History
| Version | Notes |
|---|---|
| 13.1 | The Stop rule if tenant licensing change detected setting has been deprecated. |
| 7.3.0 | The rule supports mapping between Active Directory user account and Cloud user account by anchor attributes. |
| 6.3.1 | Exclude shared mailboxes setting is added. |
| 6.2.0 | The rule supports linked mailboxes. |
| 5.4.0 | The rule was optimized and updated. |