AD Users | Enforce License rule (deprecated)

IMPORTANT: License assignment rules created before the 9.1.0 release make use of APIs that Microsoft is retiring on August 26, 2022. These rules must be migrated to their corresponding new versions before this time or the functionality will stop working. Deprecated rules can be deleted after migration. Please see this article for details: Deprecated Rules.

This hybrid rule queries the specified Active Directory scope and each user that satisfies specific criteria assigns the selected Office 365 license plans and options to the Office 365 account with an identical UserPrincipalName (UPN).

It is possible to use Ignore option to completely exclude the license plan from the rule. In this case, this licensing plan and its options will be ignored by the rule. If a user already has assigned options from this plan, these options will be preserved. If a user doesn't have the options from this plan, these options won't be assigned.

NOTE: Starting from version 6.2.0, this rule supports linked mailboxes. For more details please see Provisioning Linked Mailboxes in Cayosoft Administrator article.

Starting from version 7.3.0, this rule also supports mapping between Active Directory user account and Cloud user account by anchor attributes. For details, please see How to map Active Directory users to Office 365 cloud users article.

Video Tutorial

When to use this rule

These are some typical license assignment scenarios, supplied with recommendations on an optimal configuration for the rule settings.

1. Assign Office 365 license to newly created user accounts that have not been licensed:

   1. You can configure the rule to assign a license to recently created accounts only. For more information on how to do this, please see the Initialization script setting described below.

   2. Set the Apply to unlicensed users only setting to Yes to enforce licenses only to unlicensed users.

   3. Set the Exclude Office 365 disabled users setting to Yes to exclude Office 365 disabled user accounts.

   4. Set the Exclude disables users from hybrid mapping setting to Yes to exclude disabled Active Directory user accounts.

   5. As usage location is mandatory to assign a license to an Office 365 user account, set the Change Usage Location only if not set setting to Yes and pick a value for the Usage Location setting.

   6. For the License options setting, select the plan to be assigned and configure its options.

2. Ensure that all users in the scope have specific license plans and options assigned, and other conflicting plans revoked:

   1. Set Apply to unlicensed users only setting to No.

   2. Set the Exclude Office 365 disabled users and Exclude disables users from hybrid mapping settings to Yes to only include live user accounts.

   3. For the License options setting, select the plan to be assigned and configure its options. Set the Revoke setting for conflicting plans. Set the Ignore setting for all the other plans.

3. Add or remove license plan or option in bulk, to all users in the specified scope:

   1. Set Apply to unlicensed users only setting to No.

   2. Set the Exclude Office 365 disabled users and Exclude disables users from hybrid mapping settings to Yes only to include live user accounts.

   3. For the License options setting, select the plan or option to be assigned. Set Ignore setting for all the other plans.

Rule configuration:

1. Query section: limit the query scope and set the query criteria.

1. Action section: specify license options to enforce to Office 365 users.

1. Select the Ignore option next to the plans you want to exclude from the rule execution and preserve its current assignment state on users.

Setting name	Description
Query Section
Limit scope to this domain or OU	This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature.
Query criteria	Query criteria are sent with the query and may improve query performance. TIP: For different samples on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings.
Filter	To hide unwanted data based on criteria, not supported by the query, set the filtering conditions here. Example: filter by the found object Distinguished Name. TIP: For optimal performance, use the Query criteria above to filter objects whenever possible.
Apply to unlicensed users only	It is possible to apply licenses to unlicensed users only or all users, independently of whether they are licensed or not. TIP: Configuring this setting to Yes will significantly improve performance for initial license assignment to newly created user accounts.
Exclude Office 365 disabled users	This setting allows you to exclude Office 365 disabled users from the rule scope or to include them.
Filter Office 365 query results	To hide unwanted data returned by the query, set the filtering conditions.
More options
Returned properties	To display additional properties for each object found by the query, add those properties to the list.
Sort by	(missing or bad snippet)
Exclude disabled users from hybrid mapping	Excludes disabled AD user accounts from the hybrid mapping is possible.
Exclude shared mailboxes	Excludes shared mailboxes is possible.
Maximum number of users	By default, all objects that you have provisioned in Microsoft Office 365 are returned. TIP: It is possible to change the default value in the extension settings.
Stop rule if errors exceed	Too many errors may indicate rule misconfiguration or problems with connectivity. Set this value to some integer value, indicating the number of occurred errors, when the rule execution must stop.
Stop rule if tenant licensing change detected	It is recommended to stop the rule execution if a tenant licensing change is discovered. TIP: If licensing change is detected, you should click Update License in Microsoft 365 extension. For details, see the following article: How to update license cache and rules when the Office 365 license change detected.
Initialization Script
Initialization script	Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>. Example: Update AD users, created in the last ten days. Add this initialization script Copy {$global:DatePeriod = (Get-Date).AddDays(-10)} Use the $DatePeriod variable in the query criteria builder:
Action Section
License options	Select which Microsoft 365 license plans and options to assign or revoke to Microsoft 365 user accounts. TIP: It is also possible to click Ignore to completely exclude the plan from the rule. In this case, this plan and its options won't be taken into consideration at all. If users already have assigned options from this plan, these options will keep. If users don't have options from this plan, these options won't be assigned.
License update order	Select a method to assign selected license plans and options: Revoke Previous then Assign New. Assign New then Revoke Old - this setting is deprecated Revoke Previous then Assign New (Restore delegation) - this setting is used for Office 365 mailboxes only. NOTE: In most cases Revoke Previous then Assign New option should be used. Please contact Cayosoft support before changing the default value.
Change UsageLocation only if not set	It is possible to keep the current user's usage location or change it to a new one.
Usage Location	Select the usage location. IMPORTANT: If Microsoft 365 user accounts don't have a location attribute set, Microsoft 365 license won't be applied to them, and the rule will stop with the error. If you use Usage Location from AD value for this setting, you must be sure all Active Directory user accounts, that fall under this rule, have the country set. If the country that is specified for the Active Directory user account is different from the value of the usage location that is specified in this rule then the Country\region setting will be empty when you open Microsoft 365 License web action for the user. That is to info the administrator that Contry\region is different for Active Directory and Microsoft 365 user accounts.

Output Section

This section defines the output format of this rule.

To get more information about this section, please see the Rule Output section article.

Enforce/Schedule section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Rule Enforce/Schedule section article.

Change History

Version	Notes
9.1.0	Domain Controller and Credentials settings have been removed.
7.3.0	The rule supports mapping between the Active Directory user account and the Cloud user account by anchor attributes.
6.3.1	Exclude shared mailboxes setting is added.
6.2.0	The rule supports linked mailboxes.
5.4.0	The rule is optimized and updated, and new License options control added. The rule supports linking to web actions as rules to run after the web action.