Microsoft 365 Groups | Enforce Licenses rule
Rule description
This rule queries the specified Microsoft 365 group and assigns the selected Microsoft 365 license plans and options to each group member.
The rule allows you to:
Assign or unassign required Microsoft 365 licenses for group members.
Update applications and services within already assigned licenses.
Ignore or unassign assigned licenses by setting All other licenses to Ignore or Unassign.
License Behavior:
Ignore: If a user already has assigned options from this plan, they will be preserved. If not, the options will not be assigned.
Unassign: The license, along with all its applications and services, will be removed.
When to use this rule
Below are common license assignment scenarios with recommended rule configurations:
-
Assign Microsoft 365 licenses to new, unlicensed users
Specify an Azure AD Administrative Unit.
Set Include licensed users to Licensed users only to enforce licenses only for unlicensed users.
Set User state to Show enabled only to exclude disabled Microsoft 365 user accounts.
Configure License options to select the plan and its specific options.
-
Ensure all group members have a specific license while revoking conflicting plans
Set Include licensed users to All users.
Set User state to Enabled to exclude disabled Microsoft 365 user accounts.
Select the plan to assign in License options and configure its settings.
Set Unassign for conflicting plans and Ignore for all others.
-
Bulk add or remove a license plan or option for all users in scope
Set Include licensed users to All users.
Set User state to Enabled to exclude disabled Microsoft 365 user accounts.
Select the license plan or option in License options and configure its settings.
Set Ignore for all other plans.
Rule configuration
Query section – Specify Microsoft 365 groups.
Action section – Define license plans and options to apply to Microsoft 365 users.
Use Enable or Disable to apply changes to specific license plans and options.
Select Ignore for plans that should be excluded from rule execution while preserving their current assignment state on users.
This rule ensures efficient license management by enforcing the correct assignments while maintaining flexibility for existing licenses.
Query section
| Setting name | Description |
|---|---|
Include MS365 Group members |
Specify cloud-only Microsoft 365 Group. TIP: Synced groups are not available for selection. If you want to assign the licenses based on synced groups, you need to use another rule: AD Groups | Enforce License rule. |
Other Query Settings | |
Properties to Display |
To display additional Microsoft 365 properties for each object found by the query, add those properties to the list. |
Sort by |
Sort result objects list. |
| Post-query filter |
Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting. Example: filter by the found object Distinguished Name. TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible. |
| Sort by | Sort result objects list. |
| Maximum number of users |
By default, all objects that you have provisioned in Microsoft Office 365 are returned. TIP: It is possible to change the default value in the extension settings. |
| MS Graph query condition (OData) |
By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting. See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings. |
Initialization script | |
| Script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: Example: Update AD users, created in the last ten days.
|
Action section
| Setting name | Description |
|---|---|
License options |
Select which Microsoft 365 license plans and options to assign or revoke to Microsoft 365 user accounts. TIP: It is also possible to click Ignore to completely exclude the plan from the rule. In this case, this plan and its options won't be taken into consideration at all. If users already have assigned options from this plan, these options will keep. If users don't have options from this plan, these options won't be assigned. |
Change Usage Location only if not set |
Specify whether to keep the current user's usage location or change it to a new one. |
Usage Location |
Select the usage location. IMPORTANT: If Microsoft 365 user accounts don't have a location attribute set, Microsoft 36 license won't apply to them, and the rule will stop with the error. If you use Usage Location from AD value for this setting, you must be sure all Active Directory user accounts, that fall under this rule this, have a location attribute set. |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule Section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.
Comments
0 comments
Please sign in to leave a comment.