Skip to main content

Articles in this section

See more
Print

Microsoft 365 Users | Enforce License

  • Updated

Microsoft 365 Users | Enforce License

Rule description

This rule queries Microsoft 365 and assigns the selected Microsoft 365 license plans and options to users who meet specific criteria.

The rule allows assigning or unassigning required Microsoft 365 licenses and updating applications and services within the assigned licenses. Additionally, assigned licenses can be ignored or unassigned by setting All other licenses to Ignore or Unassign.

  • Ignore: If a user already has assigned options from this plan, these options will be preserved. If a user does not have these options, they will not be assigned.

  • Unassign: The license itself and all its associated apps and services will be removed.

When to use this rule

Below are common license assignment scenarios along with recommendations for optimal rule configuration:

Assign a Microsoft 365 license to newly created, unlicensed user accounts

  • Specify the Azure AD Administrative Unit.

  • Set Include licensed users to Licensed users only to enforce licenses only for unlicensed users.

  • Set User state to Show enabled only to exclude disabled Microsoft 365 user accounts.

  • Under License options, select the plan to be assigned and configure its options.

Ensure that all users in scope have specific license plans and options while revoking conflicting plans

  • Set Include licensed users to All users.

  • Set User state to Enabled to exclude disabled Microsoft 365 user accounts.

  • Under License options, select the plan to be assigned and configure its options.

  • Set Unassign for conflicting plans.

  • Set Ignore for all other plans.

Add or remove a license plan or option in bulk for all users in the specified scope

  • Set Include licensed users to All users.

  • Set User state to Enabled to exclude disabled Microsoft 365 user accounts.

  • Under License options, select the plan or option to be assigned.

  • Set Ignore for all other plans.

Rule configuration

  • Query section: Define the query scope and criteria.

  • Action section: Specify the license plans and options to enforce for Microsoft 365 users. Use Enable or Disable next to license plans and options.

To preserve a license plan’s current assignment state on users, select Ignore next to the plan.

Query section

Setting name Description
General Settings

Limit scope to this Azure AD Administrative Unit

This setting defines the search query scope. To improve query performance, limit the scope to a specific Entra ID administrative unit.

IMPORTANT: To test the rule configuration, limit the rule scope to an administrative unit that contains test accounts or objects.

Query criteria

 

 (missing or bad snippet)

User state

Specify the user state to include in the query:

  • Any

  • Enabled

  • Disabled

Include licensed users

This setting allows for the inclusion of only licensed or unlicensed users or all users.

MS365 user mailbox type

Specify user mailbox type to include in the query:

  • Any

  • User

  • Shared

  • Room

  • Equipment

User type

Specify user type to include in the query:

  • All user types

  • Member 

  • Guest

Filter by licenses

You can filter users by assigned licenses and apps/services:

License filter conditions are split into two groups: filter by licenses and filter by apps/services.

Licenses can be filtered by ALL, ANY, and NOT:

  • ALL - user must have all listed licenses assigned

  • ANY - user must have at least one listed license assigned

  • NOT - user must not have any listed licenses assigned.

Apps/services filter conditions:

  • ENABLED (all specified) and DISABLED (all specified):

  • ENABLED (all specified) - user must have all listed apps/services

  • DISABLED (all specified) - user must not have all listed apps/services.

Also, you can add filtering by inheritance of assigned applications and services:

  • Filter by direct or inherited (GBL) assignments

  • Filter by direct assignments only

  • Filter by inherited assignments (GBL).

Other Query Settings

Properties to display

Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query.

To display additional columns, add the required properties to the Properties to display list.

To add extension attribute 1 that is synchronized from AD, you need to use a value like:

Copy
"OnPremisesExtensionAttributes/extensionAttribute1~Extension Attribute 1"

System properties

List of properties required for this rule to be executed correctly.

Post-query filter

To hide unwanted data based on criteria, not supported by the Microsoft 365 query criteria above, set the filtering conditions here.

TIP: For optimal performance, use the Query criteria above to filter objects whenever possible.

Sort by

Sort result objects list.

Maximum number of users

By default, all objects that you have provisioned in Microsoft Office 365 are returned.

TIP: It is possible to change the default value in the extension settings.

MS Graph query condition (OData)

By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting.

See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings.

Initialization script

Script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

  1. Add this initialization script

    Copy
    {$global:DatePeriod = (Get-Date).AddDays(-10)}

  2. Use the $DatePeriod variable in the query criteria builder:

Action section

Setting name Description

License options

Select which Microsoft 365 license plans and options to assign or revoke to Microsoft 365 user accounts.

TIP: It is also possible to click Ignore to completely exclude the plan from the rule. In this case, this plan and its options won't be taken into consideration at all. If users already have assigned options from this plan, these options will keep. If users don't have options from this plan, these options won't be assigned.

Change UsageLocation only if not set

Specify whether to keep the current user's usage location or change it to a new one.

Usage Location

Select the usage location.

IMPORTANT: If Microsoft 365 user accounts don't have a location attribute set, Microsoft 36 license won't apply to them, and the rule will stop with the error. If you use Usage Location from AD value for this setting, you must be sure all Active Directory user accounts, that fall under this rule this, have a location attribute set.

Output Section

This section defines the output format of this rule.

To get more information about this section, please see the Rule Output section article.

Enforce/Schedule Section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Rule Enforce/Schedule section article.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.