Rule description
This hybrid rule queries the specified Active Directory groups and, for each member of these groups, assigns the selected Microsoft 365 license and its applications and services to the Microsoft 365 account with an identical UserPrincipalName (UPN).
The rule allows assigning/unassigning required Microsoft 365 licenses to the members of the specified groups and updating applications and services in the licenses that are already assigned. Also, assigned licenses can be ignored or unassigned by setting All other licenses to Ignore or Unassign.
The Ignore value means that if a user already has assigned options from this plan, these options will be preserved. If a user doesn't have the options from this plan, these options won't be assigned.
The Unassign value means that the license itself and all its apps/services will be unassigned.
When to use this rule
These are some typical license assignment scenarios, supplied with the recommendations on an optimal configuration for the rule settings.
- Assign a specific Microsoft 365 license plan with its options to newly created user accounts in the selected groups:
  - You can configure the rule to assign a license to recently created accounts only. For more information on how to do this, please see the Initialization script setting described below.
  - Specify the Include AD group members/Exclude AD group members settings.
  - Set the Include licensed users setting to Licenses users only to enforce licenses only on unlicensed users.
  - Set the Exclude MS 365 disabled users setting to Yes to exclude Microsoft 365 disabled user accounts.
  - Set the Exclude AD disabled users setting to Yes to exclude disabled Active Directory user accounts.
  - As a usage location is mandatory to assign a license to a Microsoft 365 user account, set the Change UsageLocation only if not set setting to Yes and pick a value for the Usage Location setting.
  - For the License options setting, select the licenses to be assigned and configure their apps/services.
- Ensure that all members of the group have a specific license assigned, and other conflicting plans revoked:
  - Set Include licensed users to All users.
  - Set the Exclude MS 365 disabled users setting and the Exclude AD disabled users setting to Yes to only include live user accounts.
  - For the License options setting, select the licenses to be assigned and configure their apps/services. Set Unassign for conflicting licenses. Set Ignore for all other licenses.
- Add or remove license applications and services in bulk, for all members of the selected groups:
  - Set Include licensed users to All users.
  - Set the Exclude MS 365 disabled users setting and the Exclude AD disabled users setting to Yes to only include live user accounts.
  - For the License options setting, select the licenses to be updated and configure their apps/services.
  - Set Ignore for all the other licenses.
Rule configuration:
- Query section: specify AD groups
- Action section: specify license options to enforce on Microsoft 365 user accounts
Query Section
Setting name | Description |
---|---|
General Settings | |
Include AD group Members | Specify the Distinguished Names of the AD groups whose members will be assigned Microsoft 365 licenses. |
Exclude AD group Members | Specify the Distinguished Names of the AD groups whose members will be excluded from Microsoft 365 license assignment. Tip: Use this setting to exclude some group members from Microsoft 365 license assignment. If the group specified in Include AD group Members contains the same members as the group specified in Exclude AD group Members, these users won't be assigned Microsoft 365 licenses. |
Microsoft 365 query criteria | Query criteria are sent with the query and may improve query performance. Tip: For different samples on the criteria builder, see KB20180410-1. |
Filter Microsoft 365 filter | To hide unwanted data based on criteria not supported by the Active Directory and Microsoft 365 query criteria above, set the filtering conditions here. Example: Filter by the found object's Distinguished Name. Tip: For optimal performance, use the Query criteria above to filter objects whenever possible. |
Exclude MS365 disabled users | This setting excludes Microsoft 365 disabled users from the rule scope or includes them. |
Exclude AD disabled users | This setting excludes AD-disabled users from the rule scope or includes them. |
Exclude shared mailboxes | This setting excludes shared mailboxes from the rule scope or includes them. |
Include licensed users | This setting includes only licensed users, only unlicensed users, or all users. |
Licensing Filters | |
Filter by licenses | You can filter users by assigned licenses and apps/services. You can also add filtering by inheritance of assigned applications and services. |
Other Query Settings | |
Properties to display | To display additional Microsoft 365 properties for each object found by the query, add those properties to the list. |
System properties | List of properties required for this rule to be executed correctly. |
Sort by | Sorts the list of result objects. |
Maximum number of users | The maximum number of users returned from Active Directory. Tip: It is possible to change the default value in Microsoft 365 extension settings. |
MS Graph query condition (OData) | By default, Query criteria are used. When the MS Graph query condition is specified, it overrides the Query criteria setting. See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings. |
Initialization script | |
Script | Usually, rules use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. This is where the initialization script can help: you can initialize a global variable in this setting and then use it in query criteria. Important: To use a variable declared in the initialization script in the query scope, it must be global: $global:<variable name>. Example: Update AD users created in the last ten days: {$global:DatePeriod = (Get-Date).AddDays(-10)} |
Action Section
Setting name | Description |
---|---|
License options | Select which Microsoft 365 licenses and apps/services should be updated for the users. A license's apps and services can be set to Enable, Disable or Ignore. The All other licenses setting applies to all licenses that are not specified in License options; they can be ignored or unassigned. |
Change UsageLocation only if not set | Specify whether to keep the user's current usage location or change it to a new one. |
Usage Location | Select the usage location. Important: If Microsoft 365 user accounts don't have a location attribute set, the Microsoft 365 license won't be applied to them, and the rule will stop with an error. If you use the Usage Location from AD value for this setting, you must be sure that all Active Directory user accounts that fall under this rule have the country set. If the country specified for the Active Directory user account is different from the usage location specified in this rule, the Country\region setting will be empty when you open the Microsoft 365 License web action for the user. This informs the administrator that Country\region is different for the Active Directory and Microsoft 365 user accounts. |
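
How the License options and All other licenses settings combine into a change plan for one user, as an added PowerShell example (not Cayosoft code). The function name Get-LicenseChangePlan and the SKU_/SVC_ names are hypothetical; it assumes every service of a configured license is listed in the options, and that a per-service Ignore follows the same keep-the-current-state reading the page gives for Ignore.

```powershell
# Added illustration; not Cayosoft code. Function, SKU and service names are hypothetical.
function Get-LicenseChangePlan {
    param(
        [hashtable]$CurrentLicenses,   # SKU -> services currently disabled for the user
        [hashtable]$LicenseOptions,    # SKU -> @{ service = 'Enable' | 'Disable' | 'Ignore' }
        [ValidateSet('Ignore', 'Unassign')]
        [string]$AllOtherLicenses = 'Ignore'
    )
    $assign = @()
    foreach ($sku in $LicenseOptions.Keys) {
        $hasSku   = $CurrentLicenses.ContainsKey($sku)
        $disabled = @()
        foreach ($service in $LicenseOptions[$sku].Keys) {
            switch ($LicenseOptions[$sku][$service]) {
                'Disable' { $disabled += $service }
                'Ignore'  {
                    # Assumption: keep the current state; a service the user lacks stays off.
                    if (-not $hasSku -or $CurrentLicenses[$sku] -contains $service) {
                        $disabled += $service
                    }
                }
                # 'Enable' contributes nothing to the disabled list.
            }
        }
        $assign += [pscustomobject]@{ Sku = $sku; DisabledServices = @($disabled | Sort-Object) }
    }
    $unassign = @()
    if ($AllOtherLicenses -eq 'Unassign') {
        # Licenses the user holds that the rule does not configure are removed whole.
        $unassign = @($CurrentLicenses.Keys |
            Where-Object { -not $LicenseOptions.ContainsKey($_) } | Sort-Object)
    }
    [pscustomobject]@{ Assign = $assign; Unassign = $unassign }
}

# Constructed sample: the user holds SKU_A (SVC_CHAT disabled) and SKU_B (all enabled).
$current = @{ SKU_A = @('SVC_CHAT'); SKU_B = @() }
$options = @{
    SKU_A = @{ SVC_MAIL = 'Enable'; SVC_SITES = 'Disable'; SVC_CHAT = 'Ignore'; SVC_FEED = 'Ignore' }
}
$plan = Get-LicenseChangePlan -CurrentLicenses $current -LicenseOptions $options -AllOtherLicenses Unassign
$plan.Assign | Format-Table -AutoSize
$plan.Unassign
```

Running it with -AllOtherLicenses Ignore instead leaves SKU_B out of the Unassign list, which is the difference to check before pointing the rule at a group whose members hold licenses granted outside the rule.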
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
9.1.0 | The rule has been added to the product. |