Rule description
This rule queries Microsoft 365 and for each user that satisfies specific criteria assigns the selected Microsoft 365 license plans and options.
The rule allows assigning/unassigning required Microsoft 365 licenses to the users and updating applications and services in the licenses that are already assigned. Also, assigned licenses can be ignored or unassigned by setting All other licenses to Ignore or Unassign.
Ignore value means that if a user already has assigned options from this plan, these options will be preserved. If a user doesn't have the options from this plan, these options won't be assigned.
Unassign means that the license itself and all its' apps/services will be unassigned.
When to use this rule
These are some typical license assignment scenarios, supplied with the recommendations on an optimal configuration for the rule settings:
-
Assign Microsoft 365 license to newly created Microsoft 365 user accounts that have not been licensed:
- Specify Azure AD Administrative Unit.
- Set the Include licensed users to Licenses users only to enforce licenses only to unlicensed users.
- Set the User state setting to Show enabled only to exclude Microsoft 365 disabled user accounts.
- For the License options setting, select the plan to be assigned and configure its option.
- Ensure that all users in the scope have specific license plans and options assigned, and other conflicting plans revoked:
- Set Include licensed users to All users.
- Set the User state setting to Enabled to exclude Microsoft 365 disabled user accounts.
- For the License options setting, select the plan to be assigned and configure its options. Set Unassign setting for conflicting plans. Set Ignore setting for all the other plans.
-
Add or remove license plan or option in bulk, to all users in the specified scope:
- Set Include licensed users to All users.
- Set the User state setting to Enabled to exclude Microsoft 365 disabled user accounts.
- For the License options setting, select the plan or option to be assigned. Set Ignore setting for all the other plans.
Rule configuration:
-
Query section: limit the query scope and set the query criteria
-
Action section: specify license plans and options to enforce Microsoft 365 users. Set Enable or Disable next to license plans and options.
- Select Ignore option next to the plans you want to exclude from the rule execution and preserve its current assignment state on users.
Rule Settings
Query Section
Setting name | Description |
---|---|
General Settings | |
Limit scope to this Azure AD Administrative Unit |
You can select Azure AD Administrative Unit to limit the Web Query scope. By default, the value is taken from the Virtual Admin Unit setting. Important: To test rule configuration, limit the rule scope to an Azure AD AU that contains test accounts or objects.
|
Query criteria
|
Query criteria are sent with the query and may improve query performance. Tip: For different samples on the criteria builder, see KB20180410-1.
|
User state |
Specify the user state to include in the query:
|
Include licensed users |
This setting allows for the inclusion of only licensed or unlicensed users or all users. |
MS365 user mailbox type |
Specify user mailbox type to include in the query:
|
User type |
Specify user type to include in the query:
|
Filter by licenses |
You can filter users by assigned licenses and apps/services:
Also, you can add filtering by inheritance of assigned applications and services:
|
Other Query Settings |
|
Properties to display |
To display additional Microsoft 365 properties for each object found by the query, add those properties to the list. |
System properties |
List of properties required for this rule to be executed correctly. |
Post-query filter |
To hide unwanted data based on criteria, not supported by the target system in the query criteria, set the filtering conditions here. Tip: For optimal performance, use the Query criteria above to filter objects whenever possible.
|
Sort by |
Sort result objects list. |
Maximum number of users |
The maximum number of users returned from Microsoft 365 by default is 2000. Tip: It is possible to change the default value in Microsoft Microsoft 365 extension settings.
|
MS Graph query condition (OData) |
By default, Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting. See this article for examples: How to use Query Builder dialog for Query Criteria and Filter rule settings – Cayosoft Help Center. |
Initialization script |
|
Script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. Important: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.
Example: Update AD users, created in the last ten days.
{$global:DatePeriod = (Get-Date).AddDays(-10)}
|
Action Section
Setting name | Description |
---|---|
License options |
Select which Microsoft 365 licenses and apps/services should be updated for the users:
License's apps and services can be set to Enable, Disable or Ignore. All other licenses settings mean all other licenses that are not specified in License options. They can be ignored or unassigned. |
Change UsageLocation only if not set |
Specify whether to keep the current user's usage location or change it to a new one. |
Usage Location |
Select the usage location. Important: If Microsoft 365 user accounts don't have a location attribute set, Microsoft 365 license won't be applied to them, and the rule will stop with the error. |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
9.1.0 | The rule has been added to the product. |
Comments
0 comments
Please sign in to leave a comment.