Microsoft 365 Users with Licenses rule

Limit scope to this Azure AD Administrative Unit

You can select Azure AD Administrative Unit to limit the Web Query scope.

By default, the value is taken from the Virtual Admin Unit setting.

Query criteria

Query criteria are sent with the query and may improve query performance.

User state

Specify the user state to include in the query:

1. Any
2. Enabled
3. Disabled

Include licensed users

This setting allows for the inclusion of only licensed or unlicensed users or all users.

MS365 user mailbox type

Specify user mailbox type to include in the query:

1. Any
2. User
3. Shared
4. Room
5. Equipment

User type

Specify user type to include in the query:

1. All user types
2. Member 
3. Guest

Filter by licenses

You can filter users by assigned licenses and apps/services:

1. License filter conditions are split into two groups: filter by licenses and filter by apps/services.
2. Licenses can be filtered by ALL, ANY, and NOT:
   1. ALL - users must have all listed licenses assigned
   2. ANY - user must have at least one listed license assigned
   3. NOT - user must not have any listed licenses assigned.
3. Apps/services filter conditions: ENABLED (all specified) and DISABLED (all specified):
   1. ENABLED (all specified) - user must have all listed apps/services
   2. DISABLED (all specified) - user must not have all listed apps/services.

Also, you can add filtering by inheritance of assigned applications and services:

1. Filter by direct or inherited (GBL) assignments
2. Filter by direct assignments only
3. Filter by inherited assignments (GBL).

Show license assignment paths

If set to Yes the output report will include the license assignment paths: direct or inherited (GBL-assigned).

Show service plan details

If set to Yes the output report will include the names of all apps assigned to the user instead aggregate account.

Show service plan status

If set to Yes the output report will include the names and statuses of all apps assigned to the user.

License details separator character

The separator is used when displaying multiple licenses or apps names in a single output column. Possible separators are:

1. Newline 
2. Semicolon
3. Comma 

Include only filtered licenses in output

If set to Yes the output report will only list those assigned licenses that were explicitly included in the filter above. 

Other Query Settings

Properties to Display

To display additional Microsoft 365 properties for each object found by the query, add those properties to the list. 

System properties 

List of properties required for this rule to be executed correctly.

Sort by

Sort result objects list.

To hide unwanted data based on criteria, not supported by the target system in the query criteria, set the filtering conditions here.

Example: filter by the found object Distinguished Name.

Sort result objects list.

The maximum number of users returned from Microsoft 365 by default is 2000.

By default Query criteria are used. But when the MS Graph query condition is specified, it overrides the Query criteria setting.

Example: find all Microsoft 365 user accounts with displayname starting with 'Adam.'

(startswith(displayName,'Adam'))

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

Example: Update AD users, created in the last ten days.

1. Add this initialization script:

{$global:DatePeriod = (Get-Date).AddDays(-10)}

2. Use $DatePeriod variable in query criteria builder: