Forum Discussion
dynamic group based on assigned license
This works perfectly for the dynamic group:
user.assignedPlans -any (assignedPlan.service -eq "TeamspaceAPI" -and assignedPlan.capabilityStatus -eq "Enabled")
To get Service names you can run PowerShell:
Get-AzureADUser -SearchString "UserName" | Select -ExpandProperty AssignedPlans
The whole idea is that you can combine results by part of the name using "contains" (to get all users licensed for AAD, for instance). I use it to get all users with any Teams license for any E or F licenses.
For the license separation you can use a name that only exists for the E3/E5 plan, but you can do the same with Service Plan IDs.
I hope it helped.
Because a long time has passed, I've updated my personal documentation in the meantime, too.
Just in case someone stumbles upon this topic:
I personally prefer using the ServicePlan ID:
- Get ServicePlan ID via PowerShell
  - Get-AzureADUserLicenseDetail -ObjectId $user.objectid | Select-Object -ExpandProperty ServicePlans
- Get ServicePlan ID via Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer)
- Dynamic Rule Query
  - user.assignedPlans -any (assignedPlan.servicePlanId -eq "xxx-xxx-xxx-xxx-xxx" -and assignedPlan.capabilityStatus -eq "Enabled")
- Entra_lover5 Mar 12, 2024 Copper Contributor
Patrick, I am trying to understand what the problem was with your original solution? I am trying to do the same thing right now and was going to use your original solution, but am not following why you weren't happy with it.
Thanks
- PatrickF11 Mar 12, 2024 MCT
Entra_lover5 The ServicePlanName isn't "that unique", as the SKU is. The approach that worked best for me is the one in my latest reply (before this one).
- Entra_lover5 Mar 12, 2024 Copper Contributor
Ahhh, OK, I understand now. I am using the service plan ID, not the name, so I didn't realize. I am not sure I am going to actually need the group as I originally thought. My original plan was to create a dynamic group that tracks people with an Intune license and then use that to apply Intune user Windows policies to, but then I realized this is probably a bad idea because I have non-Intune licensed users who have Business Basic that will be logged in to a few shared device licensed Intune shared PCs. If I do it this way, they won't be applied any policies at all, although I am not 100% clear if they will be applied policies in this situation. Perhaps I have no choice but to apply everything to the device for these few shared (or kiosk) devices that are licensed for Intune multi user shared device.
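The servicePlanId rule from the thread, as an added example that is not part of any post above: it builds the rule string from a validated GUID and evaluates the same `-any` condition locally, showing that both conditions must hold on the same assignedPlan entry. The function names, the two GUIDs and the sample users are constructed for illustration; real IDs come from the cmdlets quoted in the thread.

```powershell
# Constructed placeholder IDs, not real service plan IDs.
$PlanX = '11111111-1111-1111-1111-111111111111'
$PlanY = '22222222-2222-2222-2222-222222222222'

function New-ServicePlanRule {
    # Hypothetical helper: returns the membership rule text for one plan ID.
    param([Parameter(Mandatory)][string]$ServicePlanId)
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($ServicePlanId, [ref]$parsed)) {
        throw "Not a GUID: $ServicePlanId"
    }
    # Same shape as the rule posted in the thread.
    'user.assignedPlans -any (assignedPlan.servicePlanId -eq "{0}" -and assignedPlan.capabilityStatus -eq "Enabled")' -f $parsed
}

function Test-ServicePlanRule {
    # Hypothetical helper: local model of the -any clause.
    param([object[]]$AssignedPlans, [string]$ServicePlanId)
    foreach ($plan in $AssignedPlans) {
        # Both conditions are checked against the SAME entry.
        if ($plan.servicePlanId -eq $ServicePlanId -and
            $plan.capabilityStatus -eq 'Enabled') {
            return $true
        }
    }
    return $false
}

# Constructed sample data shaped like the assignedPlans property.
$users = @(
    [pscustomobject]@{ Name = 'alice'; assignedPlans = @(
        [pscustomobject]@{ servicePlanId = $PlanX; capabilityStatus = 'Enabled' }) },
    # bob holds PlanX only as a removed plan, plus an unrelated enabled plan.
    [pscustomobject]@{ Name = 'bob'; assignedPlans = @(
        [pscustomobject]@{ servicePlanId = $PlanX; capabilityStatus = 'Deleted' },
        [pscustomobject]@{ servicePlanId = $PlanY; capabilityStatus = 'Enabled' }) }
)

New-ServicePlanRule -ServicePlanId $PlanX
foreach ($u in $users) {
    $match = Test-ServicePlanRule -AssignedPlans $u.assignedPlans -ServicePlanId $PlanX
    '{0}: {1}' -f $u.Name, $match
}
```

The second sample user is the case to check before targeting policy at such a group: an enabled plan and the wanted plan ID both appear on the account, but not on the same entry, so the rule does not match.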