dynamic group based on assigned license

PatrickF11 · ‎Jul 11 2019

Hi,

is it possible to create a group with users based on a assigned license?

So i want to include all users into this specific group who has e.g. an E3 license assigned, but not an E5.

It seems, that the only way is to use the a ServicePlan name, not a SKU name, isn't it?

Even better would be a dynamic membership rule based on the SKU, not on a ServicePlan.

What i tried to do:

1. Get-MsolAccountSKU to find out the SKU name

2. Created a dynamic group without knowing which syntax to use :D

3. Used this dynamic membership rule as a workaround:

(user.assignedPlans -any ((assignedPlan.service -match "NAME") -and (assignedPlan.capabilityStatus -eq "Enabled")))

(I found the ServicePlan names via Get-MsolAccountSku | Where-Object {$_.SkuPartNumber -eq “ENTERPRISEPREMIUM”} | ForEach-Object {$_.ServiceStatus}

Thank you ina advance.

Patrick :)

adam deltinger · ‎Jul 11 2019

Why don’t u use licensing groups to assign licenses? If you don’t want to use this group for more, just create a dynamic group that pulls members of it?

PatrickF11 · ‎Jul 11 2019

@adam deltinger I don't want to assign licenses.

I want all users with a specific license to make Self Service Password Reset available.

This is why i want to create a dynamic group with all users with a specific license.

tweetiepie1983 · ‎Jul 11 2019

@PatrickF11

Hi if these users are using dedicated devices, you could set the dynamic group to target device model type. This is how we run our dynamic groups....

PatrickF11 · ‎Jul 11 2019

@tweetiepie1983

Thank you for your suggestion, but i think does not make sense in my environment.

Vasil Michev · ‎Jul 11 2019

@PatrickF11 sadly, this is (one of the many) limitation of the Graph, there's no going around it. Until they give us proper filtering capabilities, but doesn't look like much is happening on that front either.

You can of course always filter them "client-side" and use the resulting set of users to populate some other attribute, which you can then use to create the dynamic membership rule.

Steven-H · ‎Apr 03 2020

You can do this using the following advanced rule

(user.assignedPlans -any (assignedPlan.servicePlanId -eq "<servicePlanId>" -and assignedPlan.capabilityStatus -eq "Enabled"))

You can lookup service plan ids by using the Graph Explorer and looking at licenseDetails on a user that has the desired license assigned.

https://graph.microsoft.com/v1.0/users/someperson@yourdomain.tld/licenseDetails

Look in the resulting output for the specific thing to key off.

Links

Graph Explorer

licenseDetails (Graph API)

PatrickF11 · ‎Apr 07 2020

Hi @Steven-H

Thanks for your reply, this is nearly the same of what i'm using at the moment.

(Except that u use the id and not the name.)

Edit: I didn't think about the approach via the graph, thank you :)

shathaway · ‎Nov 17 2021

@PatrickF11

I was wondering if you have found a solution to creating a dynamic group based on license. I am looking to the do the same.

Thank you,

Steve

D6Boost · ‎Dec 02 2021

@shathaway

This expression appears to be working for me

(user.assignedPlans -all (assignedPlan.service -ne "Unassigned" -and assignedPlan.capabilityStatus -eq "Enabled"))

To use the expression builder :

Set the Property to: assignedPlans

Set the Operator to: all

Set the Value to: (assignedPlan.service -ne "Unassigned" -and assignedPlan.capabilityStatus -eq "Enabled")

PatrickF11 · ‎Dec 02 2021

@D6Boost

Am i missing something? With this you're just querying users who are licensede in any way, isn't it?

The initial quesiton was: How to group EXACT license like "M365 E3", not querying on any SKU which could be part of some other license as well.

@shathaway unfortunatelly not, but i (personally) don't need this anymore. :D

(nevertheless the question is still open.)

DegreeSix · ‎Dec 03 2021

@D6Boost

Scratch this - It looked like it worked to get my licensed users assigned to the group during testing.

In production, this failed horribly.

It turns out that groups, contact, and other items were added to the group because they too do not equal "Unlicensed".

So my dynamic group ended up with 168 members vs. the 35 I was expecting.

I'll post again if I figure this out.

jbrahms-es · ‎Jan 26 2022

@DegreeSix please share if you figure it out.

Right now we're in Intune beta testing with both MS365 E3 and E5 licenses, and EMS E3 and E5s. I want to create a group (or a filter) that will pull users who have that license and change them up to Windows Enterprise.

terocky · ‎Feb 08 2022

@PatrickF11

Hi PatrickF11, Did you find a solution yet? I am trying to do same as i have F3, E1 and E3 license users now.

Ketzpatel · ‎Feb 14 2022

Yes you can do this using any of your serviceplan ID and status. user.assignedPlans -any (assignedPlan.servicePlanId -eq "serviceplanID" -and assignedPlan.capabilityStatus -eq "Enabled")

PatrickF11 · ‎Feb 14 2022

@terocky

You can do this with (assignedPlan.service -match "NAME") as i mentioned in the initial posting or as @Ketzpatel said with the id. Currently i don't know any other / better method.

terocky · ‎Feb 15 2022

@PatrickF11 thanks PatrickF11

DomAnnicette · ‎Mar 08 2022

I just found this (because I'm trying to achieve the same goal). It works fine.
https://365bythijs.be/2020/01/20/creating-a-dynamic-group-with-all-aad-premium-licensed-users/

You can use this as an example to retrieve your subscription ObjectID and then ServicePlanID.

JoshBent · ‎Jul 28 2022

I entered this to the Rule syntax box;

user.assignedPlans -any (assignedPlan.servicePlanId -eq "70d33638-9c74-4d01-bfd3-562de28bd4ba" -and assignedPlan.capabilityStatus -eq "Enabled")

Obviously change the SKU to the product you need which can be found here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-service-plan-refe...

worked perfectly.

PatrickF11 · ‎Jul 29 2022

Thank you Josh, at this moment i already know how to deal with that. :)
The linked article from Thijs Lecomte is really great, although I had to taught this by myself.

dynamic group based on assigned license

dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Re: dynamic group based on assigned license

Products (66)

Special Topics (42)

Video Hub (969)

Most Active Hubs

Most Active Hubs

Video Hub

dynamic group based on assigned license