Feature Request - "all users" should apply to all licensed users and skip unlicensed users

%3CLINGO-SUB%20id%3D%22lingo-sub-2466322%22%20slang%3D%22en-US%22%3EFeature%20Request%20-%20%22all%20users%22%20should%20apply%20to%20all%20licensed%20users%20and%20skip%20unlicensed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2466322%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20from%20Microsoft%20365%20support%20case%20%2326219180.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%E2%80%99s%20unlikely%20that%20all%20users%20in%20a%20Microsoft%20365%20tenant%20will%20have%20the%20same%20license.%20You%E2%80%99ll%20have%20some%20users%20with%20license%20A%2C%20some%20with%20license%20B%2C%20and%20some%20unlicensed%20users%20with%20roles%20such%20as%20Global%20Admin.%20Certain%20Microsoft%20365%20products%20and%20features%20such%20as%20Intune%2C%20Conditional%20Access%20Policies%2C%20and%20Safe%20Links%20allow%20you%20to%20apply%20that%20setting%20to%20all%20users%20or%20all%20recipients%20in%20a%20domain.%20In%20some%20cases%2C%20like%20Intune%2C%20from%20a%20technical%20perspective%20if%20a%20user%20lacks%20the%20appropriate%20license%20he%20or%20she%20will%20not%20be%20impacted%20by%20the%20setting.%20In%20other%20cases%2C%20like%20some%20Conditional%20Access%20Policies%20or%20possibly%20Safe%20Links%2C%20choosing%20all%20users%20will%20cause%20the%20setting%20to%20apply%20to%20those%20who%20are%20and%20are%20not%20licensed%20for%20that%20product.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETherefore%2C%20to%20be%20in%20licensing%20compliance%20the%20Microsoft%20365%20global%20admin%2C%20or%20admin%20configuring%20these%20features%2C%20should%20instead%20create%20a%20dynamic%20group%20and%20have%20that%20group%20query%20for%20the%20user's%20license.%20For%20example%2C%20create%20a%20dynamic%20group%20called%20Azure%20AD%20Premium%20P1%20users%20and%20have%20the%20dynamic%20membership%20rule%20query%20for%20the%20Microsoft%20365%20Business%20Premium%20license.%20Then%2C%20in%20your%20Conditional%20Access%20Policy%20use%20the%20Azure%20AD%20Premium%20P1%20users%20group%20instead%20of%20all%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EChoosing%20not%20to%20do%20the%20above%20approach%20can%20lead%20to%20a%20situation%20where%2C%20if%20you%20are%20audited%20by%20Microsoft%2C%20you%20will%20be%20found%20to%20be%20out%20of%20compliance.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20feature%20request%20is%20this%3A%20configure%20Microsoft%20365%20so%20that%20%22all%20users%22%20or%20%22all%20recipients%20in%20this%20domain%22%20means%20%22all%20licensed%20users%20for%20this%20product%2C%20excluding%20all%20who%20are%20not%20licensed%20for%20this%20product.%22%20Creating%20these%20dynamic%20groups%20and%20updating%20them%20based%20on%20adding%20or%20removing%20different%20license%20names%20from%20the%20tenant%20will%20add%20administrative%20overhead%20that%20I%20prefer%20to%20not%20have.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMatthew%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2466322%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Visitor

This is from Microsoft 365 support case #26219180.

 

It’s unlikely that all users in a Microsoft 365 tenant will have the same license. You’ll have some users with license A, some with license B, and some unlicensed users with roles such as Global Admin. Certain Microsoft 365 products and features such as Intune, Conditional Access Policies, and Safe Links allow you to apply that setting to all users or all recipients in a domain. In some cases, like Intune, from a technical perspective if a user lacks the appropriate license he or she will not be impacted by the setting. In other cases, like some Conditional Access Policies or possibly Safe Links, choosing all users will cause the setting to apply to those who are and are not licensed for that product.

 

Therefore, to be in licensing compliance the Microsoft 365 global admin, or admin configuring these features, should instead create a dynamic group and have that group query for the user's license. For example, create a dynamic group called Azure AD Premium P1 users and have the dynamic membership rule query for the Microsoft 365 Business Premium license. Then, in your Conditional Access Policy use the Azure AD Premium P1 users group instead of all users.

 

Choosing not to do the above approach can lead to a situation where, if you are audited by Microsoft, you will be found to be out of compliance.

 

The feature request is this: configure Microsoft 365 so that "all users" or "all recipients in this domain" means "all licensed users for this product, excluding all who are not licensed for this product." Creating these dynamic groups and updating them based on adding or removing different license names from the tenant will add administrative overhead that I prefer to not have.

 

Matthew

0 Replies