Create a Dynamic Rule Based on User License Plan

Published on by Dave Branscome

One of the great features in Azure AD is the ability to create Office 365 groups based on a set of rules that dynamically query user attributes to identify certain matching conditions. For example, I can create a dynamic membership rule that adds users to an Office 365 group if the user’s “state” property contains “NC”.

1_NCQuery

Pretty simple….

Recently, a partner asked me how they could create a dynamic membership rule that queries for users who have a specific license plan, such as an E3 or E5. It’s easy enough to get that information out of the Office 365 admin portal and create a group with assigned membership (where I statically add them to a group), but they wanted a dynamic group membership rule.

It takes a little work, but it’s not too difficult.

First, the dynamic membership rule must query for something that is unique to the E3 or E5 license plan.

So, once you connect to your tenant using the Azure AD PowerShell module, run the PowerShell script below. This will give you all the SKU’s and SKU ID’s that exist in your tenant.

$allSKUs=Get-AzureADSubscribedSku
$licArray = @()
for($i = 0; $i -lt $allSKUs.Count; $i++)
{
$licArray += “Service Plan: ” + $allSKUs[$i].SkuPartNumber
$licArray +=  Get-AzureADSubscribedSku -ObjectID $allSKUs[$i].ObjectID | Select -ExpandProperty ServicePlans
$licArray +=  “”
}
$licArray

In my case, I see this sort of output for the E5 SKU, indicated by ENTERPRISEPREMIUM as the Service Plan.

Notice the FORMS_PLAN_E5 designation:

2_E5 SKU

A little further down, I see ENTERPRISEPACK as a Service Plan, which indicates an E3 SKU.

Notice the FORMS_PLAN_E3 designation:

3_E3 SKU

For this example, I want a dynamic membership group containing users with an E3 SKU. The FORMS_PLAN_E3 distinguishes those users from the users who have the FORMS_PLAN_E5 SKU, so I can key off that value. I could have selected another SKU with “E3” at the end of the name, but I picked the one for Forms.

Next, I take the SKU ID for the FORMS_PLAN_E3 (beginning with 2789c901-) and make it part of an advanced query, like this:

user.assignedPlans -any (assignedPlan.servicePlanId -eq “2789c901-c14e-48ab-a76a-be334d9d793a” -and assignedPlan.capabilityStatus -eq “Enabled”)

4_DynamicRule

I add it to my advanced rule and click Save.

After a few minutes, the query enumerates the users with the E3 SKU and adds them to the dynamic group.

5_Dynamic membership

What makes this so convenient is that, if later on I license more users with E3, they will be added to the group dynamically as well.

Have fun with your dynamic groups!

5 thoughts on “Create a Dynamic Rule Based on User License Plan

  1. Is there a way to only add users that have recently been granted a license or create a secondary group for users that have only recently been added to the dynamic group that was created in this example?

    Like

    Reply

      1. Essentially, I’m trying to create an automation for users that have recently been assigned a license. The more I look into it, the more I realize that I will need to run PowerShell within the Power Automate workflow.

        Like

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.