
Creating a dynamic group with all AAD Premium licensed users

Dynamic groups in Azure AD are a truly useful feature. They let you manage a large group of users without having to add every one of them to a specific group by hand.

Some organizations only have AAD Premium licenses for a subset of their users. Using dynamic groups makes it easy to scope your AADP policies (such as Conditional Access policies) to only the licensed users.

As the documentation says, you can use the multi-valued assignedPlans property to create a group based on licenses. Each entry in assignedPlans has three properties:

  • capabilityStatus
  • service
  • servicePlanId

capabilityStatus tells us whether the license is enabled. service is the license name and servicePlanId is the ID of the license. I suggest always filtering on the ID, as it is less subject to change than the service name.

Getting the ServicePlanID

Run the ‘Get-AzureADSubscribedSku’ command after connecting to Azure AD PowerShell. This returns the ObjectId, SkuPartNumber and SkuId of every license you own. Note the ObjectId of the license you want.

Pass the ObjectId you got from the previous command to the same cmdlet and expand its ServicePlans. The output lists each service plan in that license together with its ServicePlanId.

Get-AzureADSubscribedSku -ObjectId ead8488e-5b94-4a8f-a590-e789b41346f6_b05e124f-c7cc-45a0-a6aa-8cf78c946968 | Select-Object -ExpandProperty ServicePlans

Create the AzureAD group

Navigate to Azure Active Directory (aad.portal.azure.com) and select ‘Groups’.

Select ‘New group’ in the Groups page.

Choose ‘Security’ as the preferred Group Type and choose ‘Dynamic user’ as the membership type. Choose whatever values you would like for the Group Name and Group Description.
Select ‘Add dynamic query’ to configure the query you would like to base this group on.

Use the following rule for a dynamic group containing all AADP licensed users, substituting the ServicePlanId you found through PowerShell.

user.assignedPlans -any (assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled")
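The whole procedure above (look up the ServicePlanId, build the rule, create the group, check the result) can also be scripted. The following is an added example written for this page, not the author's own script. It assumes Connect-AzureAD has already been run with an account that can create groups, that the AAD Premium SKU in your tenant has the SkuPartNumber 'AAD_PREMIUM' and contains a service plan named 'AAD_PREMIUM', and it uses a hypothetical group name; check the SKU and plan names against your own Get-AzureADSubscribedSku output before running it.

```powershell
# Added example (not from the original post). Resolves the AAD Premium service plan
# ID from the tenant's subscribed SKUs and creates the dynamic security group.
# Assumptions: Connect-AzureAD already ran; SKU part number and service plan name
# below match your tenant (verify with Get-AzureADSubscribedSku).
$SkuPartNumber   = 'AAD_PREMIUM'   # assumption: the AAD Premium SKU in this tenant
$ServicePlanName = 'AAD_PREMIUM'   # assumption: the plan inside that SKU to filter on

# 1. Look the service plan ID up instead of hard-coding the GUID, so the script
#    fails loudly if the tenant does not actually own the license.
$sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant." }

$plan = $sku.ServicePlans | Where-Object { $_.ServicePlanName -eq $ServicePlanName }
if (-not $plan) { throw "Service plan '$ServicePlanName' not found in SKU '$SkuPartNumber'." }
$servicePlanId = $plan.ServicePlanId

# 2. Build the membership rule. Filtering on capabilityStatus 'Enabled' means a user
#    whose plan is suspended or removed drops out of the group automatically.
$rule = 'user.assignedPlans -any (assignedPlan.servicePlanId -eq "{0}" -and assignedPlan.capabilityStatus -eq "Enabled")' -f $servicePlanId

# 3. Create the dynamic security group (display name and mail nickname are hypothetical).
$group = New-AzureADMSGroup -DisplayName 'AADP-Licensed-Users' `
    -Description 'All users with an enabled Azure AD Premium service plan' `
    -MailEnabled $false -MailNickname 'aadp-licensed-users' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 4. Membership is evaluated asynchronously. Re-run this step once the portal shows
#    'Update complete' and compare the count with the number of licensed users
#    before scoping any Conditional Access policy to the group.
$members = Get-AzureADGroupMember -ObjectId $group.Id -All $true
'Group {0} ({1}) currently has {2} members' -f $group.DisplayName, $group.Id, $members.Count
```

The count check at the end is the part worth keeping in a runbook: a Conditional Access policy scoped to this group only protects the users the rule actually matched, so a typo in the rule or a wrong ServicePlanId silently shrinks your policy coverage rather than producing an error.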

After creating the group, you can monitor the membership processing status and last update date.

If you wait until the ‘processing status’ states ‘Update complete’, you will find that the group has been populated.

6 thoughts on “Creating a dynamic group with all AAD Premium licensed users”

  1. Thanks, it's working. Do you know maybe how I do the same thing except users that are inside another group?
    Something like that ….
    user.assignedPlans -any (assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled") except users that are inside this group "groupID"

      • I think the request is to create a dynamic group based on your described filters, but exclude members of another group.

        gma; instead of using the code, you can also manually add filter criteria; this would help to outline how an exclusion may appear in the code underneath; then customise accordingly.


      • It's not possible to exclude another group. You could exclude certain users through user parameters (like name, department) while using an 'and' statement.

  2. Based on the command used, if I wanted to create a dynamic group that adds all users that have an active license on their mailbox, would I just use "user.assignedPlans -any"?
