Dynamic security group with all users with any plan (all licensed users)

Brase, Daniel 321 Reputation points

Hi guys,

I'm trying to create a dynamic security group with only licensed users. I've already found this and some other examples to get this working. To test around I started with this filter:

(user.accountEnabled -eq True) and (user.assignedplans -any (assignedplan.serviceplanid -eq "3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40"))  


This works generally, but I want a rule with any plan and not a specific one. So I tried this one:

(user.accountEnabled -eq True) and (user.assignedplans -all (assignedplan.serviceplanid -ne null))  

But that doesn't work in my case:


This is also working but I want it vice versa:

(user.accountEnabled -eq True) and (user.assignedplans -any (assignedplan.serviceplanid -eq null)  


Maybe someone has a hint.

Thanks, Daniel.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,808 questions
0 comments No comments
{count} vote

Accepted answer
  1. Brase, Daniel 321 Reputation points

    Ok, I was able to manage it on my own. I got it working with the not operator:

    (user.accountEnabled -eq True) and not (user.assignedplans -all (assignedplan.serviceplanid -eq null))  


    I would have expected that if I use -eq operator and have a result, the the operator -ne switches the result. Anyway, maybe this helps someone else.

    4 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Jason E. Eaby 5 Reputation points

    So, I managed to get it working without a "not" by changing the "-all" operator to "-any" and using an "-ne".

    Like this:

    (user.accountEnabled -eq true) and (user.assignedPlans -any (assignedPlan.servicePlanID -ne null))

    Hope this helps someone.

    1 person found this answer helpful.