Rule for hiding non-license users in dynamic AD group

SFL IT 1 Reputation point

Hello, I would like to ask for help with one 'problem' - I can't find the answer on any forums or support. The issue is that I have created a dynamic AD group, which is supposed to display all users who have any license assigned to their account. Accounts without a license (administrative, group, embedded, temporary, inactive, etc) are not to be included. Here I have a problem, because I can't handle the rule to NOT display accounts without pinned licenses. So far I got the result that SHOWS me accounts without licenses with the rule:
(user.assignedPlans -all (assignedPlan.servicePlanId -eq null))
And I thought that hiding them would be taken care of by replacing -eq with -ne, but it's not. Then it displays me all the accounts in our domain. How can I HIDE accounts in Azure AD dynamic group that do not have ANY license assigned to their profile? Thank you very much for helping me out!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,644 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 32,541 Reputation points Microsoft Employee

    Which guide are you following? For the rule that you are using, you would filter by capabilityStatus

     (user.assignedPlans -all (assignedPlan.capabilityStatus -eq "Enabled")) -and (user.userType -eq "Member")  

    or, for a specific plan you could do:

    (user.assignedPlans -any (assignedPlan.servicePlanId -eq "<servicePlanId>" -and assignedPlan.capabilityStatus -eq "Enabled"))

    There is a discussion here around different methods of accomplishing this.

    You can also follow the instructions in View licensed and unlicensed Microsoft 365 users with PowerShell to display only the licensed users:

    Get-MsolUser -All | where {$_.isLicensed -eq $true}  

    There are multiple ways to do this though, and several are also covered in this thread.

    Let me know if any of these work for you. I'm happy to troubleshoot if you run into any issues.

    0 comments No comments

  2. SFL IT 1 Reputation point


    I followed all of the available steps in google.
    The rule that you put here still shows me alot of users who do not have any license on their account and are Members.
    I need it to be a dynamic Azure AD group to allow users access to specific content.

    My rule right now looks like this:

    (user.displayName -notContains "OUT") and (user.accountEnabled -eq true) and (user.mail -ne null) and (user.mail -notContains "EXT.") and (user.userType -ne "Guest") and (user.userPrincipalName -ne null)

    Yet it still is not enough for me because the group contains users like temporary created users without any license.
    By putting this rule:

    (user.assignedPlans -all (assignedPlan.capabilityStatus -eq "Enabled"))

    I still get users with no active license. I would like to reduce the users in this group to the minimum.
    What else should i try to do? I just want to hide all of them and show only licensed, active users.

    Thank you

    0 comments No comments

  3. SFL IT 1 Reputation point

    Now I made something like this:

    > (user.assignedPlans -all (assignedPlan.capabilityStatus -eq "Enabled" -or assignedPlan.servicePlanId -eq "efccb6f7-5641-4e0e-bd10-b4976e1bf68e" -or assignedPlan.servicePlanId -eq "b05e124f-c7cc-45a0-a6aa-8cf78c946968" -or assignedPlan.servicePlanId -eq "3b555118-da6a-4418-894f-7df1e2096870" -or assignedPlan.servicePlanId -eq "f245ecc8-75af-4f8e-b61f-27d8114de5f3")) -and (user.displayName -notContains "OUT") and (user.accountEnabled -eq true) and (user.mail -ne null) and (user.mail -notContains "EXT.") and (user.userType -ne "Guest") and (user.userPrincipalName -ne null)

    But it again showed me only account without any licenses. 41 users which i want to hide.
    How can i fix this rule to show EMS E3, EMS E5, M365 Business Basic and M365 Business Standard users?
    And if the account has any other license or doesnt have any license so they are not in the dynamic group?

    Please, let me know. Thank you

    0 comments No comments

  4. SFL IT 1 Reputation point


    Could you please let me know how to make it through?

    0 comments No comments