Group based Licensing in Azure AD

TheAlchemist90 1 Reputation point
2022-08-31T17:38:03.407+00:00

Hello all,

I have a question about group licensing. I would like to create an Azure AD group that will assign an E3 license, P1 license, as well as a conferencing license to newly created users. I need 1 group for all 3 licenses. I would also like for the group to be unassigned automatically once a user is deleted or disabled. Does anyone know if it is possible to create this type of group and automate the unassign portion? Any advice or scripts are appreciated, thanks!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Dillon Silzer 57,826 Reputation points Volunteer Moderator
    2022-08-31T18:00:03.897+00:00

    Hi @TheAlchemist90

    You can do the following steps to achieve this:

    1) Navigate to https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/AllGroups

    2) Choose New Group

    3) Choose Group Type > Microsoft 365

    4) Choose Membership Type > Dynamic User

    5) Add Dynamic Query

    Edit the rule syntax and use the example (this will remove them from the group if their account is not enabled):

    (user.accountEnabled -eq true) and ((user.mail -eq "******@mail.com") or (user.mail -eq "******@mail.com") or (user.mail -eq "******@mail.com"))

    6) After you create the group go to Licenses under Manage:


    7) Go to the Assign button and assign the licenses you want to these users.


    If this is helpful please accept answer.


  2. Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator
    2022-08-31T18:11:38.867+00:00

    Hi @TheAlchemist90 ,

    Regarding group-based licensing, please take a look here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal

    If you delete an AAD user, the user object will be removed from the AAD group as well.
    For the "disabled user" scenario you need to build some "automation" around it -> for instance, using PowerShell to remove deactivated users from the AAD group. This automation could be done by an Azure Automation runbook on a scheduled basis (for instance, run every night).
    The feature "Dynamic membership for a group in AAD" is a possible solution for this requirement as well. But this feature requires an Azure AD Premium P1 license or Intune for Education for each user: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

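The nightly "remove deactivated users from the licensing group" automation that the answer above describes, written here as an added example (it is not code from the answer, from Microsoft, or from the original question). It uses the Microsoft Graph PowerShell SDK; the group id is a placeholder, the runbook identity is assumed to hold Group.ReadWrite.All and User.Read.All, and `-WhatIf` gives a dry run before anything is removed. If the tenant has P1 and uses the dynamic rule from the first answer, the group maintains itself and this script is unnecessary.

```powershell
# Added example: reclaim group-assigned licenses by removing disabled users
# from the licensing group. Run from an Azure Automation runbook on a schedule.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Object id of the licensing group; this value is a placeholder.
    [string] $GroupId = '00000000-0000-0000-0000-000000000000'
)

# In a runbook, authenticate with the system-assigned managed identity.
# Interactively, use Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.Read.All' instead.
Connect-MgGraph -Identity -NoWelcome

# Page through all members. Get-MgGroupMember returns directory objects
# (users, groups, service principals), so keep only user objects.
$members = Get-MgGroupMember -GroupId $GroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$removed = @()
foreach ($m in $members) {
    # AccountEnabled is not returned by default; request it explicitly.
    $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AccountEnabled

    if (-not $u.AccountEnabled) {
        # ShouldProcess honours -WhatIf / -Confirm so the job can be dry-run first.
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Remove disabled user from group $GroupId")) {
            Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $u.Id
            $removed += $u.UserPrincipalName
        }
    }
}

# Emit a summary so the runbook job output doubles as an audit trail of
# which disabled accounts lost their group-assigned licenses.
Write-Output ("Checked {0} user members; removed {1} disabled account(s)." -f $members.Count, $removed.Count)
$removed | ForEach-Object { Write-Output "  removed: $_" }
```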
