This post is all about leveraging Dynamic User Groups in Azure Active Directory to organise your users in the easiest way possible. I will also give you a real-world example from a previous project that shows why this is awesome and why you should be thinking outside the box to save you and your team precious time and money. Let’s go!
Solution
Step 1) Create a Dynamic User Group. I gravitate towards Microsoft Endpoint Manager for Security Group creation.

Tip: Take an organised approach. I like to put User Managed (UM) or Device Managed (DM) at the front of a group name for easy identification.
Tip: Don’t shy away from a detailed description. Take your time and make sure it’s clear what this group is and does. I also like to add the creation date and name, so if anyone has further questions about the group, they know who to go see.
Step 2) Create the Dynamic Membership Rule.

Let’s talk about this query a bit more. What we’re trying to achieve here is this: any user whose assigned license/plan equals “41781fb2-bc02-4b7c-bd55-b576c07bb09d” and is active (“Enabled”) gets pulled into this group. Because it’s a Dynamic Group and not an assigned group, this will happen automatically.
But how do I find the service plan ID? That, my friends, can be referenced right here.
I would recommend searching for the desired GUID with Ctrl+F and typing a keyword to find the license you need.
Conclusion & Worthy Notes
I used this to find people who had a Visio Plan/License within the organisation to pull them all into a specific group. From there, I packaged up the Microsoft Visio application and assigned that UM-Visio-License dynamic group to the application and deployed it from Intune. Visio was user-specific in the organisation, and we didn’t want to install the application on everyone’s machine, only the people who use it.
- Don’t be tricked by the product reference table on Microsoft’s website. Scroll horizontally to show the complete table.

- You can replace the GUID in the query to suit your own situation:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled")
- Remember, it can take up to an hour to sync and populate members in the group (depending on user count).
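The same group and rule can be created from PowerShell, and the resulting membership checked against the users who actually hold the plan. This is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed, and the description text and mail nickname are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module
# and an account allowed to create groups and read users.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$planId = '41781fb2-bc02-4b7c-bd55-b576c07bb09d'   # service plan GUID used in the post
# Use straight quotes inside the rule text.
$rule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$planId`" " +
        "-and assignedPlan.capabilityStatus -eq `"Enabled`")"

# UM- prefix and a descriptive description, as recommended in the tips above.
$group = New-MgGroup -DisplayName 'UM-Visio-License' `
    -Description 'Users with an enabled Visio service plan. Created <date> by <name>.' `
    -MailEnabled:$false -MailNickname 'um-visio-license' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Membership is evaluated asynchronously: run the check below once the group
# has had time to populate.

# Users who should match: the plan is present AND Enabled on the same entry.
$expected = Get-MgUser -All -Property 'id,userPrincipalName,assignedPlans' |
    Where-Object {
        $_.AssignedPlans | Where-Object {
            $_.ServicePlanId -eq $planId -and $_.CapabilityStatus -eq 'Enabled'
        }
    }
$expectedIds = @($expected | ForEach-Object Id)
$actualIds   = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)

# Differences in either direction are worth a look before the group is used
# to target an application deployment.
[pscustomobject]@{
    ExpectedCount     = $expectedIds.Count
    ActualCount       = $actualIds.Count
    MissingFromGroup  = @($expected | Where-Object { $_.Id -notin $actualIds }).UserPrincipalName
    UnexpectedInGroup = @($actualIds | Where-Object { $_ -notin $expectedIds })
}
```

Because the group decides who receives a deployed application, repeating the comparison after licence changes confirms that users whose plan was removed or disabled have also dropped out of the group.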
Credit
On my journey to finding answers, these articles assisted me greatly…
- Creating a dynamic group with all aad premium licensed users
- Create a dynamic rule based on user license plan
Thanks for the information, we use a lot of Dynamic Groups, as it gets too difficult to manage. Cheers, Ben.
It can definitely become a nightmare quickly without proper organisation and structure that’s for sure! Thanks Ben, appreciate the comment.
Cheers,
Chad