Simple Dynamic Rule to group users based on License | AAD

This post is all about leveraging Dynamic User Groups in Azure Active Directory to organise your users in the easiest way possible. I will also give you a real-world example from a previous project showing why this is awesome and why you should be thinking outside the box to save you and your team precious time and money. Let’s go!


Step 1) Create a Dynamic User Group. I gravitate towards Microsoft Endpoint Manager for Security Group creation.

Tip: Take an organised approach. I like to put User Managed (UM) or Device Managed (DM) at the front of a group name for easy identification.
Tip: Don’t shy away from a detailed description. Take your time and make sure it’s clear what this group is and does. I also like to add the creation date and name, so if anyone has further questions about the group, they know who to go see.

Step 2) Create the Dynamic Membership Rule.

user.assignedPlans -any (assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled")

Let’s talk about this query a bit more. What we’re trying to achieve is this: any user who has an assigned license/plan with the service plan ID "41781fb2-bc02-4b7c-bd55-b576c07bb09d" that is also active ("Enabled") gets pulled into this group. Both conditions are checked against the same plan entry. Because it’s a Dynamic Group and not an assigned group, this happens automatically.

But how do I find the service plan ID? That, my friends, can be referenced right here.

I would recommend searching for the desired GUID with Ctrl+F, typing a keyword to find the license you need.

Conclusion & Worthy Notes

I used this to find people who had a Visio Plan/License within the organisation to pull them all into a specific group. From there, I packaged up the Microsoft Visio application and assigned that UM-Visio-License dynamic group to the application and deployed it from Intune. Visio was user-specific in the organisation, and we didn’t want to install the application on everyone’s machine, only the people who use it.

  • You can replace the GUID in the query to suit your own situation:

user.assignedPlans -any (assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled")

  • Remember, it can take up to an hour to sync and populate members in the group (depending on user count).
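
As an added example (not from the original post): the group from Step 1 and the rule from Step 2 created with the Microsoft Graph PowerShell SDK, followed by a check of the group's members against the users who actually hold the enabled plan. The SDK, the mail nickname and the description placeholders are assumptions; the group name and GUID are the ones used in the post.

```powershell
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$planId = '41781fb2-bc02-4b7c-bd55-b576c07bb09d'   # service plan GUID from the post

# Straight quotes only: typographic quotes copied from a web page fail rule validation.
$rule = "user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$planId`" " +
        "-and assignedPlan.capabilityStatus -eq `"Enabled`")"

# Create the dynamic security group once; reuse it on later runs.
$group = Get-MgGroup -Filter "displayName eq 'UM-Visio-License'"
if (-not $group) {
    $group = New-MgGroup -DisplayName 'UM-Visio-License' `
        -Description 'Users with an enabled Visio plan. Created <date> by <name>.' `
        -MailEnabled:$false -MailNickname 'um-visio-license' -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}

# Users the rule should select: a single plan entry must satisfy both conditions.
$expectedIds = @(
    Get-MgUser -All -Property 'id,userPrincipalName,assignedPlans' |
        Where-Object {
            $_.AssignedPlans | Where-Object {
                $_.ServicePlanId -eq $planId -and $_.CapabilityStatus -eq 'Enabled'
            }
        } |
        ForEach-Object { $_.Id }
)

# Users the group currently contains.
$actualIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $_.Id })

# MissingFromGroup is normal until the rule has finished processing;
# UnexpectedMember means someone would receive the app without an enabled plan.
$expectedIds | Where-Object { $_ -notin $actualIds } |
    ForEach-Object { [pscustomobject]@{ UserId = $_; State = 'MissingFromGroup' } }
$actualIds | Where-Object { $_ -notin $expectedIds } |
    ForEach-Object { [pscustomobject]@{ UserId = $_; State = 'UnexpectedMember' } }
```

No output from the last two statements means the group matches the licensed users exactly.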


On my journey to finding answers, these articles assisted me greatly…


2 thoughts on “Simple Dynamic Rule to group users based on License | AAD”

    1. It can definitely become a nightmare quickly without proper organisation and structure, that’s for sure! Thanks Ben, appreciate the comment.

