How to filter out unlicensed users in Azure AD Dynamic Groups
Dynamic Groups are a great feature in Azure AD for managing group memberships automatically: membership rules based on member attributes add and remove group members for you.
When the attributes of a user or a device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they’re added as a member of that group. If they no longer satisfy the rule, they’re removed. You can’t manually add or remove a member of a dynamic group.
We are often asked how to remove unlicensed users from dynamic group membership. The instructions are below. Note that we have also included the removal of guest users, so you get rid of both at once!
Create new Dynamic Group
Go to your Azure Active Directory and click Add Group
You can create either an O365 Group or a Security Group (depending on your requirements). Make sure you set Member Type to Dynamic.
Click on Add Dynamic Query
In the Dynamic Query, fill in the following:
(user.userType -ne "Guest" and user.accountEnabled -eq True) and not (user.assignedPlans -all (assignedPlan.servicePlanId -eq ""))
Explanation:
user.userType -ne "Guest"
User type is not Guest (filters out the guests)
user.accountEnabled -eq True
User Accounts must be Enabled
not (user.assignedPlans -all (assignedPlan.servicePlanId -eq ""))
Excludes users who have no assigned license plans: the inner expression matches users without any assigned plan, and not inverts it
You can also validate your rule and test it with different types of users. In the screenshot below, the first user is a guest user, the second is an unlicensed user, and the third is a licensed user.
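The same group can be created and later audited from PowerShell. This is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK is installed, the display name and mail nickname are hypothetical placeholders, and every group member is a user object.

```powershell
# Added example. Requires the Microsoft.Graph module and an admin sign-in.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# The membership rule exactly as given in this article.
$rule = '(user.userType -ne "Guest" and user.accountEnabled -eq True) and not (user.assignedPlans -all (assignedPlan.servicePlanId -eq ""))'

function New-LicensedUsersGroup {
    # Creates a dynamic security group; both names are hypothetical defaults.
    param(
        [string]$DisplayName  = 'Licensed-Members-Example',
        [string]$MailNickname = 'licensed-members-example'
    )
    $params = @{
        DisplayName                   = $DisplayName
        MailNickname                  = $MailNickname
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $rule
        MembershipRuleProcessingState = 'On'
    }
    New-MgGroup @params
}

function Get-RuleViolation {
    # Lists members the rule is meant to exclude: guests, disabled
    # accounts, and users without any assigned service plan.
    param([Parameter(Mandatory)][string]$GroupId)
    $props = 'id,userPrincipalName,userType,accountEnabled,assignedPlans'
    foreach ($member in Get-MgGroupMember -GroupId $GroupId -All) {
        $u = Get-MgUser -UserId $member.Id -Property $props
        $reasons = @()
        if ($u.UserType -eq 'Guest') { $reasons += 'guest' }
        if (-not $u.AccountEnabled)  { $reasons += 'disabled' }
        if (-not $u.AssignedPlans)   { $reasons += 'unlicensed' }  # null or empty
        if ($reasons) {
            [pscustomobject]@{ User = $u.UserPrincipalName; Reasons = $reasons -join ',' }
        }
    }
}

$group = New-LicensedUsersGroup
# Dynamic membership is evaluated asynchronously; run the audit once the
# group has been processed. An empty result means no unexpected members.
Get-RuleViolation -GroupId $group.Id
```

Re-running Get-RuleViolation on a schedule is useful when the group is used to grant access, since it confirms that guests, disabled accounts and unlicensed users stay out as attributes change.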
Problem Solved!