How to filter out unlicensed users in Azure AD Dynamic Groups

Dynamic Groups are a great Azure AD feature for managing group memberships: membership rules based on member attributes add and remove group members automatically.

When the attributes of a user or a device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they’re added as a member of that group. If they no longer satisfy the rule, they’re removed. You can’t manually add or remove a member of a dynamic group.

We often get the question of how to keep unlicensed users out of a Dynamic Group's membership. The instructions are below. Note that we have also included the removal of guest users, so you get rid of both at once!

Create new Dynamic Group

Go to your Azure Active Directory and click Add Group

You can create either an O365 Group or a Security Group (depending on your requirements). Make sure you set Member Type to Dynamic.

Click on Add Dynamic Query

In the Dynamic Query, fill in the following:

(user.userType -ne "Guest" and user.accountEnabled -eq True) and 
not (user.assignedPlans -all (assignedPlan.servicePlanId -eq ""))

Explanation:

user.userType -ne "Guest"

User type is not Guest (filters out the guests)

user.accountEnabled -eq True

User Accounts must be Enabled

not (user.assignedPlans -all (assignedPlan.servicePlanId -eq ""))

The inner condition matches users that have no assigned license plans; the leading not excludes them, so only licensed users remain

You can also validate your rule and test it with different types of users. In the screenshot below, the first user is a Guest user, the second is an unlicensed user, and the third is a licensed user.
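
The same group can also be created and checked from a script instead of the portal. This is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK is installed, and the display name, description and mail nickname are placeholders.

```powershell
# Added example: assumes the Microsoft.Graph module and an account that may
# create groups and read users. Names below are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# The membership rule from the article. Single-quoted strings keep the embedded
# double quotes intact when the rule is sent to the directory.
$rule = '(user.userType -ne "Guest" and user.accountEnabled -eq True) and ' +
        'not (user.assignedPlans -all (assignedPlan.servicePlanId -eq ""))'

# Security group with dynamic membership. For an O365 group, use
# -GroupTypes 'Unified', 'DynamicMembership' and -MailEnabled instead.
$group = New-MgGroup -DisplayName 'Licensed internal users' `
    -Description 'Enabled, licensed member accounts (no guests)' `
    -MailEnabled:$false `
    -MailNickname 'licensed-internal-users' `
    -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Read back what the directory stored, to confirm the rule was saved as written.
Get-MgGroup -GroupId $group.Id `
    -Property 'displayName,membershipRule,membershipRuleProcessingState' |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Once the rule has been processed, audit the resulting members: any guest,
# disabled or plan-less account in the group is flagged as unexpected.
$members = Get-MgGroupMember -GroupId $group.Id -All
foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id `
        -Property 'userPrincipalName,userType,accountEnabled,assignedPlans'
    $planCount = @($u.AssignedPlans).Count
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        UserType          = $u.UserType
        AccountEnabled    = $u.AccountEnabled
        PlanCount         = $planCount
        Unexpected        = ($u.UserType -eq 'Guest') -or
                            (-not $u.AccountEnabled) -or
                            ($planCount -eq 0)
    }
}
```

Membership is populated asynchronously, so run the audit loop again later if the group is still empty right after creation.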

Problem Solved!