RISHAssign EMS licenses to all licensed users with dynamic groups
Azure conditional access provides flexible control over access to Office 365 resources and services based on location/user group membership/device etc. If you set up conditional access rules, any user who doesn’t have an Azure AD Premium license will not be affected by them - access is permitted by default!
How to work around this without manually assigning licenses to every user or using a dodgy script? Azure AD has a capability called Dynamic Groups. With Dynamic Groups you can create a group with membership based on a query.
This query will result in a group that contains all users with Exchange, Sharepoint, Office or S4B enabled.
(user.assignedPlans -any ((assignedPlan.service -match "exchange|SharePoint|Microsoft(CommunicationsOnline|Office)") -and (assignedPlan.capabilityStatus -eq "Enabled")))
Then you simply assign EMS licenses to the dynamic group. Now, when a user is activated for Exchange etc, they immediately get an EMS license and Conditional Access applies. The user will inherit the license until they are no longer a member of the group
Read more about creating Dynamic Groups here https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal
During testing in a small environment I found that the license membership changed within 5 minutes.
Possible values for assignedPlan.service
| Value | Service Friendly Name |
|---|---|
| ProcessSimple | Flow for Office365 |
| PowerAppsService | PowerApps for Office 365 |
| TeamspaceAPI | Microsoft Teams |
| ProjectWorkManagement | Microsoft Planner |
| Sway | Sway |
| YammerEnterprise | Yammer |
| MicrosoftOffice | Office 365 ProPlus |
| MicrosoftCommunicationsOnline | Skype for Business Online |
| SharePoint | SharePoint Online |
| exchange | Exchange Online |
| Deskless | Staff Hub |
| RMSOnline | Azure Information Protection Plan Azure Rights Management |
| MultiFactorService | Azure Multi-Factor Authentication |
| AADPremiumService | Azure Active Directory Premium |
| SCO | Intune A Direct |
| Adallom | Microsoft Cloud App Security |
| VolumeLicensing | Microsoft Business Center |
Possible values for assignedPlan.capabilityStatus
| Value | Meaning |
|---|---|
| Deleted | License has been removed |
| Enabled | License is active |
| Suspended | License has been removed (applies to EMS licenses) |