Azure Active Directory Policy - Microsoft 365 License Assignment Guide


This is a how-to guide on using and configuring the Azure Active Directory Policy for Microsoft 365 License Assignment.

Policy Configuration

The policy configuration is the rule that describes which users should have this policy applied to them.

Policy Rule

The policy rule is an expression written in the format of a SQL WHERE clause. Advanced users can create and test their rules in Microsoft SQL Server Management Studio by connecting directly to the dataset.

[Screenshot: mceclip0.png]

The queryable properties are based on the Microsoft Graph user object properties. Here are the common properties that you would use for your rule:

Property | Type | Description | Example
AccountEnabled | Boolean | Specifies whether the account is enabled or disabled | AccountEnabled=1 (all enabled users)
City | String | | City='Bellevue'
Country | String | | Country='United States'
Department | String | | Department='Sales'
ExtensionAttribute1 | String | Synchronized from on-premises Active Directory | ExtensionAttribute1='My Value'
ExtensionAttribute2 | String | Synchronized from on-premises Active Directory | ExtensionAttribute2='My Value'
ExtensionAttribute3 | String | Synchronized from on-premises Active Directory | ExtensionAttribute3='My Value'
ExtensionAttribute4 | String | Synchronized from on-premises Active Directory | ExtensionAttribute4='My Value'
ExtensionAttribute5 | String | Synchronized from on-premises Active Directory | ExtensionAttribute5='My Value'
ExtensionAttribute6 | String | Synchronized from on-premises Active Directory | ExtensionAttribute6='My Value'
ExtensionAttribute7 | String | Synchronized from on-premises Active Directory | ExtensionAttribute7='My Value'
ExtensionAttribute8 | String | Synchronized from on-premises Active Directory | ExtensionAttribute8='My Value'
ExtensionAttribute9 | String | Synchronized from on-premises Active Directory | ExtensionAttribute9='My Value'
ExtensionAttribute10 | String | Synchronized from on-premises Active Directory | ExtensionAttribute10='My Value'
ExtensionAttribute11 | String | Synchronized from on-premises Active Directory | ExtensionAttribute11='My Value'
ExtensionAttribute12 | String | Synchronized from on-premises Active Directory | ExtensionAttribute12='My Value'
ExtensionAttribute13 | String | Synchronized from on-premises Active Directory | ExtensionAttribute13='My Value'
ExtensionAttribute14 | String | Synchronized from on-premises Active Directory | ExtensionAttribute14='My Value'
ExtensionAttribute15 | String | Synchronized from on-premises Active Directory | ExtensionAttribute15='My Value'
JobTitle | String | | JobTitle='Sales Manager'
Mail | String | | Mail LIKE '%@bittitan.com' (all users that have an email address with the domain bittitan.com)
PhysicalDeliveryOfficeName | String | Location field shown in the Address List | PhysicalDeliveryOfficeName='Bellevue'
PostalCode | String | Zip or postal code | PostalCode='98004'
ShowInAddressList | Boolean | Specifies whether the user is visible in the Address List | ShowInAddressList=0 (all users that are hidden from the Address List)
State | String | State or province | State='WA'
UsageLocation | String | 2-letter ISO 3166 country code for the service usage location | UsageLocation='US'
UserPrincipalName | String | Username used to log in to Microsoft 365 | UserPrincipalName LIKE '%@bittitan.com' (all users that have a login name with the domain bittitan.com)

You may combine two or more expressions using SQL logical operators such as AND or OR. For example:

Department='Sales' OR Department='Marketing'
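A quick way to test a rule before clicking Next is to run it against a local copy of the user data, which is also the safest way to see exactly which accounts will receive licenses. The script below is an added example and is not part of this article or of the Voleer product: it loads a constructed, fictitious set of Graph user objects into an in-memory SQLite table, splices the rule into a WHERE clause exactly as the policy does, and reports the matches together with the user exceptions list. The table name, column set and SKU-free sample data are assumptions made for the example; SQLite's LIKE is case-insensitive for ASCII, whereas on the SQL Server dataset the comparison follows its collation, so confirm case-sensitive matches there as well.

```python
import sqlite3

# Constructed sample of Microsoft Graph user objects (fictitious accounts, not
# real directory data). Only properties a policy rule can query are included;
# 1/0 stand in for the Boolean properties and None for an unset attribute.
SAMPLE_USERS = [
    {"UserPrincipalName": "alice@bittitan.com", "Mail": "alice@bittitan.com",
     "AccountEnabled": 1, "Department": "Sales", "ShowInAddressList": 1, "UsageLocation": "US"},
    {"UserPrincipalName": "bob@bittitan.com", "Mail": "bob@bittitan.com",
     "AccountEnabled": 0, "Department": "Sales", "ShowInAddressList": 0, "UsageLocation": "US"},
    {"UserPrincipalName": "carol@bittitan.com", "Mail": "carol@bittitan.com",
     "AccountEnabled": 1, "Department": "Marketing", "ShowInAddressList": 1, "UsageLocation": None},
    {"UserPrincipalName": "svc-backup@bittitan.com", "Mail": None,
     "AccountEnabled": 1, "Department": None, "ShowInAddressList": 0, "UsageLocation": "US"},
    {"UserPrincipalName": "dave@contoso.com", "Mail": "dave@contoso.com",
     "AccountEnabled": 1, "Department": "Sales", "ShowInAddressList": 1, "UsageLocation": "GB"},
]

COLUMNS = ["UserPrincipalName", "Mail", "AccountEnabled", "Department",
           "ShowInAddressList", "UsageLocation"]


def _read_only_authorizer(action, arg1, arg2, db_name, trigger):
    # The rule text is spliced into the statement, so confine the scratch
    # connection to reads: anything other than SELECT/READ/function use is denied.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def load_users(users=SAMPLE_USERS):
    """Load user objects into an in-memory SQLite table named 'users'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (%s)" % ", ".join(COLUMNS))
    conn.executemany(
        "INSERT INTO users VALUES (%s)" % ", ".join("?" * len(COLUMNS)),
        [tuple(u.get(col) for col in COLUMNS) for u in users],
    )
    conn.commit()
    conn.set_authorizer(_read_only_authorizer)  # lock the scratch copy read-only
    return conn


def evaluate_rule(conn, rule):
    """Return the UPNs matched by a WHERE-style policy rule, sorted by UPN."""
    # An unset property is NULL, so "Mail LIKE ..." never matches a user
    # without a mailbox, while a UserPrincipalName rule still would.
    cur = conn.execute(
        "SELECT UserPrincipalName FROM users WHERE " + rule + " ORDER BY UserPrincipalName"
    )
    return [row[0] for row in cur]


def policy_scope(conn, rule=None, exceptions=()):
    """Users the policy applies to: rule matches plus the user exceptions list
    (one address per line, blank lines ignored). A policy may have only exceptions."""
    scope = set(evaluate_rule(conn, rule)) if rule else set()
    scope.update(e.strip() for e in exceptions if e.strip())
    return sorted(scope)


def disabled_in_scope(conn, scope):
    """Scoped users whose account is disabled: a rule without AccountEnabled=1
    would spend licenses on accounts nobody can sign in with."""
    if not scope:
        return []
    placeholders = ", ".join("?" * len(scope))
    cur = conn.execute(
        "SELECT UserPrincipalName FROM users WHERE AccountEnabled=0 "
        "AND UserPrincipalName IN (%s) ORDER BY UserPrincipalName" % placeholders,
        list(scope),
    )
    return [row[0] for row in cur]


if __name__ == "__main__":
    conn = load_users()
    for rule in ("Department='Sales'",
                 "Mail LIKE '%@bittitan.com' AND AccountEnabled=1",
                 "Department='Sales' OR Department='Marketing'"):
        print(rule, "->", evaluate_rule(conn, rule))
    scope = policy_scope(conn, "Department='Sales'", ["carol@bittitan.com"])
    print("scope:", scope, "disabled:", disabled_in_scope(conn, scope))
```

Two things the dry run surfaces that the form itself will not: a `Mail LIKE` rule silently skips accounts with no mailbox (the constructed `svc-backup` account matches the `UserPrincipalName` form of the rule but not the `Mail` form), and a rule that omits `AccountEnabled=1` puts disabled accounts in scope, which the `disabled_in_scope` check lists so you can decide before applying.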

User Exceptions

Even though the policy is defined by a query rule, there may be one or more users who fall outside the rule. In those cases, specify the email address of each user you wish to include in the policy, one email address per line.

You may configure just the user exceptions list if you want to explicitly specify who this policy should apply to without a policy rule.

Best Practices

  • Specify your policy with a rule and/or user exceptions
  • Do not select the checkbox and click Next
    • This verifies the validity of your configuration
    • You can see exactly which users the policy will apply to by downloading and viewing the logs

Connection Configuration

The Voleer Integration specified is used to perform the license assignment. Ensure that the credentials specified have the appropriate permissions.

[Screenshot: mceclip1.png]

License Options

The license options specify which licenses should be applied to users and how.

[Screenshot: mceclip2.png]

License Selection

Select one or more licenses you wish to apply.

Note that some licenses may have dependencies on other licenses being enabled or some licenses may not be combined with other licenses. The form does not validate these combinations. Any invalid combination will be displayed as an error when the licenses are applied.

Overwriting Licenses

There are two methods for applying licenses to users.

  1. Add the licenses defined in the policy to the licenses already assigned to the user (any license on the user that is not specified in the policy is preserved)
  2. Replace the licenses currently assigned to the user with those of the policy (any license on the user that is not specified in the policy is removed)

Usage Location

Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the usage location. This optional policy field overrides existing values when specified. The following table describes the policy behavior for this value:

 

Usage Location Specified on User | Usage Location Specified on Policy | Behavior
Yes | No | The usage location on the user will be preserved
No | Yes | The usage location on the user will be initialized by the policy
Yes | Yes | The usage location on the user will be overwritten by the policy
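The two license application methods above and the usage location table combine into a per-user change plan, and it is worth previewing that plan before applying, because the Replace method removes every license the policy does not list and a user with no usage location anywhere cannot be licensed at all. The code below is an added example, not part of this article or of the Voleer product: the `plan_licenses`, `resolve_usage_location`, `plan_user` and `plan_policy` functions, the policy dictionary shape and the sample SKU names are assumptions made for the illustration.

```python
# Constructed sample data: fictitious users with illustrative license SKU names.
SAMPLE_USERS = [
    {"UserPrincipalName": "alice@bittitan.com", "UsageLocation": "US",
     "licenses": ["ENTERPRISEPACK", "POWER_BI_PRO"]},
    {"UserPrincipalName": "carol@bittitan.com", "UsageLocation": None,
     "licenses": []},
]

# Assumed policy shape: the selected licenses, the application method
# ("add" = method 1, "replace" = method 2) and the optional usage location.
SAMPLE_POLICY = {"licenses": ["ENTERPRISEPACK", "EMS"], "mode": "replace",
                 "usage_location": None}


def plan_licenses(current, policy, mode):
    """Compute the assign/remove sets for one user.

    "add": policy licenses are added and everything else on the user stays.
    "replace": the user ends up with exactly the policy licenses.
    """
    current, policy = set(current), set(policy)
    if mode == "add":
        remove = set()
        final = current | policy
    elif mode == "replace":
        remove = current - policy       # licenses the policy does not list are dropped
        final = policy
    else:
        raise ValueError("mode must be 'add' or 'replace'")
    return {"assign": sorted(policy - current), "remove": sorted(remove),
            "final": sorted(final)}


def resolve_usage_location(user_value, policy_value):
    """Apply the usage location table; returns (effective value, outcome)."""
    if policy_value and user_value:
        return policy_value, "overwritten"
    if policy_value:
        return policy_value, "initialized"
    if user_value:
        return user_value, "preserved"
    return None, "missing"   # no value on user or policy: nothing can be assigned


def plan_user(user, policy):
    """Dry-run plan for one user; 'blocked' flags an assignment that would fail
    because no usage location is available."""
    location, outcome = resolve_usage_location(
        user.get("UsageLocation"), policy.get("usage_location"))
    plan = plan_licenses(user.get("licenses", []), policy["licenses"], policy["mode"])
    plan.update({
        "upn": user["UserPrincipalName"],
        "usage_location": location,
        "location_outcome": outcome,
        "blocked": outcome == "missing" and bool(plan["assign"]),
    })
    return plan


def plan_policy(users, policy):
    """Plans for every user in scope, blocked ones first so they stand out."""
    plans = [plan_user(u, policy) for u in users]
    return sorted(plans, key=lambda p: (not p["blocked"], p["upn"]))


if __name__ == "__main__":
    for p in plan_policy(SAMPLE_USERS, SAMPLE_POLICY):
        print(p["upn"], "assign", p["assign"], "remove", p["remove"],
              "location", p["usage_location"], p["location_outcome"],
              "BLOCKED" if p["blocked"] else "")
```

Running the sample with the Replace method shows `POWER_BI_PRO` being removed from the first user, which the Add method would have preserved, and the second user reported as blocked until either the user or the policy supplies a usage location.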

