Using Azure AD’s Dynamic Memberships for Groups to Assign Mutually Exclusive P1 and P2 licenses



Azure AD’s Dynamic Memberships for Groups and Assigning Licenses to Groups features can be combined to avoid the overlap that occurs when a user account is assigned both an Azure AD Premium P1 and an Azure AD Premium P2 license, an overlap that consumes a P1 license the account does not need.

In this blogpost, I’ll walk you through the scenario.


About Azure AD licensing

Today, Azure Active Directory offers three subscription licenses: Free, Premium P1 and Premium P2. The plain ‘Premium’ licenses are commonly referred to as P1 licenses to distinguish them from the more elaborate and costly P2 licenses.

The table on the Azure Active Directory pricing page details the differences between the free, premium P1 and premium P2 subscription licenses.

Azure AD Premium P2 includes everything in Azure AD Premium P1. For any organization using a mix of the two in its Azure AD tenant(s), it is therefore important that no account is assigned both an Azure AD Premium P1 and an Azure AD Premium P2 subscription license: the P1 license would be consumed without adding anything. Dynamic groups are a good fit for keeping the two sets of users apart within an Azure AD tenant.


About Dynamic Memberships for Groups

The first Azure AD feature we use in this scenario is the Dynamic Groups feature.
In Azure Active Directory, admins can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group memberships reduce the burden of adding and removing users to groups manually. You can set up a rule for dynamic membership on security groups and Office 365 groups.

The dynamic nature is delivered through continuous re-evaluation; when any attribute of a user or device changes, Azure AD evaluates all dynamic group rules to see if the change would trigger any group membership changes. If a user or device satisfies a rule on a group, they are dynamically added as a member of that group. If they no longer satisfy the rule, they are removed.

You can't manually add or remove a member of a dynamic group.


About Assigning Licenses to Groups

The second Azure AD feature we use is the ability to assign licenses to groups. Besides assigning licenses, this makes it easy to report on license use, because the number of licenses handed out through a group follows the number of members of an aptly named group. Combined with Access Reviews, membership of such a group can be re-certified periodically as well.


Getting ready

For this scenario, I’ll assume you have an Azure AD tenant with both a registered Azure AD Premium P1 subscription and a registered Azure AD Premium P2 subscription.

Privileges

To create the groups below, sign in with an account that holds the Global administrator role (a role that only grants group management, such as Groups administrator, is the least-privilege choice where your tenant offers it). To assign licenses to the newly created groups, the License administrator role is sufficient; Global administrator also works.

Getting the required information

To create the dynamic membership rules, we first have to get some information out of the Azure AD tenant.

Use the following lines of PowerShell on a system with the Azure AD PowerShell module installed to list the subscription license SKUs in the Azure AD tenant together with the service plans each SKU contains:

Connect-AzureAD
Get-AzureADSubscribedSku |
    Select-Object -Property SkuPartNumber -ExpandProperty ServicePlans |
    Select-Object SkuPartNumber, ServicePlanName, ServicePlanId |
    Format-Table

We need the service plan ID of the AAD_PREMIUM_P2 service plan, not the SKU ID of the subscription that carries it. The dynamic membership rule built below matches on assignedPlan.servicePlanId, and the same service plan can reach a user through different SKUs (the standalone Azure AD Premium P2 SKU, Enterprise Mobility + Security E5, Microsoft 365 E5, and others). Which SKUs show up in the table differs between tenants, depending on the way Azure AD Premium P2 was acquired; the service plan ID itself is the same in every tenant. Copy the ServicePlanId shown for AAD_PREMIUM_P2, which is:

eec0eb4f-6444-4f95-aba0-50c24d67f998


How to create the group to assign P2 licenses

The need for Azure AD Premium P2 licenses is based on a couple of scenarios:

Create the group

Follow these steps to create the group in the Azure AD portal:

  • Sign in to the Azure portal using an account that has the Global administrator role assigned.
  • In the left navigation pane, click on (the icon of) Azure Active Directory.
  • In Azure AD’s navigation menu, click on Groups.
  • Click + New Group.
  • In the New Group pane, specify the following information:
    • For Group Type select Security from the drop-down list
    • As the Group name specify a group name that fits the organization’s naming convention
    • Use the Group description to denote that this group assigns Azure AD Premium P2 licenses to its members
    • As the Membership type select Assigned.
  • Click Members and select the user accounts in the Azure AD tenant to which you want to assign Azure AD Premium P2 licenses.
  • Click the Select button at the bottom of the pane to return to the New Group pane.
  • Click the Create button at the bottom of the New Group pane.

Assign the P2 license

Perform these steps to assign Azure AD Premium P2 subscription licenses to the members of the group in the Azure portal:

  • In the left navigation pane, click on (the icon of) Azure Active Directory again.
  • In Azure AD’s navigation menu, click on Licenses.
  • In the Licenses menu, click on All Products.
  • Select Azure AD Premium P2 or a subscription license that includes Azure AD Premium P2 from the list of All products by clicking on the selection square in front of it.
  • Click + Assign.
  • In the Assign license pane, select Users and Groups.
  • Select the previously created security group.
  • When you assign a subscription license that includes Azure AD Premium P2 (such as EMS E5), choose which of its service plans to enable:
    • Click Assignment options in the Assign license pane.
    • On the License options blade, make the appropriate choices (for EMS E5, the license assignment options include the Azure AD Premium P2 service plan).
    • Click OK at the bottom of the blade.
  • Click the Select button at the bottom of the pane to go back to the Assign license pane.
  • Click the Assign button at the bottom of the Assign license pane.


How to create the group that assigns P1 licenses to other users without overlap

Now, let’s create the second group, this time with dynamic user membership. Perform these steps:

Create the group

Follow these steps to create the group in the Azure AD portal:

  • In the left navigation pane, click on (the icon of) Azure Active Directory.
  • In Azure AD’s navigation menu, click on Groups.
  • Click + New Group.
  • In the Group pane, specify the following information:
    • For Group Type select Security from the drop-down list
    • As the Group name specify a group name that fits the organization’s naming convention
    • Use the Group description to denote that this group assigns Azure AD Premium P1 licenses to its members
    • As the Membership type select Dynamic User.
  • Click Add dynamic query.
  • In the Dynamic membership rules pane, click Edit next to Rule syntax and enter the following rule, pasting the AAD_PREMIUM_P2 service plan ID in place of the placeholder:
    user.assignedPlans -all (assignedPlan.servicePlanId -ne "<PasteP2ServicePlanIdHere>")
  • This rule reads: none of the user’s assigned plans is the Azure AD Premium P2 plan. It keeps out every user who receives P2 through any SKU, whether assigned directly or through a group, and includes all other users, including users without any license. Do not write it as -any combined with -ne: that matches any user who has at least one plan other than P2, which is nearly every licensed user.
  • Add further expressions with the rule builder (or extend the rule syntax with -and) if you do not want to assign Azure AD Premium P1 licenses to all remaining users but to a more select set.
  • Click the Save button at the top of the Dynamic membership rules pane.
  • Click the Create button at the bottom of the New Group pane.
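The same dynamic group can be created from PowerShell. The following is an added example and not part of the original post; it assumes the AzureAD (or AzureADPreview) module, an existing Connect-AzureAD session with sufficient privileges, and the placeholder group name, description and mail nickname shown.

```powershell
# Added example, not from the original post: create the P1 dynamic group with
# the Azure AD PowerShell module and confirm the rule was accepted.
# Assumes Connect-AzureAD has already been run.
$p2ServicePlanId = 'eec0eb4f-6444-4f95-aba0-50c24d67f998'   # AAD_PREMIUM_P2 service plan ID

# "-all ... -ne" means: no assigned plan of the user is the P2 service plan.
$rule = "user.assignedPlans -all (assignedPlan.servicePlanId -ne `"$p2ServicePlanId`")"

# Group name, description and mail nickname are placeholders; adapt to your naming convention.
$group = New-AzureADMSGroup -DisplayName 'LIC-AzureAD-P1' `
    -Description 'Assigns Azure AD Premium P1 to users without Azure AD Premium P2' `
    -MailEnabled $false -MailNickname 'lic-azuread-p1' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Read the group back: the rule echoed unchanged and a processing state of 'On'
# mean the syntax was accepted. Membership is populated asynchronously, so the
# member list is only meaningful once Azure AD has finished processing the rule.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState

# Once processed, list who ended up in the group
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object UserPrincipalName
```

The service plan ID is placed in the rule via a variable so the same script can be reused for other plans; the rule text itself is exactly what the portal’s rule syntax editor expects.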

Assign the P1 license

Follow these steps to assign Azure AD P1 subscription licenses for users that do not have Azure AD Premium P2 subscription licenses assigned:

  • In the left navigation pane, click on (the icon of) Azure Active Directory again.
  • In Azure AD’s navigation menu, click on Licenses.
  • In the Licenses menu, click on All Products.
  • Select Azure AD Premium P1 from the list of All products.
  • Click + Assign.
  • In the Assign license pane, select Users and Groups.
  • Select the previously created security group.
  • Click the Select button at the bottom of the pane to go back to the Assign license pane.
  • Click the Assign button at the bottom of the Assign license pane.
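To check the outcome, and to see what the rule does with edge cases such as a user whose P2 plan is no longer enabled, here is an added example (not part of the original post) that evaluates the same rule locally and flags double-licensed accounts. The user objects are constructed sample data shaped like Get-AzureADUser output; the contoso.example names are placeholders, and the two service plan IDs are the published IDs for AAD_PREMIUM and AAD_PREMIUM_P2.

```powershell
# Added example, not from the original post. Evaluates the P1 group's dynamic
# membership rule against constructed sample users and reports license overlap.
# Replace $users with (Get-AzureADUser -All $true) to run the same check live.
$P1 = '41781fb2-bc02-4b7c-bd55-b576c07bb09d'   # AAD_PREMIUM service plan ID
$P2 = 'eec0eb4f-6444-4f95-aba0-50c24d67f998'   # AAD_PREMIUM_P2 service plan ID

function New-SamplePlan([string]$Id, [string]$Status = 'Enabled') {
    # Shaped like one entry of an Azure AD user's AssignedPlans collection
    [pscustomobject]@{ ServicePlanId = $Id; CapabilityStatus = $Status }
}

# Constructed sample users (placeholders, not real accounts)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; AssignedPlans = @(New-SamplePlan $P2) }                          # P2 only
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   AssignedPlans = @(New-SamplePlan $P1) }                          # P1 only
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; AssignedPlans = @((New-SamplePlan $P1), (New-SamplePlan $P2)) }  # both: overlap
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  AssignedPlans = @() }                                            # unlicensed
    [pscustomobject]@{ UserPrincipalName = 'erin@contoso.example';  AssignedPlans = @(New-SamplePlan $P2 'Deleted') }                # stale P2 entry
)

function Test-P1GroupRule($User) {
    # Mirrors: user.assignedPlans -all (assignedPlan.servicePlanId -ne "<P2>")
    # The rule compares servicePlanId only and ignores capabilityStatus, so a
    # P2 entry still listed as Deleted or Suspended keeps the user out as well.
    foreach ($plan in @($User.AssignedPlans)) {
        if ($plan.ServicePlanId -eq $P2) { return $false }
    }
    return $true
}

function Get-EnabledPlanIds($User) {
    # Only plans that are actually in effect count as "licensed"
    @($User.AssignedPlans |
        Where-Object { $_.CapabilityStatus -eq 'Enabled' } |
        ForEach-Object { $_.ServicePlanId })
}

$report = foreach ($u in $users) {
    $enabled = Get-EnabledPlanIds $u
    $hasP1 = $enabled -contains $P1
    $hasP2 = $enabled -contains $P2
    [pscustomobject]@{
        User           = $u.UserPrincipalName
        HasP1          = $hasP1
        HasP2          = $hasP2
        InP1Group      = Test-P1GroupRule $u
        DoubleLicensed = ($hasP1 -and $hasP2)
    }
}

$report | Format-Table -AutoSize

# Anyone flagged here still holds an enabled P1 plan next to P2, typically a
# direct (non-group) assignment that group-based licensing does not remove.
$report | Where-Object DoubleLicensed | ForEach-Object { "Double-licensed: $($_.User)" }
```

With the sample data, bob and dave land in the P1 group and alice, carol and erin stay out; carol is the only double-licensed account. The erin case shows the rule’s blind spot: a stale P2 entry that is no longer Enabled still excludes her from the P1 group until Azure AD drops the entry. If that matters in your tenant, add a capabilityStatus comparison to the rule, as Microsoft’s documented assignedPlans examples do.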


Concluding

Using two features for Azure AD groups, we have a robust way to assign Azure AD Premium P1 and Azure AD Premium P2 subscription licenses mutually exclusively: P2 goes to an assigned group, and P1 goes to a dynamic group whose rule excludes every account that already holds the P2 service plan.

Hat Tip

Thanks to Daniel Stefaniak for his help tackling this scenario.

Further reading

Dynamic membership rules for groups in Azure Active Directory
Create a dynamic group and check status
Dynamic Group Membership in Azure Active Directory (Part 1)

2 Responses to Using Azure AD’s Dynamic Memberships for Groups to Assign Mutually Exclusive P1 and P2 licenses

  1. The above does not work. First, -neq is not valid syntax, and secondly a user will be assigned many other SKUs that are -ne to the SKU you are trying to not license them on, based on whether it is assigned; thus this rule will ALWAYS be true and include ALL enabled users regardless of whether or not they have the SKU below:

     user.assignedPlans -any (assignedPlan.servicePlanId -ne "SKU#")

  2. The below worked for me; the SKU is for Power BI Pro. You can find your SKU here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-service-plan-reference

     user.assignedPlans -any (assignedPlan.servicePlanId -eq "70d33638-9c74-4d01-bfd3-562de28bd4ba" -and assignedPlan.capabilityStatus -eq "Enabled")
