Azure AD dynamic groups are not new. We have had them in Exchange for a long time, and we can also use them in Azure Active Directory with the Azure AD Premium 1 license. Why should we use dynamic groups instead of static groups? In this post I will give some examples where they are beneficial.

Example 1: Create groups based on what kind of license the users have.
If you collect all Azure AD Premium 2 users in a group, you can deploy risk-based policies to this group, and all new users with the correct license will get the function. How can we achieve this? Sign in at this address: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

Navigate to Groups and create a new group.

1, Add a security group and set the membership type to Dynamic User.

2, Add dynamic query

user.assignedPlans -any (assignedPlan.servicePlanId -eq "eec0eb4f-6444-4f95-aba0-50c24d67f998" -and assignedPlan.capabilityStatus -eq "Enabled")

3, Save the query. Depending on how many users you have, it will take some time before you see the result.
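
Because membership is evaluated in the background, anything scoped to the group only covers the users the rule has already picked up. The script below is an added example, not part of the original post: it compares the group's current members with the users who actually have the plan enabled. It assumes an existing Connect-AzureAD session, and $GroupId is a placeholder you must set.

```powershell
# Added example. Assumes Connect-AzureAD has already been run.
# $GroupId is a placeholder: set it to the object ID of your dynamic group.
$GroupId = '<dynamic-group-object-id>'
# Azure Active Directory Premium P2, taken from the ServicePlanId list in this post.
$PlanId  = 'eec0eb4f-6444-4f95-aba0-50c24d67f998'

# Show the stored rule and whether rule processing is on or paused
# (needs an AzureAD module version that exposes these properties).
Get-AzureADMSGroup -Id $GroupId |
    Format-List DisplayName, MembershipRule, MembershipRuleProcessingState

# Users the rule should match: plan assigned and capabilityStatus "Enabled".
$expected = @(Get-AzureADUser -All $true | Where-Object {
    $_.AssignedPlans | Where-Object {
        $_.ServicePlanId -eq $PlanId -and $_.CapabilityStatus -eq 'Enabled'
    }
})

# Users the dynamic group contains right now.
$actual = @(Get-AzureADGroupMember -ObjectId $GroupId -All $true |
    Where-Object { $_.ObjectType -eq 'User' })

$expectedIds = @($expected | ForEach-Object { $_.ObjectId })
$actualIds   = @($actual   | ForEach-Object { $_.ObjectId })

# Users with the enabled plan that the group has not picked up yet.
$missing = @($expected | Where-Object { $actualIds -notcontains $_.ObjectId })
# Members that do not have the enabled plan.
$stale   = @($actual   | Where-Object { $expectedIds -notcontains $_.ObjectId })

[pscustomobject]@{
    ExpectedByLicense  = $expected.Count
    CurrentMembers     = $actual.Count
    NotYetInGroup      = $missing.Count
    WithoutEnabledPlan = $stale.Count
} | Format-List

$missing | Format-Table UserPrincipalName, ObjectId
$stale   | Format-Table UserPrincipalName, ObjectId
```

Both difference lists should be empty once the rule has finished processing; entries that persist point to a paused rule or a rule that does not match the intended service plan.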

Below you can find most of the generic ServicePlanId values. Find the one you need and replace the ID in the query above.

Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)
Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)
Azure Active Directory Premium P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)
Azure Advanced Threat Protection (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f)
Azure Information Protection Premium P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)
Azure Information Protection Premium P2 (5689bec4-755d-4753-8b61-40975025187c)
Customer Lockbox (9f431833-0334-42de-a7dc-70aa40db46db)
Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)
Flow for Office 365 (07699545-9485-468e-95b6-2fca3738be01)
Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)
Information Protection for Office 365 - Premium (efb0351d-3b08-4503-993d-383af8de41e3)
Information Protection for Office 365 - Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)
Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)
Microsoft Azure Active Directory Rights (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)
Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)
Microsoft Cloud App Security (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)
Microsoft Defender Advanced Threat Protection (871d91ec-ec1a-452b-a83f-bd76c7d770ef)
Microsoft Forms (Plan E5) (e212cbc7-0961-4c40-9825-01117710dcb1)
Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)
Microsoft Kaizala (0898bdbb-73b0-471a-81e5-20f1fe4dd66e)
Microsoft MyAnalytics (Full) (34c0d7a0-a70f-4668-9238-47f9fc208882)
Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)
Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)
Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)
Microsoft Stream for O365 E5 SKU (6c6042f5-6f01-4d67-b8c1-eb99d36eed3e)
Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)
Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)
Office 365 Advanced eDiscovery (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)
Office 365 Advanced Security Management (8c098270-9dd4-4350-9b30-ba4703f3b36b)
Office 365 Advanced Threat Protection (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)
Office 365 Advanced Threat Protection (Plan 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)
Office 365 Privileged Access Management (b1188c4c-1b36-4018-b48b-ee07604f6feb)
Office 365 ProPlus (43de0ff5-c92c-492b-9116-175376d08c38)
Office Online (e95bec33-7c88-4a70-8e19-b10bd9d0c014)
Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)
Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba)
PowerApps for Office 365 Plan 3 (9c0dab89-a30c-4117-86e7-97bda240acd2)
Premium Encryption in Office 365 (617b097b-4b93-4ede-83de-5f075bb5fb2f)
SharePoint Online (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)
Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)
Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)
To-Do (Plan 3) (3fb82609-8c27-4f7b-bd51-30634711ee67)
Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af)
Windows 10 Enterprise (Original) (21b439ba-a0ca-424f-a6cc-52f954a5b111)
Yammer Enterprise (7547a3fe-08ee-4ccb-b430-5077c5041653)

You can find more information at the link below.
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

Example 2: Find all users with an active Teams license and list their properties
Instead of writing an advanced script to list users with a specific serviceId, you can use this dynamic query to collect all users with Teams enabled. Then we can use a foreach loop to check whether each user runs in Teams-only or Islands mode.

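# Requires an AzureAD session and a session that provides Get-CsOnlineUser.
# The ObjectId is the dynamic group that holds all users with Teams enabled.
# Note: -Top 1000 returns at most 1000 members.
$TeamsUsers = Get-AzureADGroupMember -Top 1000 -ObjectId f069085e-f197-4b2e-a17b-2bc79843b770
$TeamsUsers.Count

# Collect the Teams upgrade mode and policy for each member.
$output = foreach ($x in $TeamsUsers) {
    Get-CsOnlineUser -Identity $x.UserPrincipalName |
        Select-Object UserPrincipalName, TeamsUpgradeEffectiveMode, TeamsUpgradePolicy
}
$output | Out-GridView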

Example 3: Enable Office 365 ATP only for licensed users
Create a dynamic group and select all users with an Office 365 Advanced Threat Protection (Plan 1/2) license. Assign this group to the Office 365 ATP service and only the correct users will get the function enabled. We don't need to verify that the correct users are in the correct group anymore. If you assign a user the license, they also get the functionality automatically. As you can see, I have covered just a few cases, but I think you get the point of how dynamic groups can be used in many scenarios.