I want to control M365 licenses via entitlements and I would like an automated way to do so. Initially, this seems like a no-brainer to create a couple of roles, and the rules so that the user will get either an F3 or E3 license. But then how do I handle “upgrades?” If an F3 user gets permission from their manager to be allocated an E3 license, then I would want to remove them from the corresponding role and assign them to the E3 role without having ISC try to also give them the F3 role.
How does one go about assigning an entitlement automatically, one time, then “play nice” if manual changes are made to the group membership?
Let's create 2 Roles.
- M365 F3 Role
- M365 E3 Role
These Roles contain Access Profiles with entitlements pointing to AD/AzureAD.
Allow both automatic assignment and Access Requests.
Along with your attribute-based conditions like department, job title, location, etc.,
add an additional condition that the F3 Role should not have the E3 group. If the user gets the E3 Group, F3 will automatically be removed.
- Use a Before Provisioning Rule: if the user requests E3/F3 and has F3/E3, update the provisioning plan to remove the other group.
- Since this is going to be AD/AzureAD, which has Native Rules, instead of going to a Before Provisioning Rule, which is a cloud Rule, you can add PowerShell to remove the other group if the user requested a license upgrade/downgrade.
- You can use workflows as well to remove the other license.
Thanks
Krish
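
One way to write the PowerShell step mentioned in the answer above, as an added example that is not part of the original thread or SailPoint's own code. It shows only the group logic, not how ISC invokes the script; the group names `M365-License-F3`/`M365-License-E3`, the account `jdoe` and both function names are assumptions.

```powershell
#Requires -Modules ActiveDirectory

# Assumed group names: one AD group per license tier, synced to Entra ID
# where group-based licensing assigns the SKU. Replace with your own.
$LicenseGroups = @('M365-License-F3', 'M365-License-E3')

function Get-LicenseGroupsToRemove {
    # Pure decision step: which license groups must go once $TargetGroup is granted.
    param(
        [string[]]$CurrentGroups,   # group names the account holds now
        [Parameter(Mandatory)][string]$TargetGroup,
        [Parameter(Mandatory)][string[]]$ExclusiveSet
    )
    if ($ExclusiveSet -notcontains $TargetGroup) {
        throw "'$TargetGroup' is not one of the managed license groups."
    }
    @($CurrentGroups | Where-Object { $ExclusiveSet -contains $_ -and $_ -ne $TargetGroup })
}

function Set-ExclusiveLicenseGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$TargetGroup
    )
    $user = Get-ADUser -Identity $Identity -Properties MemberOf
    # MemberOf holds distinguished names; resolve them to group names.
    $current = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    $remove = Get-LicenseGroupsToRemove -CurrentGroups $current `
        -TargetGroup $TargetGroup -ExclusiveSet $LicenseGroups

    # Add first so the account is never left without a license group.
    if ($current -notcontains $TargetGroup -and
        $PSCmdlet.ShouldProcess($Identity, "Add to $TargetGroup")) {
        Add-ADGroupMember -Identity $TargetGroup -Members $user
    }
    foreach ($group in $remove) {
        if ($PSCmdlet.ShouldProcess($Identity, "Remove from $group")) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        }
    }
}

# Dry run for a constructed account name:
# Set-ExclusiveLicenseGroup -Identity 'jdoe' -TargetGroup 'M365-License-E3' -WhatIf
```

Run it with `-WhatIf` first to see which memberships would change; the same function handles a downgrade by passing the F3 group as the target.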