Dynamic membership rule for Teams Room accounts

Teams Room accounts are usually excluded from Conditional Access policies. To do that, they have to be in a security group, which of course we don’t want to maintain manually.

Most companies choose a naming standard and simply use that as the rule for an exclusion group. This is easy to circumvent: I can create a guest user with the right name, et voilà, zero CA policies!

A better way is to identify the accounts based on their assigned licenses, e.g. Teams Rooms Basic (6af4b3d6-14bb-4a2a-960c-6c902aad34f3). This, however, is not supported as an Azure AD group membership rule, because licenses are stored in the assignedLicenses property, which throws an “Unsupported Property” error when used in a rule.

The assignedPlans property, however, does not contain unique plans: TEAMS1, for example, is also part of most other licenses, and the same goes for MCOMEETADV and WHITEBOARD_PLAN3. This means we can’t use Microsoft’s example for license-based rules (which matches on any one plan), but we CAN compare all plans at once (an -all match, where every assigned plan has to be in the set, instead of an -any match).

The following rule only matches users that ONLY have TEAMS1, MCOMEETADV and WHITEBOARD_PLAN3 assigned (and enabled):

(user.assignedPlans -all (assignedPlan.servicePlanId -in ["3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40","57ff2da0-773e-42df-b2af-ffb7a2317929","4a51bca5-1eff-43f5-878c-177680f191af"] -and assignedPlan.capabilityStatus -eq "Enabled")) -and
not (user.assignedPlans -all (assignedPlan.servicePlanId -eq ""))

Here’s another example that would match users with either Teams Rooms Basic or Teams Rooms Pro:

((user.assignedPlans -all (assignedPlan.servicePlanId -in ["3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40","57ff2da0-773e-42df-b2af-ffb7a2317929","4a51bca5-1eff-43f5-878c-177680f191af"] -and assignedPlan.capabilityStatus -eq "Enabled")) -or
(user.assignedPlans -all (assignedPlan.servicePlanId -in ["41781fb2-bc02-4b7c-bd55-b576c07bb09d","3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40","4828c8ec-dc2e-4779-b502-87ac9ce28ab7","c1ec4a95-1f05-45b3-a911-aa3fa01094f5","57ff2da0-773e-42df-b2af-ffb7a2317929","0feaeb32-d00e-4d66-bd5a-43b5b83db82c","4a51bca5-1eff-43f5-878c-177680f191af","92c6b761-01de-457a-9dd9-793a975238f7"] -and assignedPlan.capabilityStatus -eq "Enabled"))) -and
not (user.assignedPlans -all (assignedPlan.servicePlanId -eq ""))
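To see why the -all form of these rules is tighter than an -any match, here is a small Python model of how the first rule (and, by extension, the Basic-or-Pro variant) evaluates against a few constructed accounts. This is an added example, not code from the post or from Microsoft; the sample accounts are made up and EXCHANGE_PLAN is a placeholder standing in for any non-Rooms plan.

```python
# Added example: a minimal model of Azure AD's -all / -any semantics over
# user.assignedPlans, using the three Rooms Basic plan IDs from the post.
# Sample accounts are constructed; EXCHANGE_PLAN is a placeholder, not a real ID.

TEAMS1 = "57ff2da0-773e-42df-b2af-ffb7a2317929"
MCOMEETADV = "3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40"
WHITEBOARD_PLAN3 = "4a51bca5-1eff-43f5-878c-177680f191af"
ROOMS_BASIC_PLANS = {TEAMS1, MCOMEETADV, WHITEBOARD_PLAN3}
EXCHANGE_PLAN = "placeholder-some-other-plan-id"  # constructed placeholder

def plan(service_plan_id, status="Enabled"):
    """One entry of user.assignedPlans as the rule engine sees it."""
    return {"servicePlanId": service_plan_id, "capabilityStatus": status}

def all_plans_in(user, allowed):
    """user.assignedPlans -all (servicePlanId -in allowed -and capabilityStatus -eq "Enabled").
    all() over an empty list is True, which is why the post's rule carries the
    extra not (... -all (servicePlanId -eq "")) guard for unlicensed accounts."""
    return all(p["servicePlanId"] in allowed and p["capabilityStatus"] == "Enabled"
               for p in user["assignedPlans"])

def has_no_plans(user):
    """user.assignedPlans -all (assignedPlan.servicePlanId -eq "")"""
    return all(p["servicePlanId"] == "" for p in user["assignedPlans"])

def rooms_basic_rule(user):
    """The first rule on the page: every plan is an enabled Rooms Basic plan,
    and the account actually has at least one plan."""
    return all_plans_in(user, ROOMS_BASIC_PLANS) and not has_no_plans(user)

def naive_any_rule(user):
    """The broader -any pattern: one enabled TEAMS1 plan is enough to match."""
    return any(p["servicePlanId"] == TEAMS1 and p["capabilityStatus"] == "Enabled"
               for p in user["assignedPlans"])

# Constructed sample accounts
ROOM = {"assignedPlans": [plan(TEAMS1), plan(MCOMEETADV), plan(WHITEBOARD_PLAN3)]}
E3_USER = {"assignedPlans": [plan(TEAMS1), plan(EXCHANGE_PLAN)]}   # TEAMS1 plus other plans
GUEST = {"assignedPlans": []}                                     # room-like name, no licence
RETIRED_ROOM = {"assignedPlans": [plan(TEAMS1, "Deleted"), plan(MCOMEETADV, "Deleted")]}
SAMPLES = {"room": ROOM, "e3_user": E3_USER, "guest": GUEST, "retired_room": RETIRED_ROOM}

def evaluate(samples=SAMPLES):
    """Return {name: (matches -all rule, matches -any rule)} for each sample."""
    return {name: (rooms_basic_rule(u), naive_any_rule(u)) for name, u in samples.items()}
```

Only the real room account passes the -all rule, while the -any pattern also pulls in the E3 user; the empty-plan guard is what keeps the unlicensed guest out, and a room whose licence was removed (plans in "Deleted" state) drops out of the group as well.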

If you want to do something similar for other licenses, the service plans and their combinations are listed here:

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
