Dynamically Assign AIP Policies

A previous post covered how to dynamically assign Intune licenses using Azure dynamic user security groups.

When an organisation has configured global labels like the default labels displayed below, it can choose to apply a policy to all users, to all Azure Information Protection Plan 1 licensed users, or to all Azure Information Protection Plan 2 licensed users.

Azure Information Protection Plan 1 Azure Security Group

Create an Azure Active Directory dynamic user security group, edit the query, and enter the query below for Azure Information Protection Plan 1 licensed users.

user.assignedPlans -any (assignedPlan.servicePlanId -eq "6c57d4b6-3b23-47a5-9bc9-69f17b4947b3" -and assignedPlan.capabilityStatus -eq "Enabled")

Azure Information Protection Plan 2 Azure Security Group

Create an Azure Active Directory dynamic user security group, edit the query, and enter the query below for Azure Information Protection Plan 2 licensed users.

user.assignedPlans -any (assignedPlan.servicePlanId -eq "5689bec4-755d-4753-8b61-40975025187c" -and assignedPlan.capabilityStatus -eq "Enabled")

If creation of the group fails with an error, delete the quotation marks that enclose the GUID and "Enabled" in the query and retype them from your keyboard if you copied them from this blog post.

This solution lets administrators apply policies to all AIP Plan 1 and Plan 2 licensed users, and because the groups are dynamic, it will catch all new employees in the organisation.
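
A scripted version of the two groups above, as an added example rather than code from the original post: it replaces typographic quotes with ASCII quotes, checks that each servicePlanId parses as a GUID, and creates both groups with Microsoft Graph PowerShell. The group names and the Repair-MembershipRule helper are hypothetical, the IDs are Microsoft's published service plan IDs for AIP Premium P1 and P2, and the script assumes the Microsoft.Graph.Groups module with a Connect-MgGraph session that has Group.ReadWrite.All.

```powershell
# Added example. Requires the Microsoft.Graph.Groups module and a session opened
# with: Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Hypothetical group names mapped to the AIP service plan IDs.
$plans = [ordered]@{
    'AIP-Plan1-Licensed-Users' = '6c57d4b6-3b23-47a5-9bc9-69f17b4947b3'
    'AIP-Plan2-Licensed-Users' = '5689bec4-755d-4753-8b61-40975025187c'
}

function Repair-MembershipRule {
    # Hypothetical helper: cleans and checks a rule before it is submitted.
    param([Parameter(Mandatory)][string]$Rule)
    # Typographic quotes (U+201C/U+201D) copied from a web page become ASCII quotes.
    $fixed = $Rule -replace '[\u201C\u201D]', '"'
    # Each servicePlanId literal must parse as a GUID; Parse throws if it does not.
    foreach ($m in [regex]::Matches($fixed, 'servicePlanId -eq "([^"]*)"')) {
        [void][guid]::Parse($m.Groups[1].Value)
    }
    $fixed
}

$template = 'user.assignedPlans -any (assignedPlan.servicePlanId -eq "{0}" ' +
            '-and assignedPlan.capabilityStatus -eq "Enabled")'

foreach ($name in $plans.Keys) {
    $params = @{
        DisplayName                   = $name
        MailNickname                  = $name
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = Repair-MembershipRule ($template -f $plans[$name])
        MembershipRuleProcessingState = 'On'
    }
    $group = New-MgGroup @params
    # Print the stored rule so it can be compared with what was intended.
    '{0}: {1}' -f $group.DisplayName, $group.MembershipRule
}
```

Because membership decides who receives an AIP policy, review the printed rule and the resulting member list before scoping a policy to the group.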
