Assign Azure/O365 licenses based on AD group membership


Hello,

just a short post today.

I thought it might be a good idea to share more scripts in the future, so here is the first one: it assigns Azure/O365 licenses based on AD group membership.
EMS/AADP and RMS licenses can also be assigned directly in Azure using group memberships, but you still have to handle O365 licenses on your own with scripts.

So at some customers I have the requirement to also manage O365 licenses after synchronizing objects with AADConnect, so I decided to manage all licenses with a script.

This script still needs some improvement in security (the password is stored in the file), but you can modify that as you like.
Also, I do not cover the license options of O365 licenses; instead the complete O365 feature set is assigned.

But anyway, this might be useful for one or the other out there:


Import-Module MSOnline
$Env:ADPS_LoadDefaultDrive = 0
Import-Module ActiveDirectory

# Modify the names of the licenses and the AD group names used for license assignment before running this script.
# You can get a list of your licenses by running the Azure AD PS cmdlet: Get-MsolAccountSku
# In addition, have a look at all values in <> and replace them according to your needs.

# The password should be stored a little more securely, e.g. in an encrypted file readable only by the user who runs this script.
$secpasswd = ConvertTo-SecureString "<MySecurePW>" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("<AADCServiceAccount>", $secpasswd)

Connect-MsolService -Credential $creds

function log($message)
{
    Write-Debug $message
    $datum = Get-Date -Format "dd.MM.yyyy - HH:mm:ss"
    $datum + ": " + $message | Out-File C:\Logs\AssignAzureLicense.log -Append
}

# Exclude the synchronization account created by Azure AD Connect; get the data from your Azure AD
$SyncUserList = Get-MsolUser -Synchronized | Where-Object { $_.UserPrincipalName -ne "Sync_<SyncServer>_<ID>@<domain>.onmicrosoft.com" }

if ($SyncUserList)
{
    foreach ($user in $SyncUserList)
    {
        $UPN = $user.UserPrincipalName
        # Get the licenses currently assigned to the user
        $hasEMSLicense  = $user.Licenses | Where-Object { $_.AccountSkuId -eq "<tenant>:EMS" }
        $hasO365License = $user.Licenses | Where-Object { $_.AccountSkuId -eq "<tenant>:ENTERPRISEPACK" }

        # Check the AD group memberships to decide whether the user should get a license (one AD lookup per user)
        $memberOf = (Get-ADUser -Filter {UserPrincipalName -eq $UPN} -Properties userPrincipalName,memberof).memberof
        $assignEMSLicense  = $memberOf -like "CN=GRP_AzureEMSLicense*"
        $assignO365License = $memberOf -like "CN=GRP_AzureO365License*"

        # Set usageLocation if not present; it is required for assigning licenses
        # If you synchronize that value from AD you can remove this step
        if ($null -eq $user.UsageLocation) { Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UsageLocation "DE" }

        # Assign EMS license
        if ($assignEMSLicense -and -not $hasEMSLicense)
        {
            Get-MsolUser -UserPrincipalName $user.UserPrincipalName | Set-MsolUserLicense -AddLicenses "<tenant>:EMS"
            $message = "Assign EMS license to user: " + $user.UserPrincipalName ; log $message
        }

        # Remove EMS license
        if (-not $assignEMSLicense -and $hasEMSLicense)
        {
            Get-MsolUser -UserPrincipalName $user.UserPrincipalName | Set-MsolUserLicense -RemoveLicenses "<tenant>:EMS"
            $message = "Remove EMS license from user: " + $user.UserPrincipalName ; log $message
        }

        # Assign O365 license
        if ($assignO365License -and -not $hasO365License)
        {
            Get-MsolUser -UserPrincipalName $user.UserPrincipalName | Set-MsolUserLicense -AddLicenses "<tenant>:ENTERPRISEPACK"
            $message = "Assign O365 license to user: " + $user.UserPrincipalName ; log $message
        }

        # Remove O365 license
        if (-not $assignO365License -and $hasO365License)
        {
            Get-MsolUser -UserPrincipalName $user.UserPrincipalName | Set-MsolUserLicense -RemoveLicenses "<tenant>:ENTERPRISEPACK"
            $message = "Remove O365 license from user: " + $user.UserPrincipalName ; log $message
        }
    }
}
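As an added example (not part of the original post), here is one way to address the two points raised above: the service-account password is read from a DPAPI-protected file instead of sitting in the script, and the add/remove decision is driven by one group-to-SKU table with -WhatIf support for a dry run. The credential file path, the Sync-UserLicense function and the $licenseMap table are assumptions; the group and SKU names are the post's placeholders.

```powershell
# Added example, not the original script. Assumes the post's placeholder
# group names and SKUs; the credential file path is an assumption too.
$credFile = Join-Path $env:LOCALAPPDATA 'AssignAzureLicense.cred.xml'

# One-time setup, run interactively as the account that will run the script:
#   Get-Credential | Export-Clixml -Path $credFile
# Export-Clixml protects the SecureString with DPAPI, so the file only
# decrypts for the same Windows user on the same machine.
if (-not (Test-Path $credFile)) {
    throw "Credential file $credFile not found; create it with: Get-Credential | Export-Clixml -Path $credFile"
}
$creds = Import-Clixml -Path $credFile
Connect-MsolService -Credential $creds

# AD group name (CN prefix) -> license SKU to keep in sync with that group
$licenseMap = @{
    'GRP_AzureEMSLicense'  = '<tenant>:EMS'
    'GRP_AzureO365License' = '<tenant>:ENTERPRISEPACK'
}

function Sync-UserLicense {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] $MsolUser,
        [Parameter(Mandatory)] [hashtable] $LicenseMap
    )
    $upn = $MsolUser.UserPrincipalName
    # One AD lookup per user, reused for every SKU in the table
    $adUser = Get-ADUser -Filter { UserPrincipalName -eq $upn } -Properties memberOf
    if (-not $adUser) { Write-Warning "No AD object for $upn, skipping"; return }
    $current = @($MsolUser.Licenses | ForEach-Object { $_.AccountSkuId })

    foreach ($group in $LicenseMap.Keys) {
        $sku    = $LicenseMap[$group]
        $wanted = [bool]($adUser.memberOf -like "CN=$group*")
        $has    = $current -contains $sku
        if ($wanted -and -not $has) {
            if ($PSCmdlet.ShouldProcess($upn, "Add license $sku")) {
                Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku
            }
        } elseif (-not $wanted -and $has) {
            if ($PSCmdlet.ShouldProcess($upn, "Remove license $sku")) {
                Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $sku
            }
        }
    }
}

# Dry run first: -WhatIf reports every add/remove without touching the tenant
Get-MsolUser -Synchronized | ForEach-Object { Sync-UserLicense -MsolUser $_ -LicenseMap $licenseMap -WhatIf }
```

Drop -WhatIf once the reported changes look right; the Azure AD Connect sync account is skipped automatically because it has no matching AD object.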


About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)
