Office 365 license assignment

Automatic assignment of Office 365 licenses

For a long time I have been in the habit of assigning Office 365 licenses with a small, very simple PowerShell function:

# Build the UPN from the globals set by the calling script
$bal = $global:username + "@" + $global:domaine
# A usage location must be set before a license can be assigned
Set-MsolUser -UserPrincipalName $bal -UsageLocation "FR"
Set-MsolUserLicense -UserPrincipalName $bal -AddLicenses "XXXX:ENTERPRISEPACK"
# Query the SKU once and read the counters as properties instead of parsing strings
$sku = Get-MsolAccountSku | Where-Object AccountSkuId -EQ "XXXX:ENTERPRISEPACK"
Write-Host $sku.ConsumedUnits "out of" $sku.ActiveUnits "licenses are assigned"

Unfortunately, not everyone is familiar with PowerShell, and I was asked to find an easier way to quickly dispatch Office 365 licenses to different users.

After some research, I found a solution offered by Azure AD that assigns Office 365 licenses according to group membership.

In the environment I work in at the time of writing this article, we are in a hybrid configuration: we have a local Active Directory that synchronizes with our Azure AD tenant via Azure AD Connect.

So I will do some of the configuration (creating groups, for example) in my local Active Directory, but for those who are fully in Azure AD, nothing prevents doing it in the cloud.

Principle

The principle is quite simple actually.

  • Create the groups in Active Directory (or in Azure AD)
  • In Azure AD, configure the assignment of Office 365 licenses on the groups created
  • Dispatch the users into the groups

Creation of groups

Everything could be done via the Windows MMC, but as we are still on a blog that talks a little about PowerShell, we will do it from the command line ;-)

$HashArguments = @{
  Name = "XX-Licences O365-E3"
  SamAccountName = "XX-Licences O365-E3"
  GroupCategory = "Security"
  GroupScope = "Global"
  DisplayName = "Users M365E3"
  Path = "CN=Users,DC=Fabrikam,DC=Com"
  Description = "Put user XX here to assign them an E3 licence "
}

New-ADGroup @HashArguments

XX corresponds to the name of the entity for which I implemented this solution.

For information, this way of writing the arguments is called splatting.

In my case, I created as many groups as there are licenses to assign.

After a forced synchronization from my Azure AD Connect server, I can check in Azure AD that my groups are present:

PS>  Connect-AzureAD -Credential $CredAdminO365
Account                                              Environment TenantId                             TenantDomain
-------                                              ----------- --------                             ------------
administrateur@XXXXXXXXXXXXXXXXXXXXXX.onmicrosoft.com AzureCloud  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXX...


PS> Get-AzureADGroup -SearchString "XX-Licences O365-E3"
ObjectId                             DisplayName         Description
--------                             -----------         -----------
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx XX-Licences O365-E3 Mettre ici les user XX pour leur affecter une licence E3

At this stage, we have created all the groups necessary to dispatch our various licenses to our users. We will now see how to automatically assign licenses to the members of the different groups.

Licensing

As we said above, the different licenses will be applied to the Azure AD groups and not directly to each user.

It is important to note this difference. We will see later that the licenses assigned via a group are said to be inherited, while the others are said to be direct.

As a first step, I check that no license is already assigned to my group:

PS> Connect-MsolService -Credential $CredAdminO365
PS> (Get-MsolGroup -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).Licenses | Select-Object SkuPartNumber

To assign licenses to groups, I did not find a solution in PowerShell, so I will do it in graphical mode.

Connect to your Azure AD tenant and go to Azure Active Directory, then to Groups.

Find the group previously created and click on Licenses.

Then click on Assignments, select the licenses that should be assigned to users who are members of this group, and click on Save.

After a few seconds (and a refresh of the page), the list of licenses appears.

Test

To test, I will add a user to my group in Active Directory.

After a few moments, once the Azure AD Connect synchronization has run, the user appears in my Azure AD group:

PS> Get-AzureADGroupMember -ObjectId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
ObjectId                             DisplayName UserPrincipalName     UserType
--------                             ----------- -----------------     --------
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx test.XX     test.XX@XXXXXXXXXX.fr Member

Now let's check the licenses that our test user has received:

PS> Get-AzureADUser -SearchString "test.XX"
ObjectId                             DisplayName UserPrincipalName     UserType
--------                             ----------- -----------------     --------
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx test.XX     test.XX@XXXXXXXXXX.fr Member

PS>  Get-AzureADUserLicenseDetail -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Select-Object SkuPartNumber
SkuPartNumber
-------------
EMS
ENTERPRISEPACK

Our test user has successfully received the Enterprise Mobility + Security E3 (EMS) and Office 365 E3 (ENTERPRISEPACK) licenses.

We can also verify this directly in the Azure Active Directory console by going to the user's account.

By looking at the licenses more closely, you will realize that in fact 2 EMS licenses and 2 Office 365 E3 licenses are assigned. Direct and inherited! Indeed, my users had already been assigned licenses directly, either via the Office 365 administration console or by the script at the beginning of the article.

When the same license is reassigned to the user (as in this example), it is not too annoying: 2 licenses are displayed, but only one is counted for billing.

On the other hand, if the user already has an Office 365 E3 license and we want to switch them to an Office 365 F1 license, this is more problematic, because the new F1 license, inherited from the group, will only become active once the direct E3 license has been removed.
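
Added example (not part of the original post): a PowerShell function that reports, per user and per license, whether the assignment is direct, inherited from a group, or both, which is the inventory needed before removing the direct assignments discussed above. It assumes input objects shaped like the licenseAssignmentStates data that Microsoft Graph returns for a user; the function name, SKU ids, group ids and sample users are constructed placeholders.

```powershell
# Added example, not from the original post. Get-LicenseAssignmentSummary is a
# hypothetical helper name. Assumption: input mirrors the licenseAssignmentStates
# shape of Microsoft Graph (SkuId, AssignedByGroup, State), where an empty
# AssignedByGroup means the license was assigned directly to the user.
function Get-LicenseAssignmentSummary {
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$User)
    process {
        # One output row per SKU held by the user; users without licenses yield nothing
        $User.LicenseAssignmentStates | Where-Object { $_ } | Group-Object SkuId | ForEach-Object {
            $direct    = @($_.Group | Where-Object { -not $_.AssignedByGroup })
            $inherited = @($_.Group | Where-Object { $_.AssignedByGroup })
            $path = if ($direct.Count -and $inherited.Count) { 'Both' }
                    elseif ($direct.Count) { 'Direct' }
                    else { 'Inherited' }
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                SkuId             = $_.Name
                Path              = $path
                Groups            = ($inherited | ForEach-Object AssignedByGroup) -join ','
                # Assignments whose state is not Active are not effective yet
                NotActive         = @($_.Group | Where-Object State -ne 'Active').Count
            }
        }
    }
}

# Constructed sample data: placeholder SKU and group ids, not real tenant values
$users = @(
    [pscustomobject]@{   # same E3 license assigned directly and via the group
        UserPrincipalName       = 'test.XX@example.invalid'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ SkuId = 'E3-SKU-ID'; AssignedByGroup = $null;         State = 'Active' }
            [pscustomobject]@{ SkuId = 'E3-SKU-ID'; AssignedByGroup = 'E3-GROUP-ID'; State = 'Active' }
        )
    }
    [pscustomobject]@{   # direct E3 kept while the group grants F1 (constructed 'Error' state)
        UserPrincipalName       = 'test2.XX@example.invalid'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ SkuId = 'E3-SKU-ID'; AssignedByGroup = $null;         State = 'Active' }
            [pscustomobject]@{ SkuId = 'F1-SKU-ID'; AssignedByGroup = 'F1-GROUP-ID'; State = 'Error' }
        )
    }
)
# With live data (assumes the Microsoft.Graph module is installed and connected):
#   Get-MgUser -All -Property UserPrincipalName,LicenseAssignmentStates
$users | Get-LicenseAssignmentSummary | Format-Table -AutoSize
```

Rows with Path "Both" are the duplicated direct and inherited assignments; rows with NotActive greater than 0 have an assignment that is not effective, as in the E3 to F1 case above.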

License cleaning

This part will be the subject of a new article to come ;-)

Crazy teasing :-)

