## Automatic assignment of Office 365 licenses

For a long time I have been in the habit of assigning Office 365 licenses with a small, very simple PowerShell function:

```powershell
# Build the UPN from the global username and domain variables
$bal = $global:username + "@" + $global:domaine
# A usage location must be set before a license can be assigned
Set-MsolUser -UserPrincipalName $bal -UsageLocation "FR"
Set-MsolUserLicense -UserPrincipalName $bal -AddLicenses "XXXX:ENTERPRISEPACK"
# Report how many units of the SKU are consumed out of the active total
[string]$Consumedlicence = Get-MsolAccountSku | Where-Object AccountSkuId -EQ "XXXX:ENTERPRISEPACK" | select ConsumedUnits
[string]$ActiveLicence = Get-MsolAccountSku | Where-Object AccountSkuId -EQ "XXXX:ENTERPRISEPACK" | select ActiveUnits
Write-Host $Consumedlicence.split("=")[1].split("}")[0] "out of" $ActiveLicence.split("=")[1].split("}")[0] "licenses are affected"
```

Unfortunately, not everyone is familiar with PowerShell, and I was asked to find an easier way to quickly dispatch Office 365 licenses to different users.

After some research, I found a solution offered by Azure AD that assigns Office 365 licenses according to group membership.

In the environment I work in at the time of writing this article, we are in a hybrid configuration: we have a local Active Directory that synchronizes with our Azure AD tenant via Azure AD Connect. So I will do some of the configuration (creating groups, for example) in my local Active Directory, but for those who are fully in Azure AD, nothing prevents doing it in cloud mode.

## Principle

The principle is actually quite simple.

- Create the groups in Active Directory (or in Azure AD)
- In Azure AD, configure the assignment of Office 365 licenses on the groups created
- Dispatch the users into the groups

## Creation of groups

Everything could be done via the Windows MMC, but since we are still on a blog that talks a little about PowerShell, we will do it from the command line ;-)

```powershell
$HashArguments = @{
    Name           = "XX-Licences O365-E3"
    SamAccountName = "XX-Licences O365-E3"
    GroupCategory  = "Security"
    GroupScope     = "Global"
    DisplayName    = "Users M365E3"
    Path           = "CN=Users,DC=Fabrikam,DC=Com"
    Description    = "Put user XX here to assign them an E3 licence "
}
# Pass the hashtable to New-ADGroup as named parameters
New-ADGroup @HashArguments
```



XX corresponds to the name of the entity for which I implemented this solution.

For information, this way of writing the arguments is called splatting.

In my case, I created as many groups as licenses to assign.

After a forced synchronization from my Azure AD Connect server, I can check in Azure AD that my groups are present:

```
PS> Connect-AzureAD -Credential $CredAdminO365

Account                                               Environment TenantId                            TenantDomain
-------                                               ----------- --------                            ------------
administrateur@XXXXXXXXXXXXXXXXXXXXXX.onmicrosoft.com AzureCloud  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXX...

PS> Get-AzureADGroup -SearchString "XX-Licences O365-E3"

ObjectId                             DisplayName         Description
--------                             -----------         -----------
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx XX-Licences O365-E3 Mettre ici les user XX pour leur affecter une licence E3
```

At this stage we have created all the groups necessary to dispatch our various licenses to our users.

We will now see how to automatically assign licenses to the members of the different groups.

## Licensing

As we said above, the different licenses will be applied to the Azure AD groups and not directly to each user. It is important to note this difference. We will see later that licenses assigned via a group are said to be inherited, while the others are said to be direct.

As a first step, I check that no license is already assigned to my group:

```
PS> Connect-MsolService -Credential $CredAdminO365
PS> (Get-MsolGroup -ObjectId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).Licenses | Select-Object SkuPartNumber
```


For assigning licenses to groups, I did not find a solution in PowerShell, so I will do it in graphical mode.

Connect to your Azure AD tenant and go to Azure Active Directory, then to Groups.

Find the group previously created and click on Licenses.

Then click on Assignments, select the licenses that should be assigned to users who are members of this group, and click on Save.

After a few seconds (and a refresh of the page), the list of licenses appears.

## Test

To test, I will add a user to my group in the Active Directory.

After a few moments, the time needed for the Azure AD Connect synchronization to run, the user appears in my Azure AD group:

```
PS> Get-AzureADGroupMember -ObjectId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
ObjectId                             DisplayName UserPrincipalName     UserType
--------                             ----------- -----------------     --------
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx test.XX     test.XX@XXXXXXXXXX.fr Member
```


Now let's check the licenses that our test user has retrieved:

```
PS> Get-AzureADUser -SearchString "test.XX"
ObjectId                             DisplayName UserPrincipalName     UserType
--------                             ----------- -----------------     --------
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx test.XX     test.XX@XXXXXXXXXX.fr Member

SkuPartNumber
-------------
EMS
ENTERPRISEPACK
```


Our test user has successfully retrieved the Enterprise Mobility + Security E3 (EMS) and Office 365 E3 (ENTERPRISEPACK) licenses.

We can also verify this directly in the Azure Active Directory console by going to the user's account.

Looking at the licenses more closely, you will notice that 2 EMS licenses and 2 Office 365 E3 licenses are in fact assigned: direct and inherited! Indeed, my users had previously been assigned licenses directly, via the Office 365 administration console or by the script at the beginning of the article.

When the same license is reassigned to the user (as in this example), this is not much of a problem: 2 licenses are displayed, but only one is counted for billing.

On the other hand, if the user already has an Office 365 E3 license and we want to switch them to an Office 365 F1 license, this is more problematic, because the new F1 license, inherited from the group, will only become active once the direct E3 license has been removed.
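
The direct/inherited distinction described above can be audited from PowerShell, which helps find the leftover direct assignments before switching a user to another license. This is an added example, not code from the original article: it assumes the `Licenses[].GroupsAssigningLicense` property exposed on `Get-MsolUser` results, `Get-LicenseAssignmentPath` is a hypothetical helper name, and the sample users and ObjectIds are constructed placeholders.

```powershell
# Added example. Input objects are assumed to have the shape returned by Get-MsolUser:
# ObjectId, UserPrincipalName, Licenses[].AccountSkuId, Licenses[].GroupsAssigningLicense.
function Get-LicenseAssignmentPath {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        foreach ($license in $User.Licenses) {
            # Drop nulls so a missing property behaves like an empty list.
            $sources = @($license.GroupsAssigningLicense | Where-Object { $_ })
            # Empty list, or the user's own ObjectId in it: assigned directly.
            $direct = ($sources.Count -eq 0) -or ($sources -contains $User.ObjectId)
            # Any other ObjectId is a group the license is inherited from.
            $groups = @($sources | Where-Object { $_ -ne $User.ObjectId })
            $path = if ($direct -and $groups.Count) { 'Both' } elseif ($direct) { 'Direct' } else { 'Inherited' }
            [pscustomobject]@{
                UserPrincipalName = $User.UserPrincipalName
                AccountSkuId      = $license.AccountSkuId
                Path              = $path
                FromGroups        = $groups -join ','
            }
        }
    }
}

# Constructed sample data (placeholder ObjectIds and UPNs, not real tenant output).
$groupE3 = '11111111-1111-1111-1111-111111111111'   # stands in for the "XX-Licences O365-E3" group
$users = @(
    [pscustomobject]@{   # licensed by the old script, then added to the group
        ObjectId = 'aaaaaaaa-0000-0000-0000-000000000001'; UserPrincipalName = 'both.user@example.test'
        Licenses = @([pscustomobject]@{ AccountSkuId = 'XXXX:ENTERPRISEPACK'
                GroupsAssigningLicense = @('aaaaaaaa-0000-0000-0000-000000000001', $groupE3) })
    },
    [pscustomobject]@{   # new user, licensed only through the group
        ObjectId = 'aaaaaaaa-0000-0000-0000-000000000002'; UserPrincipalName = 'group.user@example.test'
        Licenses = @([pscustomobject]@{ AccountSkuId = 'XXXX:ENTERPRISEPACK'
                GroupsAssigningLicense = @($groupE3) })
    },
    [pscustomobject]@{   # legacy user, never touched by group-based licensing
        ObjectId = 'aaaaaaaa-0000-0000-0000-000000000003'; UserPrincipalName = 'direct.user@example.test'
        Licenses = @([pscustomobject]@{ AccountSkuId = 'XXXX:ENTERPRISEPACK'
                GroupsAssigningLicense = @() })
    }
)

$report = $users | Get-LicenseAssignmentPath
$report | Format-Table -AutoSize
# Against a tenant: Get-MsolUser -All | Get-LicenseAssignmentPath
# Cleanup of a redundant direct assignment:
#   Set-MsolUserLicense -UserPrincipalName <upn> -RemoveLicenses <AccountSkuId>
```

Rows marked `Both` carry a direct assignment that duplicates the group one, and rows marked `Direct` are still licensed outside the groups; these are the assignments to clean up so that licensing is driven by group membership alone.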