Office365 and ADFS: Activate licenses for users depending on AD group membership
On Office365, users have to be licensed in order to get access to the Office365 applications. I’ve developed a PowerShell script which adds a license depending on the user’s group membership in Active Directory.
<#
$Metadata = @{
Title = "Set Office365 Licenses by ActiveDirectory Group Membership"
Filename = "Set-O365UserLicensesByADGroup.ps1"
Description = @"
Adds a license to an Office365 user as long as the user is in the correct ActiveDirectory group
or on the white list, the user is active, and the user has a mailbox.
The script will remove inactive licenses or if necessary replace them.
"@
Tags = "powershell, activedirectory, office365, user, license, activation"
Project = ""
Author = "Janik von Rotz"
AuthorContact = "https://janikvonrotz.ch"
CreateDate = "2013-08-13"
LastEditDate = "2013-09-30"
Url = "https://gist.github.com/janikvonrotz/6218401"
Version = "3.0.0"
License = @'
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License.
To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
'@
}
#>
#--------------------------------------------------#
# settings
#--------------------------------------------------#
# usage location (ISO country code) written to a user before the first license is added
$UsageLocation = 'CH'

# accounts licensed regardless of AD group membership; no rule is applied to them
$WhiteList = @(
    @{ UserPrincipalName = 'admin@vbluzern.onmicrosoft.com'; License = 'vbluzern:STANDARDPACK' },
    @{ UserPrincipalName = 'bison.testoff368@vbl.ch';        License = 'vbluzern:STANDARDPACK' },
    @{ UserPrincipalName = 'bison.test07@vbl.ch';            License = 'vbluzern:STANDARDPACK' },
    @{ UserPrincipalName = 'bison.test@vbl.ch';              License = 'vbluzern:STANDARDPACK' },
    @{ UserPrincipalName = 'bison.testoff367@vbl.ch';        License = 'vbluzern:STANDARDPACK' }
)

# one entry per license plan:
#   License    - AccountSkuId as reported by Get-MsolAccountSku
#   ADGroupSID - SID of the AD group whose enabled (recursive) members receive the license
#   Rule       - '' (no extra condition) or 'MailBoxExistOnline' (an Exchange Online mailbox must exist)
$LicenseConfig = @(
    @{
        Name       = 'SharePoint Online Plan 1'
        License    = 'vbluzern:SHAREPOINTSTANDARD'
        ADGroupSID = 'S-1-5-21-1744926098-708661255-2033415169-37562' # SPO_SharePointOnlinePlan1License
        Rule       = ''
    },
    @{
        Name       = 'Enterprise Plan 1'
        License    = 'vbluzern:STANDARDPACK'
        ADGroupSID = 'S-1-5-21-1744926098-708661255-2033415169-36657' # SPO_365E1License
        Rule       = 'MailBoxExistOnline'
    }
)
#--------------------------------------------------#
# modules
#--------------------------------------------------#
# MSOnline         - Connect-MsolService / Get-MsolUser / Set-MsolUser / Set-MsolUserLicense used below
# MSOnlineExtended - presumably supplies further Msol cmdlets; nothing below visibly uses it, confirm it is still needed
# ActiveDirectory  - Get-ADGroupMember / Get-ADUser used below
Import-Module -Name 'MSOnline', 'MSOnlineExtended', 'ActiveDirectory'
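#--------------------------------------------------#
# main
#--------------------------------------------------#
# import credentials
# NOTE(review): $PSconfigs is not defined in this script; it is expected from the caller's
# profile/environment. The XML file holds a tenant admin credential, so read access to it
# should be limited to the account that runs this job.
# -First 1: a recursive search could match more than one file; Import-PSCredential gets exactly one path.
$CredentialFile = Get-ChildItem -Path $PSconfigs.Path -Filter "Office365.credentials.config.xml" -Recurse |
    Select-Object -First 1
$Credential = Import-PSCredential $CredentialFile.FullName
Write-Host "Get Office365 users"
# connect to office365
Connect-MsolService -Credential $Credential
$MsolUsers = Get-MsolUser -All
Write-Host "Get ExchangeOnline mailboxes"
# open the remote Exchange Online session with the credential object directly; wrapping it
# in Get-Credential was redundant and, in an unattended run, any interactive prompt would hang.
# Basic authentication is only acceptable here because the connection URI is HTTPS.
$s = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell `
    -Credential $Credential `
    -Authentication Basic `
    -AllowRedirection
try {
    # -ResultSize Unlimited: Get-Mailbox returns at most 1000 objects by default; in a larger
    # tenant the missing mailboxes would make the "MailBoxExistOnline" rule fail for those
    # users and the reconciliation below would remove their licenses.
    $EOMailboxes = @(Invoke-Command -Session $s -ScriptBlock { Get-MailBox -ResultSize Unlimited } |
        Select-Object UserPrincipalName |
        ForEach-Object { "$($_.UserPrincipalName)" })
} finally {
    # remove session even when the remote call fails, so sessions are not leaked
    Remove-PSSession $s
}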
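# combine users and their license:
# one (UserPrincipalName, License, Rule) entry per enabled AD user found recursively in a
# configured group, plus the static white list (which carries an empty rule)
$FromGroups = foreach ($License in $LicenseConfig) {
    # -ErrorAction Stop: fail closed. A group that cannot be resolved would otherwise yield an
    # empty member set for this plan, and the reconciliation below would read that as
    # "nobody is entitled" and remove the plan's licenses from every user.
    # -Recursive returns leaf members only; the objectClass filter keeps Get-ADUser from
    # erroring on computer accounts nested in the group.
    Get-ADGroupMember $License.ADGroupSID -Recursive -ErrorAction Stop |
        Where-Object { $_.objectClass -eq "user" } |
        Get-ADUser |
        Where-Object { $_.Enabled -eq $true } |
        Select-Object UserPrincipalName,
            @{Name = "License"; Expression = {$License.License}},
            @{Name = "Rule";    Expression = {$License.Rule}}
}
$FromWhiteList = $WhiteList |
    Select-Object @{Name = "UserPrincipalName"; Expression = {$_.UserPrincipalName}},
        @{Name = "License"; Expression = {$_.License}},
        @{Name = "Rule";    Expression = {""}}
# @() on both operands: '+' is not defined between a single PSCustomObject (a group with
# exactly one member) and an array and would throw; array + array always concatenates
$LicenseAndUser = @($FromGroups) + @($FromWhiteList)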
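# reconcile every tenant user against the entitlements computed above
#
# NOTE(review): fail closed. An empty entitlement list or mailbox list most likely means an
# upstream lookup (AD or Exchange Online) failed; reconciling against an empty set would
# strip the licenses of every user in the tenant, so the run reports an error instead.
if ((-not $LicenseAndUser) -or (-not $EOMailboxes)) {
    Write-Error "Entitlement or mailbox lookup returned nothing; license reconciliation skipped to avoid bulk license removal"
} else {
    foreach ($User in $MsolUsers) {
        $Upn = $User.UserPrincipalName

        # entitlements that apply to this user: rule "" always holds, rule "MailBoxExistOnline"
        # holds only when an Exchange Online mailbox exists. Filtering per entry replaces the
        # original comparison against $Config, which became an array (and ill-defined) whenever
        # a user matched more than one group or the white list.
        $Entitlements = @($LicenseAndUser | Where-Object {
            ($_.UserPrincipalName -eq $Upn) -and
            (($_.Rule -eq "") -or (($_.Rule -eq "MailBoxExistOnline") -and ($EOMailboxes -contains $Upn)))
        })

        # desired = union of every SKU the user is entitled to (membership in several groups
        # yields several licenses); current = SKUs assigned in the tenant right now
        $Desired  = @($Entitlements | ForEach-Object { $_.License } | Select-Object -Unique)
        $Current  = @($User.Licenses | ForEach-Object { $_.AccountSkuId })
        $ToAdd    = @($Desired | Where-Object { $Current -notcontains $_ })
        $ToRemove = @($Current | Where-Object { $Desired -notcontains $_ })

        if (($ToAdd.Count -eq 0) -and ($ToRemove.Count -eq 0)) {
            if ($Desired.Count -eq 0) {
                Write-Host "User: $Upn is not allowed"
            } else {
                Write-Host "User: $Upn is already licensed with: $($Desired -join ', ')"
            }
            continue
        }

        if (($ToAdd.Count -gt 0) -and (-not $User.IsLicensed)) {
            # a usage location must be set before the first license can be assigned
            Set-MsolUser -UserPrincipalName $Upn -UsageLocation $UsageLocation
        }

        # one Set-MsolUserLicense call per user: adding and removing in the same call avoids
        # the window in which the user briefly holds no license at all, and a SKU that is
        # already correct is no longer removed and re-added
        $LicenseArgs = @{ UserPrincipalName = $Upn }
        if ($ToAdd.Count -gt 0) {
            $LicenseArgs.AddLicenses = $ToAdd
        }
        if ($ToRemove.Count -gt 0) {
            $LicenseArgs.RemoveLicenses = $ToRemove
        }
        if (($ToAdd.Count -gt 0) -and ($ToRemove.Count -gt 0)) {
            Write-Host "Replace Office365 license: $($ToRemove -join ', ') with: $($ToAdd -join ', ') for user: $Upn"
        } elseif ($ToAdd.Count -gt 0) {
            Write-Host "Set Office365 license: $($ToAdd -join ', ') for user: $Upn"
        } else {
            Write-Host "Remove Office365 license: $($ToRemove -join ', ') from user: $Upn"
        }
        Set-MsolUserLicense @LicenseArgs
    }
}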
# send a report when anything in this run produced an error
# NOTE(review): $Error is the session-wide automatic variable, so errors raised before this
# script started (for example in the calling profile) also trigger the report.
if ($Error.Count -gt 0) {
    Send-PPErrorReport -FileName "DirSync.mail.config.xml" -ScriptName $MyInvocation.InvocationName
}
You can get your Office365 account SKU name (the `License` value used in the settings above) with this Office365 command: Get-MsolAccountSku
Link to the newest version of this script: https://gist.github.com/janikvonrotz/6218401