Bechtle-Blog Office 365 PowerShell

Assign Office 365 licenses based on Active Directory groups

Dec 4,2016 / By / 2 Comments

Updated version available: https://www.michaelmiklis.de/update-assign-office-365-licenses-based-on-active-directory-groups-version-1-1/

I’ve done several Microsoft Office 365 projects with together with some of our customers. In most implementations, I was asked if there’s a way to assign Office 365 licenses (a.k.a. plans) to users based on their Active Directory group memberships.

Most companies have built their entire permission model on Microsoft Active Directory. With Active Directory Federation Services (ADFS) Microsoft offers a powerful and great tool for synchronizing user and group account from the customer’s on-premise environment into the Office 365 cloud.

Unfortunately, there is no built-in technique to automatically assign licenses. Therefore I wrote a small PowerShell script to complete this task.

You just need to modify the on the end to match your environment (username, password, group names, e.g.):

######################################################################
## (C) 2016 Michael Miklis (michaelmiklis.de)
##
##
## Filename:      Set-MSOLLicenseToADGroupMembers.ps1
##
## Version:       1.0
##
## Release:       Final
##
## Requirements:  -none-
##
## Description:   Assign Office 365 Licenses based on Active Directory
##                Groups.
##
## This script is provided 'AS-IS'.  The author does not provide
## any guarantee or warranty, stated or implied.  Use at your own
## risk. You are free to reproduce, copy & modify the code, but
## please give the author credit.
##
####################################################################
Set-PSDebug -Strict
Set-StrictMode -Version latest
 

function Set-MSOLLicenseToADGroupMembers {
    <#
    .SYNOPSIS
    Assigns Office 365 Licenses to Memebers of AD-Group
 
    .DESCRIPTION
    The Set-MSOLLicenseToADGroupMembers CMDlet gets all users from a
    specified AD-Group and assigns a specified Office 365 License to
    the corrosponding Office 365 identities
 
    .PARAMETER GroupName
    Name of the Active Group
 
    .PARAMETER License
    Name of the License

    .PARAMETER UsageLocation
    Name of the Location
 
    .EXAMPLE
    Set-MSOLLicenseToADGroupMembers -GroupName "Office365_E3" -License "contoso:ENTERPRISEPACK"

    #>
     
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$GroupName,
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$License,
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$LicenseName,
        [parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]$UsageLocation="DE"
    )

    foreach ($User in (Get-ADGroupMember -Identity $GroupName)) {
	$User = Get-ADUser -Identity $User -Properties UserPrincipalName
	$MsOlUser =  Get-MsolUser -UserPrincipalName $User.UserPrincipalName -ErrorAction SilentlyContinue 

	if ($MsOlUser -ne $null) {
		Write-Host ("Found Office 365 User: " + $MsOlUser.UserPrincipalName)
        	Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation $UsageLocation

		if ($MSOlUser.IsLicensed -eq $false) {
			Write-Host ("User not licensed - assigning license: " + $LicenseName)
        		Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $License
		}
		else {
			if ($MSOlUser.Licenses[0].AccountSkuId -ne $LicenseName) {
				Write-Host ("User licensed with wrong license - assigning license: " + $LicenseName)
        		Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $License
			}
			else {
				Write-Host ("User has already a correct license assigned: " + $LicenseName)
			}
		}
	}
    }

}

Import-Module MSOnline

$Username = "xxxxx"
$Password = "xxxxx"

# Convert the plain text password to a secure string
$SecurePassword=ConvertTo-SecureString –String $Password –AsPlainText –force
$Credential=New-object System.Management.Automation.PSCredential $Username,$SecurePassword

# Create new Office 365 license options
$LicenseOfficeProPlus = New-MsolLicenseOptions -AccountSkuId "SUBSCRIPTION_NAME:OFFICESUBSCRIPTION"
$LicenseE3withoutExchange = New-MsolLicenseOptions -AccountSkuId "SUBSCRIPTION_NAME:ENTERPRISEPACK" -DisabledPlans "EXCHANGE_S_ENTERPRISE"

# Connect to Microsoft Office 365 tenant
Connect-MsolService -Credential $credential

# Assign licenses based on Active Directory group membership
Set-MSOLLicenseToADGroupMembers -GroupName "O365_PROPLUS" -License $LicenseOfficeProPlus -LicenseName "SUBSCRIPTION_NAME:OFFICESUBSCRIPTION" -UsageLocation "DE"
Set-MSOLLicenseToADGroupMembers -GroupName "O365_E3" -License $LicenseE3withoutExchange -LicenseName "SUBSCRIPTION_NAME:ENTERPRISEPACK" -UsageLocation "DE"
You may also like
Script-Gallery: Fix-Printer.ps1
Update: Assign Office 365 licenses based on Active Directory groups (version 1.1)
Disable IPv6 in Windows for a specific network connection only
2 Comments
  • chris
    2017-01-19T11:43:15+00:000000001531201701 at 11:43
    Reply

    Hi. thanks for the code.
    May I ask where should I locate this script file? ADFS or local AD

    • Michael Miklis
      2017-01-24T15:08:27+00:000000002731201701 at 15:08
      Reply

      In most of my installations I put the script on the same server that is running the Azure AD Connect service.

Leave Your Comment

Your Comment*

Your Name*
Your Webpage

ABOUT ME
Michael is working as a cloud solutions architect for Bechtle AG. Having more than a decade experience in consulting and engineer-ing, Michael has managed mid-size to large-scale infrastructure, virtualization and public cloud projects with customers in all major industries.