Updated version available: https://www.michaelmiklis.de/update-assign-office-365-licenses-based-on-active-directory-groups-version-1-1/
I’ve done several Microsoft Office 365 projects with together with some of our customers. In most implementations, I was asked if there’s a way to assign Office 365 licenses (a.k.a. plans) to users based on their Active Directory group memberships.
Most companies have built their entire permission model on Microsoft Active Directory. With Active Directory Federation Services (ADFS) Microsoft offers a powerful and great tool for synchronizing user and group account from the customer’s on-premise environment into the Office 365 cloud.
Unfortunately, there is no built-in technique to automatically assign licenses. Therefore I wrote a small PowerShell script to complete this task.
You just need to modify the on the end to match your environment (username, password, group names, e.g.):
###################################################################### ## (C) 2016 Michael Miklis (michaelmiklis.de) ## ## ## Filename: Set-MSOLLicenseToADGroupMembers.ps1 ## ## Version: 1.0 ## ## Release: Final ## ## Requirements: -none- ## ## Description: Assign Office 365 Licenses based on Active Directory ## Groups. ## ## This script is provided 'AS-IS'. The author does not provide ## any guarantee or warranty, stated or implied. Use at your own ## risk. You are free to reproduce, copy & modify the code, but ## please give the author credit. ## #################################################################### Set-PSDebug -Strict Set-StrictMode -Version latest function Set-MSOLLicenseToADGroupMembers { <# .SYNOPSIS Assigns Office 365 Licenses to Memebers of AD-Group .DESCRIPTION The Set-MSOLLicenseToADGroupMembers CMDlet gets all users from a specified AD-Group and assigns a specified Office 365 License to the corrosponding Office 365 identities .PARAMETER GroupName Name of the Active Group .PARAMETER License Name of the License .PARAMETER UsageLocation Name of the Location .EXAMPLE Set-MSOLLicenseToADGroupMembers -GroupName "Office365_E3" -License "contoso:ENTERPRISEPACK" #> param ( [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$GroupName, [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$License, [parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()]$LicenseName, [parameter(Mandatory=$false)] [ValidateNotNullOrEmpty()]$UsageLocation="DE" ) foreach ($User in (Get-ADGroupMember -Identity $GroupName)) { $User = Get-ADUser -Identity $User -Properties UserPrincipalName $MsOlUser = Get-MsolUser -UserPrincipalName $User.UserPrincipalName -ErrorAction SilentlyContinue if ($MsOlUser -ne $null) { Write-Host ("Found Office 365 User: " + $MsOlUser.UserPrincipalName) Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation $UsageLocation if ($MSOlUser.IsLicensed -eq $false) { Write-Host ("User not licensed - assigning license: " + $LicenseName) Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $License } else { if ($MSOlUser.Licenses[0].AccountSkuId -ne $LicenseName) { Write-Host ("User licensed with wrong license - assigning license: " + $LicenseName) Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $License } else { Write-Host ("User has already a correct license assigned: " + $LicenseName) } } } } } Import-Module MSOnline $Username = "xxxxx" $Password = "xxxxx" # Convert the plain text password to a secure string $SecurePassword=ConvertTo-SecureString –String $Password –AsPlainText –force $Credential=New-object System.Management.Automation.PSCredential $Username,$SecurePassword # Create new Office 365 license options $LicenseOfficeProPlus = New-MsolLicenseOptions -AccountSkuId "SUBSCRIPTION_NAME:OFFICESUBSCRIPTION" $LicenseE3withoutExchange = New-MsolLicenseOptions -AccountSkuId "SUBSCRIPTION_NAME:ENTERPRISEPACK" -DisabledPlans "EXCHANGE_S_ENTERPRISE" # Connect to Microsoft Office 365 tenant Connect-MsolService -Credential $credential # Assign licenses based on Active Directory group membership Set-MSOLLicenseToADGroupMembers -GroupName "O365_PROPLUS" -License $LicenseOfficeProPlus -LicenseName "SUBSCRIPTION_NAME:OFFICESUBSCRIPTION" -UsageLocation "DE" Set-MSOLLicenseToADGroupMembers -GroupName "O365_E3" -License $LicenseE3withoutExchange -LicenseName "SUBSCRIPTION_NAME:ENTERPRISEPACK" -UsageLocation "DE"
Hi. thanks for the code.
May I ask where should I locate this script file? ADFS or local AD
In most of my installations I put the script on the same server that is running the Azure AD Connect service.