Assign Office 365 licenses based on Active Directory groups MICHAEL MIKLIS

Updated version available: https://www.michaelmiklis.de/update-assign-office-365-licenses-based-on-active-directory-groups-version-1-1/

I’ve done several Microsoft Office 365 projects with together with some of our customers. In most implementations, I was asked if there’s a way to assign Office 365 licenses (a.k.a. plans) to users based on their Active Directory group memberships.

Most companies have built their entire permission model on Microsoft Active Directory. With Active Directory Federation Services (ADFS) Microsoft offers a powerful and great tool for synchronizing user and group account from the customer’s on-premise environment into the Office 365 cloud.

Unfortunately, there is no built-in technique to automatically assign licenses. Therefore I wrote a small PowerShell script to complete this task.

You just need to modify the on the end to match your environment (username, password, group names, e.g.):

######################################################################
## (C) 2016 Michael Miklis (michaelmiklis.de)
##
##
## Filename:      Set-MSOLLicenseToADGroupMembers.ps1
##
## Version:       1.0
##
## Release:       Final
##
## Requirements:  -none-
##
## Description:   Assign Office 365 Licenses based on Active Directory
##                Groups.
##
## This script is provided 'AS-IS'.  The author does not provide
## any guarantee or warranty, stated or implied.  Use at your own
## risk. You are free to reproduce, copy & modify the code, but
## please give the author credit.
##
####################################################################
Set-PSDebug -Strict
Set-StrictMode -Version latest
 

function Set-MSOLLicenseToADGroupMembers {
    <#
    .SYNOPSIS
    Assigns Office 365 Licenses to Memebers of AD-Group
 
    .DESCRIPTION
    The Set-MSOLLicenseToADGroupMembers CMDlet gets all users from a
    specified AD-Group and assigns a specified Office 365 License to
    the corrosponding Office 365 identities
 
    .PARAMETER GroupName
    Name of the Active Group
 
    .PARAMETER License
    Name of the License

    .PARAMETER UsageLocation
    Name of the Location
 
    .EXAMPLE
    Set-MSOLLicenseToADGroupMembers -GroupName "Office365_E3" -License "contoso:ENTERPRISEPACK"

    #>
     
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$GroupName,
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$License,
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$LicenseName,
        [parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]$UsageLocation="DE"
    )

    foreach ($User in (Get-ADGroupMember -Identity $GroupName)) {
	$User = Get-ADUser -Identity $User -Properties UserPrincipalName
	$MsOlUser =  Get-MsolUser -UserPrincipalName $User.UserPrincipalName -ErrorAction SilentlyContinue 

	if ($MsOlUser -ne $null) {
		Write-Host ("Found Office 365 User: " + $MsOlUser.UserPrincipalName)
        	Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation $UsageLocation

		if ($MSOlUser.IsLicensed -eq $false) {
			Write-Host ("User not licensed - assigning license: " + $LicenseName)
        		Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $License
		}
		else {
			if ($MSOlUser.Licenses[0].AccountSkuId -ne $LicenseName) {
				Write-Host ("User licensed with wrong license - assigning license: " + $LicenseName)
        		Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $License
			}
			else {
				Write-Host ("User has already a correct license assigned: " + $LicenseName)
			}
		}
	}
    }

}

Import-Module MSOnline

$Username = "xxxxx"
$Password = "xxxxx"

# Convert the plain text password to a secure string
$SecurePassword=ConvertTo-SecureString –String $Password –AsPlainText –force
$Credential=New-object System.Management.Automation.PSCredential $Username,$SecurePassword

# Create new Office 365 license options
$LicenseOfficeProPlus = New-MsolLicenseOptions -AccountSkuId "SUBSCRIPTION_NAME:OFFICESUBSCRIPTION"
$LicenseE3withoutExchange = New-MsolLicenseOptions -AccountSkuId "SUBSCRIPTION_NAME:ENTERPRISEPACK" -DisabledPlans "EXCHANGE_S_ENTERPRISE"

# Connect to Microsoft Office 365 tenant
Connect-MsolService -Credential $credential

# Assign licenses based on Active Directory group membership
Set-MSOLLicenseToADGroupMembers -GroupName "O365_PROPLUS" -License $LicenseOfficeProPlus -LicenseName "SUBSCRIPTION_NAME:OFFICESUBSCRIPTION" -UsageLocation "DE"
Set-MSOLLicenseToADGroupMembers -GroupName "O365_E3" -License $LicenseE3withoutExchange -LicenseName "SUBSCRIPTION_NAME:ENTERPRISEPACK" -UsageLocation "DE"

2 Comments

chris

2017-01-19T11:43:15+01:000000001531201701 at 11:43

Hi. thanks for the code.
May I ask where should I locate this script file? ADFS or local AD

Michael Miklis

2017-01-24T15:08:27+01:000000002731201701 at 15:08

In most of my installations I put the script on the same server that is running the Azure AD Connect service.

Assign Office 365 licenses based on Active Directory groups

Leave Your Comment Cancel reply