Bechtle-Blog Office 365 PowerShell

Assign Office 365 licenses based on Active Directory groups

Dec 4,2016 / By / 2 Comments

I’ve done several Microsoft Office 365 project with together with some of our customers. In most implementations I was asked if there’s a way to assign Office 365 licenses (a.k.a. plans) to users based on their Active Directory group memberships.

Most companies have built their entire permission model on Microsoft Active Directory. With Active Directory Federation Services (ADFS) Microsoft offers a powerful and great tool for synchronizing user and group account from the customers on-premise environment into the Office 365 cloud.

Unfortunately there is no built-in technique to automatically assign licenses. Therefore I wrote a small PowerShell script to complete this task.

You just need to modify the on the end to match your environment (username, password, group names, e.g.):

######################################################################
## (C) 2016 Michael Miklis (michaelmiklis.de)
##
##
## Filename:      Set-MSOLLicenseToADGroupMembers.ps1
##
## Version:       1.0
##
## Release:       Final
##
## Requirements:  -none-
##
## Description:   Assign Office 365 Licenses based on Active Directory
##                Groups.
##
## This script is provided 'AS-IS'.  The author does not provide
## any guarantee or warranty, stated or implied.  Use at your own
## risk. You are free to reproduce, copy & modify the code, but
## please give the author credit.
##
####################################################################
Set-PSDebug -Strict
Set-StrictMode -Version latest
 

function Set-MSOLLicenseToADGroupMembers {
    <#
    .SYNOPSIS
    Assigns Office 365 Licenses to Memebers of AD-Group
 
    .DESCRIPTION
    The Set-MSOLLicenseToADGroupMembers CMDlet gets all users from a
    specified AD-Group and assigns a specified Office 365 License to
    the corrosponding Office 365 identities
 
    .PARAMETER GroupName
    Name of the Active Group
 
    .PARAMETER License
    Name of the License

    .PARAMETER UsageLocation
    Name of the Location
 
    .EXAMPLE
    Set-MSOLLicenseToADGroupMembers -GroupName "Office365_E3" -License "contoso:ENTERPRISEPACK"

    #>
     
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$GroupName,
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$License,
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$LicenseName,
        [parameter(Mandatory=$false)]
        [ValidateNotNullOrEmpty()]$UsageLocation="DE"
    )

    foreach ($User in (Get-ADGroupMember -Identity $GroupName)) {
	$User = Get-ADUser -Identity $User -Properties UserPrincipalName
	$MsOlUser =  Get-MsolUser -UserPrincipalName $User.UserPrincipalName -ErrorAction SilentlyContinue 

	if ($MsOlUser -ne $null) {
		Write-Host ("Found Office 365 User: " + $MsOlUser.UserPrincipalName)
        	Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation $UsageLocation

		if ($MSOlUser.IsLicensed -eq $false) {
			Write-Host ("User not licensed - assigning license: " + $LicenseName)
        		Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $License
		}
		else {
			if ($MSOlUser.Licenses[0].AccountSkuId -ne $LicenseName) {
				Write-Host ("User licensed with wrong license - assigning license: " + $LicenseName)
        		Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $License
			}
			else {
				Write-Host ("User has already a correct license assigned: " + $LicenseName)
			}
		}
	}
    }

}

Import-Module MSOnline

$Username = "xxxxx"
$Password = "xxxxx"

# Convert the plain text password to a secure string
$SecurePassword=ConvertTo-SecureString –String $Password –AsPlainText –force
$Credential=New-object System.Management.Automation.PSCredential $Username,$SecurePassword

# Create new Office 365 license options
$LicenseOfficeProPlus = New-MsolLicenseOptions -AccountSkuId "SUBSCRIPTION_NAME:OFFICESUBSCRIPTION"
$LicenseE3withoutExchange = New-MsolLicenseOptions -AccountSkuId "SUBSCRIPTION_NAME:ENTERPRISEPACK" -DisabledPlans "EXCHANGE_S_ENTERPRISE"

# Connect to Microsoft Office 365 tenant
Connect-MsolService -Credential $credential

# Assign licenses based on Active Directory group membership
Set-MSOLLicenseToADGroupMembers -GroupName "O365_PROPLUS" -License $LicenseOfficeProPlus -LicenseName "SUBSCRIPTION_NAME:OFFICESUBSCRIPTION" -UsageLocation "DE"
Set-MSOLLicenseToADGroupMembers -GroupName "O365_E3" -License $LicenseE3withoutExchange -LicenseName "SUBSCRIPTION_NAME:ENTERPRISEPACK" -UsageLocation "DE"
You may also like
Disable IPv6 in Windows for a specific network connection only
Change DNS settings on multiple Windows Servers and Workstations
Using Windows certificate store in Mozilla Firefox
2 Comments
  • chris
    2017-01-19T11:43:15+00:000000001531201701 at 11:43
    Reply

    Hi. thanks for the code.
    May I ask where should I locate this script file? ADFS or local AD

    • Michael Miklis
      2017-01-24T15:08:27+00:000000002731201701 at 15:08
      Reply

      In most of my installations I put the script on the same server that is running the Azure AD Connect service.

Leave Your Comment

Your Comment*

Your Name*
Your Webpage

ABOUT ME
Michael has been working for more than a decade as a senior systems engineer for Bechtle AG. Michael has managed mid-size to large-scale infrastructure and virtualization projects with customers in all major industries.