Body:
The never ending story about Office 365 licensing continues… This time it’s an extension of Johan script to assign licenses based on groups, with additional functionality to remove and change licenses for users.
I’ve come across scenarios where this have been a requirement a couple of times, and wanted to see how much work that was required to get the job done. 🙂
If you just want to assign licenses for users based on groups, plain and simple, this is not the script for you…
Running the script
The script is tested in a tenant with two different license types (E1 and E3). Therefore, the functionality has been verified against that, so if you have three or four different licenses to assign in your tenant, you have to do your own testing! 🙂
The following functions are included in the script:
- Assignment of licenses for new users based on groups/licenseSKU’s in the $licenses hashtable
- Switch of licensetype if a user is moved from one group to another
- Removal of license if the user no longer is a member in any of the license assignment groups
IMPORTANT: Since the script actually will remove licenses for users that are not in any of the groups, you have to make sure that you populate the license assignment groups prior to first time running the script.
Apart from the above, the script requirements and setup details are the same as in this post.
LicenseO365Users.ps1
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 |
<# .SYNOPSIS Script that assigns Office 365 licenses based on Group membership in WAAD. .DESCRIPTION The script assigns of licenses for new users based on groups/licenseSKUs in the $licenses hashtable. It switch licensetype if a user is moved from one group to Another. It removes the license if the user no longer is a member in any of the license assignment Groups. .NOTES Author: Johan Dahlbom Blog: 365lab.net Email: johan[at]dahlbom.eu The script are provided “AS IS” with no guarantees, no warranties, and they confer no rights. #> #Import Required PowerShell Modules Import-Module MSOnline
#Office 365 Admin Credentials $CloudUsername = ‘admin@365lab.net’ $CloudPassword = ConvertTo-SecureString ‘Password’ -AsPlainText -Force $CloudCred = New-Object System.Management.Automation.PSCredential $CloudUsername, $CloudPassword
#Connect to Office 365 Connect-MsolService -Credential $CloudCred
$Licenses = @{ ‘E1’ = @{ LicenseSKU = ‘mstlabs:STANDARDPACK’ Group = ‘E1_Users’ }
‘E3’ = @{ LicenseSKU = ‘mstlabs:ENTERPRISEPACK’ Group = ‘E3_Users’ } }
$UsageLocation = ‘SE’
#Get all currently licensed users and put them in a custom object $LicensedUserDetails = Get-MsolUser -All | Where-Object {$_.IsLicensed -eq ‘True’} | ForEach-Object { [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName License = $_.Licenses.AccountSkuId } }
#Create array for users to change or delete $UsersToChangeOrDelete = @()
foreach ($license in $Licenses.Keys) {
#Get current group name and ObjectID from Hashtable $GroupName = $Licenses[$license].Group $GroupID = (Get-MsolGroup | Where-Object {$_.DisplayName -eq $GroupName}).ObjectId $AccountSKU = Get-MsolAccountSku | Where-Object {$_.AccountSKUID -eq $Licenses[$license].LicenseSKU}
Write-Output “Checking for unlicensed $license users in group $GroupName with ObjectGuid $GroupID…” #Get all members of the group in current scope $GroupMembers = (Get-MsolGroupMember -GroupObjectId $GroupID).EmailAddress #Get all already licensed users in current scope $ActiveUsers = ($LicensedUserDetails | Where-Object {$_.License -eq $licenses[$license].LicenseSKU}).UserPrincipalName
$UsersToHandle = ”
if ($GroupMembers) { if ($ActiveUsers) {
#Compare $Groupmembers and $Activeusers #Users which are in the group but not licensed, will be added #Users licensed, but not, will be evaluated for deletion or change of license $UsersToHandle = Compare-Object -ReferenceObject $GroupMembers -DifferenceObject $ActiveUsers -ErrorAction SilentlyContinue -WarningAction SilentlyContinue $UsersToAdd = ($UsersToHandle | Where-Object {$_.SideIndicator -eq ‘<='}).InputObject $UsersToChangeOrDelete += ($UsersToHandle | Where-Object {$_.SideIndicator -eq ‘=>’}).InputObject
} else {
#No licenses currently assigned for the license in scope, assign licenses to all group members. $UsersToAdd = $GroupMembers
}
} else {
Write-Warning “Group $GroupName is empty – will process removal or move of all users with license $($AccountSKU.AccountSkuId)” #If no users are a member in the group, add them for deletion or change of license. $UsersToChangeOrDelete += $ActiveUsers
}
#Check the amount of licenses left… if ($AccountSKU.ActiveUnits – $AccountSKU.consumedunits -lt $UsersToAdd.Count) { Write-Warning ‘Not enough licenses for all users, please remove user licenses or buy more licenses’ }
foreach ($User in $UsersToAdd){
#Process all users for license assignment, if not already licensed.
if ((Get-MsolUser -UserPrincipalName $User).IsLicensed -eq $false) { try {
#Assign UsageLocation and License. Set-MsolUser -UserPrincipalName $User -UsageLocation $UsageLocation -ErrorAction Stop -WarningAction Stop Set-MsolUserLicense -UserPrincipalName $User -AddLicenses $AccountSKU.AccountSkuId -ErrorAction Stop -WarningAction Stop Write-Output “SUCCESS: Licensed $User with $license”
} catch {
Write-Warning “Error when licensing $User”
}
}
} }
#Process users for change or deletion if ($UsersToChangeOrDelete -ne $null) { foreach ($User in $UsersToChangeOrDelete) { if ($user -ne $null) {
#Fetch users old license for later usage $OldLicense = ($LicensedUserDetails | Where-Object {$_.UserPrincipalName -eq $User}).License
#Loop through to check if the user group assignment has been changed, and put the old and the new license in a custom object. #Only one license group per user is currently supported. $ChangeLicense = $Licenses.Keys | ForEach-Object { $GroupName = $Licenses[$_].Group if (Get-MsolGroupMember -GroupObjectId (Get-MsolGroup | Where-Object {$_.DisplayName -eq $GroupName}).ObjectId | Where-Object {$_.EmailAddress -eq $User}) { [pscustomobject]@{ OldLicense = $OldLicense NewLicense = $Licenses[$_].LicenseSKU } }
}
if ($ChangeLicense) {
#The user were assigned to another group, switch license to the new one. try {
Set-MsolUserLicense -UserPrincipalName $User -RemoveLicenses $ChangeLicense.OldLicense -AddLicenses $ChangeLicense.NewLicense -ErrorAction Stop -WarningAction Stop Write-Output “SUCCESS: Changed license for user $User from $($ChangeLicense.OldLicense) to $($ChangeLicense.NewLicense)”
} catch {
Write-Warning “Error when changing license on $User`r`n$_”
}
} else {
#The user is no longer a member of any license group, remove license Write-Warning “$User is not a member of any group, license will be removed… “
try {
Set-MsolUserLicense -UserPrincipalName $User -RemoveLicenses $OldLicense -ErrorAction Stop -WarningAction Stop Write-Output “SUCCESS: Removed $OldLicense for $User”
} catch {
Write-Warning “Error when removing license on user`r`n$_”
} } } } } |
Hope this helps you if having this scenario, please let me know if you have features requests or other things that can improve the script!
