PowerShell: Control and Automate the Licensing of Office 365 Users

If you are familiar with my other PowerShell scripts, this isn’t as complete or polished as them, but it gets the job done, and that’s all we can really ask for, right? Let’s say it’s in early beta.

The purpose of this script is to automate the process of setting the location and Office 365 license for users, using a local Active Directory to specify the users. You can of course just get all unlicensed users in Office 365 and license them, but this script is designed to allow you to control exactly which users are being licensed using your on-premises Active Directory. This is not exactly a new topic, but hopefully this post will be of use to someone.

For more information on assigning Office 365 licenses via PowerShell, please check out this post on docs.microsoft.com: Assign licenses to user accounts with Office 365 PowerShell

 

Installing the MSOnline PowerShell Module

We’ll be using the Connect-MsolService, Set-MsolUser and Set-MsolUserLicense cmdlets, so you’ll need to install the MSOnline PowerShell module. You can do this by running the following command in an elevated PowerShell command window:

Install-Module MSOnline

You’ll be asked if you want to install the module; you should choose “yes”. 🙂

Once this is done, you should be able to run Connect-MsolService in PowerShell and be prompted for credentials.

Let’s get into the PowerShell script.

The first thing to do is connect to Office 365. You can do this by entering the password in the script, or you can create an encrypted file with the password for some actual security… but for the purposes of this post, we’ll be entering the password in plain text.

## Log in to the O365 service
$O365User = "adminuser@contoso.onmicrosoft.com"
$O365Pwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
$O365Cred = New-Object System.Management.Automation.PSCredential $O365User, $O365Pwd

## Connect to Azure AD
Connect-MsolService -Credential $O365Cred
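
The encrypted-file option mentioned above, as an added example that is not part of the original script: the credential is saved once with Export-Clixml, which on Windows protects the password with DPAPI so only the same user on the same computer can read it back. The file path is a hypothetical location chosen for illustration.

```powershell
## Added example: load the admin credential from a DPAPI-protected file
## instead of typing the password into the script.
## Hypothetical path; restrict its NTFS permissions to the account that runs the script.
$CredPath = "C:\Scripts\O365Cred.xml"

If (-not (Test-Path -Path $CredPath))
{
    If ([Environment]::UserInteractive)
    {
        ## One-time setup: run this interactively as the SAME account, on the SAME
        ## computer, that will run the script later (e.g. the Scheduled Task account).
        Get-Credential -Message "Office 365 admin account" | Export-Clixml -Path $CredPath
    }
    Else
    {
        ## Never prompt from an unattended run; fail with a clear message instead
        Throw "Credential file $CredPath is missing. Create it interactively first."
    }
}

Try
{
    ## Fails if the file was created by another user or on another computer
    $O365Cred = Import-Clixml -Path $CredPath -ErrorAction Stop
}
Catch
{
    Throw "Could not load ${CredPath}: $($_.Exception.Message)"
}

## Guard against an empty or tampered file before using it
If ($O365Cred -isnot [System.Management.Automation.PSCredential])
{
    Throw "$CredPath does not contain a PSCredential object"
}

## Connect to Azure AD
Connect-MsolService -Credential $O365Cred
```

Copying the file to another machine or reading it as a different user yields a decryption error, which is the property that makes it safer than a password literal in the script.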

Now we’ll query the on-premises Active Directory to get the users we want to license for Office 365. In this example, I’m querying an Organisational Unit, but you could query a group, by an attribute or indeed any way that you can query AD.

## Get Users from local AD to compare to Azure AD
$ADUsers = Get-ADUser -Filter * -SearchBase 'OU=people,DC=contoso,DC=com'

In this example, I’m querying a group for the users.

## Get users from a local AD group
$ADUsers = Get-ADGroupMember -identity "O365_Users" -Recursive | Get-ADUser

Next we’ll count the number of unlicensed users, using our list of users obtained previously.

The script here is going through each of the users from the query of AD above, using the UserPrincipalName attribute from local AD and finding the user in Office 365. If the user is unlicensed, the script outputs some text to the variable $LicNo, which we then count in the next section.

## Count the users who are not licensed
$LicNo = ForEach ($ADUser in $ADUsers)
{
    ## Get Azure AD users by UPN
    $UserLic = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName

    ## If user has no license, output something so we can count it
    If ($UserLic.IsLicensed -eq $false)
    {
        Write-output "$($ADUser.UserPrincipalName) is unlicensed"
    }
}

Now the script counts the users which are unlicensed. If the number does not equal zero, it continues. If it does equal zero, the script completes without doing any more tasks.

Once again the user is obtained by using the data from the local AD query. The user in Office 365 is obtained by the UPN and then, if the user has no license, the location and license are set.

To find out what your licenses are, run Get-MsolAccountSku in an elevated PowerShell session.

For the Usage Location, Microsoft say that it must be a “valid ISO 3166-1 alpha-2 country code”, for example: US for United States, FR for France, GB for Great Britain. Source: Assign licenses to user accounts with Office 365 PowerShell

If ($LicNo.count -ne 0)
{
    ## For each user
    ForEach ($ADUser in $ADUsers)
    {
        ## Get Azure AD users by UPN
        $UserLic = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName

        ## If user has no license, set one.
        If ($UserLic.IsLicensed -eq $false)
        {
            Set-MsolUser -UserPrincipalName $ADUser.UserPrincipalName -UsageLocation GB
            Set-MsolUserLicense -UserPrincipalName $ADUser.UserPrincipalName -AddLicenses contosocom:ENTERPRISEPACK
        }
    }
}
## End
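
A single-pass variant of the licensing loop, added here as an example and not the author's script: it skips disabled AD accounts and users not yet present in Azure AD, checks that the SKU still has free units, and reports per-user failures. It assumes Connect-MsolService has succeeded and $ADUsers is populated as above; $Sku and $Location are illustrative variable names holding the values used in this post.

```powershell
## Added example: license users in one pass with basic safety checks
$Sku      = "contosocom:ENTERPRISEPACK"   # value from this post; list yours with Get-MsolAccountSku
$Location = "GB"

## Work out how many licenses are free before assigning any
$SkuInfo = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $Sku }
If (-not $SkuInfo)
{
    Throw "SKU $Sku was not found in this tenant"
}
$Free = $SkuInfo.ActiveUnits - $SkuInfo.ConsumedUnits

ForEach ($ADUser in $ADUsers)
{
    $Upn = $ADUser.UserPrincipalName

    ## Do not hand cloud licenses to disabled accounts or accounts without a UPN
    If (-not $ADUser.Enabled) { Write-Warning "$($ADUser.SamAccountName) is disabled, skipped"; Continue }
    If ([string]::IsNullOrWhiteSpace($Upn)) { Write-Warning "$($ADUser.SamAccountName) has no UPN, skipped"; Continue }

    ## A user that has not been synced yet returns nothing instead of stopping the run
    $UserLic = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    If (-not $UserLic) { Write-Warning "$Upn not found in Azure AD, skipped"; Continue }

    ## Already licensed: nothing to do
    If ($UserLic.IsLicensed) { Continue }

    If ($Free -le 0) { Write-Warning "No free $Sku licenses, $Upn not licensed"; Continue }

    Try
    {
        Set-MsolUser -UserPrincipalName $Upn -UsageLocation $Location -ErrorAction Stop
        Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $Sku -ErrorAction Stop
        $Free--
        Write-Output "$Upn licensed with $Sku"
    }
    Catch
    {
        Write-Warning "Failed to license ${Upn}: $($_.Exception.Message)"
    }
}
```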

I have posted the complete script at the end of this post.

Once run, this script should appropriately license the specified users for Office 365. You could set this up as a Scheduled Task to automate the process completely. I have added my standard logging and e-mail features to my own version of this script and will post the final, more complete package in the near future.

Thanks for reading, I hope this helps you out.

 

If you’d like to get in touch with me, please leave a comment or tweet me.

-Mike

Follow Mike on Twitter: @Digressive

 

The Complete Script

## Log in to the O365 service
$O365User = "adminuser@contoso.onmicrosoft.com"
$O365Pwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
$O365Cred = New-Object System.Management.Automation.PSCredential $O365User, $O365Pwd
 
## Connect to Azure AD
Connect-MsolService -Credential $O365Cred

## Get Users from local AD to compare to Azure AD
$ADUsers = Get-ADUser -Filter * -SearchBase 'OU=people,DC=contoso,DC=com'

## Count the users who are not licensed
$LicNo = ForEach ($ADUser in $ADUsers)
{
    ## Get Azure AD users by UPN
    $UserLic = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName
 
    ## If user has no license, output something so we can count it
    If ($UserLic.IsLicensed -eq $false)
    {
        Write-output "$($ADUser.UserPrincipalName) is unlicensed"
    }
}

If ($LicNo.count -ne 0)
{
    ## For each user
    ForEach ($ADUser in $ADUsers)
    {
        ## Get Azure AD users by UPN
        $UserLic = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName
 
        ## If user has no license, set one.
        If ($UserLic.IsLicensed -eq $false)
        {
            Set-MsolUser -UserPrincipalName $ADUser.UserPrincipalName -UsageLocation GB
            Set-MsolUserLicense -UserPrincipalName $ADUser.UserPrincipalName -AddLicenses contosocom:ENTERPRISEPACK
        }
    }
}
## End
