So here we are on election day and if you’re like me, you’re probably more than a little bit ready to think about something other than someone else’s political opinion. Well, here I am to help you out with a little diddy on licensing your users in Office 365.
Since managing licenses for thousands of individuals can become a struggle, most organizations will use some kind of automation. Something like the sample below can be scheduled to run and apply licenses with specific features based on a specific scenario. This works great if you don’t have any other options, but group based licensing doesn’t require any kind of on premises (or Azure) automation so if you’ve got licensing for it, definitely use it!
if($_.UserPrincipalName -like “*@domain2.com”) {
# Disabled Plans – Customize to meet the needs of AA
$DisabledPlans= @()
$disabledPlans +=“Stream_O365_E3”
$disabledPlans +=“TEAMS1”
$disabledPlans +=“DESKLESS”
$disabledPlans +=“FLOW_O365_P2”
$disabledPlans +=“POWERAPPS_O365_P2”
$disabledPlans +=“OFFICE_FORMS_PLAN_2”
$disabledPlans +=“PROJECTWORKMANAGEMENT”
$disabledPlans +=“YAMMER_EDU”
$disabledPlans +=“EXCHANGE_S_STANDARD”
$disabledPlans +=“MCOSTANDARD”
Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation US
$AccountSkuId = “org:LicenseName”
$Option = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $DisabledPlans
Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -LicenseOptions $Option -AddLicenses $AccountSkuId
}
Elseif ($_.UserPrincipalName -like “*domain.com”) {
#Disabling only EXO for another business unit
$DisabledPlans= @()
$DisabledPlans +=“EXCHANGE_S_STANDARD”
Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation US
$AccountSkuId = “org:LicenseName”
$Option = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $DisabledPlans
Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -LicenseOptions $Option -AddLicenses $AccountSkuId
}
}
The struggle is that you’ll want to use a dynamic group to do it and it will require a filter to work. If you apply a dynamic group and the filter is wrong you might unlicense your users or overcommit, causing service disruption for those users. The first step is to determine which users will need which licenses. The easy ones that need to be considered are any users with mail hosted in Exchange Online that require licensing (everything but resource, shared, or discovery mailboxes). Those mailboxes will need to be included in the dynamic group we’ll create next, so let’s filter out everything else that needs to be excluded.
$Resources = Get-RemoteMailbox -resultsize unlimited | where {($_.RecipientTypeDetails -ne ‘userMailbox’) -and ($_.recipientTypeDetails -ne ‘DiscoveryMailbox’)}
Now that we’ve gathered what needs to be excluded from the group, let’s update any on premises attribute that’s replicated to Azure and can be filtered . I prefer to use ExtensionAttribute 1-15 if they’re available, but also leverage the ‘info’ attribute on premises so you can be granular with scripting logic later if you have to. In my case I chose to filter out anything with the word ‘Resource’ in ExtensionAttribute1:
$Resources| foreach{
[string]$upn = $_.userprincipalname
$user = Get-ADUser -Properties info,extensionattribute1,distinguishedname -filter {userprincipalname -eq $upn}
Since the info attribute is multivalued we’ll want to make sure we don’t bulldoze what’s already in the attribute before setting it. In this case I’m checking to see if there’s anything there and if there is, we’ll add ‘Resource’ on a new line in the same attribute.
if($user.info -eq $null)
{
Set-ADUser $Sam -Replace @{info=‘Resource’;extensionAttribute1=‘Resource’}
}
Else{
Set-ADUser $Sam -Replace {info=“$($user.info)`r`nresource“;extensionAttribute1=‘Resource’}
Set-ADUser $Sam -Replace @{info=“resource”;extensionAttribute1=‘Resource’}
}
}
Great! Now that we’ve set an attribute to be excluded by the filter, let’s make the dynamic group in Azure to assign those licenses to. Since I’m a Shell kindof guy, here’s a sample to create the group.
New-AzureADMSGroup -DisplayName “Licensing – E3” `
-Description “Dynamic group created to automatically assign licenses to mail enabled users” `
-MailEnabled $False -MailNickName “group” -SecurityEnabled $True -GroupTypes “DynamicMembership” `
-MembershipRule “(user.mail -ne null) -and (user.AccountEnabled -eq True) -and (user.extensionattribute1 -ne ‘Resource’)” `
-MembershipRuleProcessingState “On”
Now that the more complicated portion of creating the dynamic group that fits your users, the last thing left to do is follow the simple documentation to assign licenses and features to that particular group.
Here’s to my favorite kind of people out there, those who know how to stuff the ballot box as well as their faces! #VotePizza #ChicagoStyle #LouMalnatti’s
