Tag Archives: AD

Automatically Assign Licences to New Office 365 Accounts

Here’s the scenario: Users are created in Active Directory, on-premise.  The AD Sync Service then will sync up the user account to Office 365.  However, a license is not assigned.  The rule of thumb when assigning new licenses is that people in the call center get an E1 license and the rest of the employees get an E3 license.  The identifying characteristic for the call center users is that their email address is <someone>@mycallcenter.com and everyone else has a different domain for their email.  For your use case, you may have other specific identifiers to help determine the appropriate license.  If one size fits all, you can eliminate the the lines to change to an E1 license and leave the default.

I chose to use a security group to identify users that need a license assigned.  In this case it’s “ADGroup-UsersNeedingLicenses”  When the script runs it will iterate through all members of that security group  and check to see if the account has synchronized up with Office 365.  If the account is there, it will evaluate which license to assign and then assign it.  It will then get the user’s licenses from Office 365 and display them so you can validate that it was updated.  It then removes the user from the security group and we’re done.

If you like, you can set this on a scheduled task to automatically assign licenses to new users on an interval.  One would need to store credentials in a file in order for it to be automated.  I like it because it’s one less administrative task I need to deal with.  I can create the account in AD then go take care of other things.  I come back after a bit and then the user is synchronized and licensed.

<# Get credentials to connect to Office 365 using PowerShell#>
$Password = Get-Content j:\myscripts\ADCredentials.txt | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential("ServiceAccount@company.onmicrosoft.com",$password)

<# Connect to MSOL #>
Connect-MsolService -Credential $credential

<# Get AD Users designated for license assignment #>
$usersNeedingLicense = Get-ADGroupMember -Identity ADGroup-UsersNeedingLicenses

<# Iterate through the collection of AD users designated for license assignment #>
ForEach ($ADUser in $usersNeedingLicense){
 $ADUser = Get-ADUser -Identity $ADUser -Properties *
 "AD UPN: " + $ADUser.UserPrincipalName
 
 Try {
 $o365User = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName -ErrorAction Stop
 $licenseType = "mycompany:ENTERPRISEPACK" <# set default to E3 #>
 If ( $ADUser.UserPrincipalName.Contains("@mycallcenter.com")){$licenseType="mycompany:STANDARDPACK"} <# Assign E1 #>

 "Assign: $licenseType"
 <# Locate and assign license using matching UPN #>
 Set-MsolUser -UserPrincipalName $ADUser.UserPrincipalName -UsageLocation "US" <# Set user licensing to Unites States #>
 Set-MsolUserLicense -UserPrincipalName $ADUser.UserPrincipalName -AddLicenses $licenseType
 <# view for validation #>
 Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName | fl UserPrincipalName, Licenses
 <# Remove AD user from ADGroup-UsersNeedingLicenses #>
 Remove-ADGroupMember -Identity ADGroup-UsersNeedingLicenses -Members $ADUser.SamAccountName -Confirm:$false
 }

 Catch [System.Exception]{
 $ADUser.UserPrincipalName + " is not in Office 365 yet."
 $error
 }
 Finally {$error.Clear() }
}