Editor’s Note: This blog post is the fourth in a four-part blog series from Adaxes.
Azure Active Directory (AAD) is the identity management solution that powers Office 365, and just like on-premises Active Directory (AD), requires careful management to avoid security problems. But management and security are not the only concerns, and a common problem that organizations face is how to automate the assignment and revocation of Office 365 licenses.
Microsoft doesn’t provide a turnkey solution for managing Office 365 licenses through the full lifecycle, but there are ways to automate the assignment of licenses using PowerShell. If you need to ensure that users have the correct licenses assigned, and that they’re automatically revoked as users are deprovisioned, then look to a third-party solution, such as Softerra Adaxes.
PowerShell AAD Module
PowerShell can be used to create new users in the directory associated with your Office 365 tenant, and at the same time you can assign Office 365 licenses, or assign and remove licenses after the fact. Before you can use the cmdlets below, you’ll need to install the AAD PowerShell Module, which can be found here.
Use Connect-MsolService to log in to Office 365, and then run the Get-MsolAccountSku cmdlet to get a list of available licensing plans (AccountSkuId) and licenses accessible from your Office 365 subscription.
The New-MsolUser cmdlet can be used with the -LicenseAssignment parameter to assign licenses when a user is provisioned:
New-MsolUser -UserPrincipalName [email protected] -DisplayName 'User 2' -FirstName User -LastName 2 -Password ********* -ForceChangePassword $true -LicenseAssignment rsitc2:LITEPACK
Or Set-MsolUserLicense to assign Office 365 licenses to existing users:
Set-MsolUserLicense -UserPrincipalName [email protected].com -AddLicenses rsitc2:LITEPACK
For more information on using PowerShell to manage Office 365, see Use PowerShell to Create and Assign Licenses to Office 365 Users on the Petri IT Knowledgebase.
Office 365 Gallery Script
The Office 365 gallery contains an unsupported PowerShell script that uses AD attributes to determine whether users should be assigned Office 365 licenses. The script reads attributes stored in AAD by default, or using the -MasterOnPremise switch, can read attribute values in on-premises AD instead.
In the example below, -AdminUser specifies the account used to connect to AAD, and -LicenseAttribute names the AD attribute that must be set before an E3 plan license is assigned to each user that matches the criteria.
ActivateMSOLUser.ps1 -AdminUser [email protected] -Licenses E3 -LicenseAttribute msDS-cloudExtensionAttribute1 -MasterOnPremise
For more information and to download the script, see Assign Office 365 Licenses automatically based on AD Attribute in the Office 365 gallery.
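The two approaches above (assigning with Set-MsolUserLicense, and gating assignment on an on-premises AD attribute the way the gallery script does) can be combined in one scheduled script that also revokes licenses from disabled accounts, which is where leftover access usually hides. This is an added example, not code from the post, the gallery script or Adaxes; it assumes the AccountSkuId rsitc2:LITEPACK and the attribute msDS-cloudExtensionAttribute1 from the post, that the ActiveDirectory module is installed, and that AAD Connect has already synchronized the users.

```powershell
# Added example: attribute-driven license assignment plus revocation on deprovisioning,
# built from the MSOnline cmdlets discussed in the post. SKU and attribute names are
# taken from the post; the usage location is an assumed value.
Import-Module MSOnline
Import-Module ActiveDirectory

$Sku           = 'rsitc2:LITEPACK'
$LicenseAttr   = 'msDS-cloudExtensionAttribute1'
$UsageLocation = 'US'   # a license cannot be assigned until UsageLocation is set

# Connect with an account holding only a user-management admin role, not Global Admin.
Connect-MsolService

# Stop early if the plan does not exist or is exhausted, instead of failing half-way.
$plan = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $Sku }
if (-not $plan) { throw "SKU $Sku not found in this tenant" }
$available = $plan.ActiveUnits - $plan.ConsumedUnits

# 1. Assign: enabled on-premises users whose attribute is set to 1 get the license.
$wanted = Get-ADUser -Filter "$LicenseAttr -eq '1'" | Where-Object { $_.Enabled }
foreach ($adUser in $wanted) {
    $upn   = $adUser.UserPrincipalName
    $cloud = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $cloud) { Write-Warning "$upn not yet synchronized to AAD"; continue }
    if ($cloud.Licenses.AccountSkuId -contains $Sku) { continue }   # already licensed
    if ($available -le 0) { Write-Warning "No $Sku units left; skipping $upn"; continue }
    if (-not $cloud.UsageLocation) {
        Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
    }
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $Sku
    $available--
    Write-Output "Assigned $Sku to $upn"
}

# 2. Revoke: any licensed account that is disabled in AD, or sign-in blocked in AAD,
#    loses the license so deprovisioned users do not keep service access.
Get-MsolUser -All | Where-Object { $_.Licenses.AccountSkuId -contains $Sku } | ForEach-Object {
    $upn      = $_.UserPrincipalName
    $onPrem   = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
    $disabled = $_.BlockCredential -or ($onPrem -and -not $onPrem.Enabled)
    if ($disabled) {
        Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $Sku
        Write-Output "Revoked $Sku from $upn (account disabled)"
    }
}
```

Run it on a schedule and keep the output: the Assigned/Revoked lines give you an audit trail of license changes that the MSOnline cmdlets do not otherwise leave behind.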
C# Automation Service
Microsoft provides details about how it manages Office 365 licensing in Automating licensing for Office 365 in a hybrid environment. It developed a C# automation service application that runs on Windows Server, and assigns licenses as new users are created in on-premises AD and synchronized to AAD.
Microsoft’s script uses the Graph API to return a list of users based on information provided in an XML config file. PowerShell is then used to select users that have certain attributes, such as an email address in a specific format, and add them to a group. The automation service then assigns licenses to users according to their group membership.
PowerShell and Microsoft’s automation service both require knowledge of scripting and C#, and significant effort is required to tailor these solutions to your organization’s needs. Implementing a service to manage Office 365 licenses will also require compute resources, and none of the solutions provide a means for revoking licenses.
Adaxes allows system administrators to assign Office 365 licenses automatically based on a set of conditions, such as an AD attribute, and automatically removes licenses as users are deprovisioned. And because Adaxes is an integrated solution, a modification to an AD user account that triggers a condition-based automation rule grants or revokes the Office 365 license in real time, without waiting for a scheduled script to run. To complete the user provisioning process, Adaxes can also create Exchange Online mailboxes for users, and event-driven rules can be set up to configure mailbox features, such as enabling Unified Messaging, archiving, and setting storage limits.
Unlike the disparate management tools provided by Microsoft, Adaxes provides one management pane for managing AD and the additional features provided by Office 365, making management easier for Help Desk and IT staff. Web management consoles let employees keep their personal information up to date, and let IT staff work with a streamlined interface that can be customized with company branding, with features added or removed as required.
Role-Based Access Control (RBAC) can be used to grant users access to Office 365 management features based on the principle of least privilege. For example, managers can be given permission to approve license assignment requests without granting access to the entire tenant. It’s also worth mentioning that Adaxes supports management of multiple Office 365 tenants in one administrative environment. An Office 365 tenant can be associated with users in chosen OUs, groups, or one or more AD domains.
For more information about how to use Adaxes to automate Office 365 licensing, see Softerra’s website.