Hello World, Daniel Lucas and Eroilton Borges here, with special thanks to Rodrigo Fonseca for helping with Hybrid Identity and for reviewing and contributing to this post, to talk about how to automatically assign Office 365 licenses in Azure AD without needing to run PowerShell commands.
Today, when a new user needs an Office 365 license, it is necessary to run a PowerShell command to set a usage location and then assign a license. (Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator should specify the Usage location property on the user.)
But now it is possible to assign licenses in Azure AD based on groups, which is extremely helpful because you don't need to run a script for every new user in your organization.
First, we need to stop the sync process before changing the rules:
Set-ADSyncScheduler -SyncCycleEnabled $false
To complete this task, two steps are necessary:
1 – Add an AAD Connect Synchronization rule to populate the attribute UsageLocation in Azure AD.
2 – Select Office 365 Products to assign license based on groups.
AAD Connect Sync Rules:
We'll create two rules in AAD Connect:
Note: The precedence number cannot conflict with any number in your rules. In our environment we set the numbers below, but you need to ensure that you don't have any rules with the same precedence number.
1 – If the attribute “UsageLocation” is Null or Empty, we'll populate it with a unique country code (in my example, “US”).
2 – Populate the ADDS Attribute with the Country Code
Launch the Synchronization Rules Editor.
Under Rule Types, click Inbound, and create a new rule.
Set the precedence to 108.
In the Transformations tab, add a Transformation of type “Expression” with target UsageLocation:
Click Save.
Launch the Synchronization Rules Editor.
Under Rule Types, click Outbound, and create a new rule.
Set the precedence to 110.
In the Transformations tab, add a Transformation of type “Direct” with Target: C, Source: UsageLocation, Merge Type: Update.
Run the Sync Cycle and check that the attribute is populated.
Start-ADSyncSyncCycle -PolicyType Delta
Note: The Delta type will change only for new users. For existing users, you need to run the Full Sync Cycle.
Open the Windows Azure Active Directory Module for Windows PowerShell.
Run the command: Connect-MsolService
Check the user: Get-MsolUser -UserPrincipalName firstname.lastname@example.org | fl UserPrincipalName, UsageLocation
Assign Office 365 License based on Groups:
First, in this example, I created 3 security groups in my on-premises Active Directory to select different Office 365 products:
1 – Outlook_License
2 – Skype_License
3 – Sharepoint_License
After the groups are created, force a new Sync Cycle and check in the Azure Portal that the groups are populated.
In the Azure Portal (portal.azure.com), select Azure Active Directory, then select “Licenses”.
Under All Products, select Office 365 Enterprise E3.
Under Licensed Groups, select the group that you want to assign.
Under Assignment Option, select which products will be available for the group.
Now you just need to populate your groups and wait for Azure AD to assign the licenses.
Note: When a user is a part of two or more groups, the user will inherit the licenses combined and all products will be available for the user.
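A post-sync check for the steps above, added here as an example and not taken from the original post: it classifies each user by whether UsageLocation was populated and whether a group-inherited license arrived. The function name Test-LicenseReadiness, its status labels, and the sample users are hypothetical and constructed for illustration; the commented lines show how to feed it live data with the MSOnline cmdlets.

```powershell
# Added example (not from the original post): audit users after the sync rules
# and group license assignment are in place.
function Test-LicenseReadiness {
    [CmdletBinding()]
    param(
        # Any object with UserPrincipalName, UsageLocation, IsLicensed and
        # IndirectLicenseErrors, e.g. the output of Get-MsolUser.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $loc = [string]$User.UsageLocation
        $status = if ([string]::IsNullOrWhiteSpace($loc)) {
            'MissingUsageLocation'      # the inbound rule did not populate it
        } elseif ($loc -notmatch '^[a-z]{2}$') {
            'InvalidUsageLocation'      # expected a two-letter country code
        } elseif ($User.IndirectLicenseErrors) {
            'GroupLicenseError'         # group assignment failed for this user
        } elseif (-not $User.IsLicensed) {
            'NotYetLicensed'            # Azure AD has not processed the group yet
        } else {
            'OK'
        }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            UsageLocation     = $loc
            Status            = $status
        }
    }
}

# Constructed sample users so the function can be tried without a tenant.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; UsageLocation = 'US';     IsLicensed = $true;  IndirectLicenseErrors = @() }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   UsageLocation = $null;    IsLicensed = $false; IndirectLicenseErrors = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; UsageLocation = 'Brazil'; IsLicensed = $false; IndirectLicenseErrors = @() }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  UsageLocation = 'BR';     IsLicensed = $false; IndirectLicenseErrors = @() }
)
$sample | Test-LicenseReadiness | Format-Table -AutoSize

# Live use against one of the groups from this article:
# Connect-MsolService
# $group = Get-MsolGroup -SearchString 'Outlook_License'
# Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
#     ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
#     Test-LicenseReadiness | Where-Object Status -ne 'OK'

# On the AAD Connect server, confirm the scheduler that was stopped at the
# start of this article is enabled again:
# (Get-ADSyncScheduler).SyncCycleEnabled
```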
If you want to know the correct country code for your users, here is the information:
If you experience an error like “object reference is not set to an object”, put “anything” in the tag field on the first screen and it will work.
For more examples of how to assign group licenses using PowerShell: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-ps-examples
Hope that this article helps you.