Assigning Office 365 Licenses Automatically

Hello World, Daniel Lucas and Eroilton Borges is here, with a special thanks to Rodrigo Fonseca to helping about Hybrid Identity and review and contribute for this one, to talk about how to automatically assign Office 365 licenses in Azure AD, without need to run Powershell commands.

Nowadays, when a new user needs to have Office 365 License, it is necessary run a Powershell command to set a location (Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator should specify the Usage location property on the user.) and assign a license.

But now, it is possible to assign license in Azure AD based on groups, and it´s extremally helpful, because you don´t need to run script for every new user in your organization.

First we need to stop the sync process before change the rules:

Set-ADSyncScheduler -SyncCycleEnabled $false

To complete this task, it´s necessary complete two steps:

1 – Add a AAD Connect Synchronization rule, to populate the attribute UsageLocation in Azure AD.

2 – Select Office 365 Products to assign license based on groups.

AAD Connect Sync Rules:

We´ll create two rules in AAD Connect:

Note: The precedence number cannot conflict with any number in your rules. In our environment we set the numbers below, but you need to ensure that you don´t have any rules with the same precedence number.

1 – If the attribute “UsageLocation” is Null or Empty, we´ll populate with an unique country code (In my example “US”).

2 – Populate the ADDS Attribute with the Country Code

1st rule:

  1. Launch the Synchronization Rules Editor.
  2. Under Rule Types, click Inbound, and create a new rule.
  3. Set the precedence to 108.

  4. In the Transformation tab, Add Transformation “Expression” target Usage Location:

  5. Click in Save.

2nd rule:

  1. Launch the Synchronization Rules Editor.
  2. Under Rule Types, click Outbound, and create a new rule.
  3. Set the precedence to 110.
  4. In the Transformations tab, Add Transformation “Direct” target: C – Source: UsageLocation, Merge Type: Update.

  5. Run the Sync Cycle and check if the Attribute is Populated.

    Start-ADSyncSyncCycle -PolicyType Delta

  6. Open the Windows Azure Active Directory Module for Windows Powershell

    Note: The Delta type will change only for new users. For existing users, you need to run the Full Sync Cycle.

  7. Run the command: Connect-MsolService
  8. Check the user: Get-MsolUser -UserPrincipalName | fl UserPrincipalName, UsageLocation

Assign Office 365 License based on Groups:

First, in this example, I created in my on-premises Active Directory, 3 security groups to select different Office 365 products:

1 – Outlook_License

2 – Skype_License

3 – Sharepoint_License

After created, force a new Sync Cycle, and check in the Azure Portal if the Groups are populated.

In the Azure Portal , select the Azure Active Directory, then select “Licenses“.

Under All Products, select Office 365 Enterprise E3.

Under Licensed Groups, select the Group that you want to assign

Under Assignment Option, select which Products will be available for the Group.

Now, you just need to populate your groups, and wait the Azure AD to assign the Licenses.

Note: When a user is a part of two or more groups, the user will inherit the licenses combined and all products will be available for the user.

If you want to know, how is the correct country code for my user, here is the information:

If you experience an error like “object reference is not set to an object”.  Put “anything” in the tag field in the first screen and it will work.

For more examples in how to assign group licenses using Powershell:

Hope that this article helps you.

Daniel Lucas.