0 votes

Hi,

I am looking for a solution to create dynamic groups, based on users assigned O365 licenses. For example everyone having Co-Pilot assigned, shout be part of a group.

At the moment I did it this way via scheduled task... but this takes a while ... image.png

I also checked Business units... but no filter available.

We have about 12k objects with remote user or shared mailbox to be checked.

by (1.5k points)

1 Answer

0 votes
by (287k points)
selected by
Best answer

Hello,

Using a scheduled task is the best option as it takes into account license assignments performed outside of Adaxes. Unfortunately, there is no possibility to use rule-based groups or business units.

0

Hi,

scheduled task is running since 4 hours... with PowerShell it was done in <10 seconds... that can't be a solution.

$user = Get-MsolUser -All | Where-Object {($_.licenses).AccountSkuId -match "Microsoft_365_Copilot"}

I tried now to do the same with Adaxes, but connection to MSOL is not working properly. Any updates there?

I tried this https://www.adaxes.com/sdk/ServerSideScripting/#running-the-script-as-a-specific-user

# Get saved credentials.
$username = $Context.RunAs.UserName
$password = $Context.RunAs.Password | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PsCredential($username, $password)

# Use credentials.
Connect-MsolService -Credential $credential

Getting image.png

0

Hello,

The behavior is expected as the MSOnline module (Connect-MsolService comes from it) is deprecated since long ago. Also, there is no need to use any scripts at all. There are dedicated actions and conditions exactly as in your screenshot. The timing depends on the number of users you need the scheduled task to process. The recommended approach is to have two separate action sets instead of Else if blocks with each set starting with the group membership condition.

0

So, changing the action to this? image.png

Or split them into two tasks? First running remove, then running add?

The timing depends on the number of users you need the scheduled task to process.

As mentioned earlier ... around 12.000 objects No clue how to trim this - I did already a business unit and included only user with remote user and shared mailboxes. Would be cool if we could set filter "is licensed in O365" or similar.

0

Hello,

So, changing the action to this?

Yes, that is correct. But it is also a good idea to have the conditions checking group membership first. Just select the condition and click the up-arrow on the right at the bottom of the configuration window.

Also, it is a good idea to make sure that only direct membership is checked: image.png

Or split them into two tasks? First running remove, then running add?

This will not have any influence. You will just have more configuration objects to manage.

I did already a business unit and included only user with remote user and shared mailboxes.

If the business unit includes all the objects you need, you can add the unit to the Activity Scope of the task.

0

Hi,

ok, tried everything, but still having 12k objects and task is running a while ...

any solution or workaround how to use MSOL Connection with Adaxes currently?

0

Hello,

As it was mentioned above, the module was deprecated. If you still want to use a script, you need to do it via MgGraph, not MSOnline.

0

Ok, I installed MSGraph module and getting results

One more question, how would it be possible to run this in local PS ISE?

I want to see fata in $user and how to extract them like I need

Import-Module Microsoft.Graph.Users

$token = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com")
$token = $token | ConvertTo-SecureString -AsPlainText -Force
Connect-MgGraph -AccessToken $token

$user = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq 639dec6b-bb19-468b-871c-c5c441c4b0cb)"
$userCount = $user.count

$Context.LogMessage("$($userCount)", "Information")
0

Hello,

Unfortunately, there is no such possibility. The $Context variable only works in Adaxes scripts. You will need to use native Microsoft methods and cmdlets in Windows PowerShell ISE.

0

Ok, Adaxes script is working well and it takes <1 minute now to update the group : )

If anyone is looking for a similar script:

Import-Module Microsoft.Graph.Users

[System.Collections.ArrayList]$userAD = @()
[string]$licenseID = "639dec6b-bb19-468b-871c-c5c441c4b0cb" # Microsoft_365_Copilot    https://learn.microsoft.com/en-us/entra/identity/users/licensing-service-plan-reference
[string]$group = "User With Active M365 Co-Pilot License"

$token = $Context.CloudServices.GetAzureAuthAccessToken("https://graph.microsoft.com")
$token = $token | ConvertTo-SecureString -AsPlainText -Force

Connect-MgGraph -AccessToken $token

$user = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($licenseID))"
$userCount = $user.count
$Context.LogMessage("User count: $($userCount)", "Information")

$groupUser = Get-AdmGroupMember $group -AdaxesService localhost
$groupCount = $groupUser.Count
$Context.LogMessage("Group member count: $($groupCount)", "Information")

$user | %% {
    $userAD.add($(Get-ADMUser -Filter 'UserPrincipalName -like $_.UserPrincipalName' -AdaxesService localhost)) | Out-Null
}

$itemsToAdd = Compare-Object -ReferenceObject $groupUser -DifferenceObject $userAD -PassThru | Where-Object { $_.SideIndicator -eq '=>' }
$itemsToRemove = Compare-Object -ReferenceObject $groupUser -DifferenceObject $userAD -PassThru | Where-Object { $_.SideIndicator -eq '<=' }

$itemsToRemove | %% {
    Remove-AdmGroupMember -Identity $group -Members $_ -Confirm:$false -AdaxesService localhost
    $Context.LogMessage("REMOVE $($_)", "Information")
}

$itemsToAdd | %% {
    Add-AdmGroupMember -Identity $group -Members $_ -Confirm:$false -AdaxesService localhost
    $Context.LogMessage("ADD $($_)", "Information")
}

Related questions

0 votes
1 answer

Hello We have the need to create a home page action for creating groups, security and distribution. We would like to see if this script https://www.adaxes.com/script-repositor . ... 3 (whatever is typed) Thank you for taking the time to look at this. Jay

asked Mar 12, 2018 by willy-wally (3.2k points)
0 votes
1 answer

How do I go about getting an export of users that are assigned to a particular dynamic group? The existing export rules don't seem to do the trick. It only pulls info ... the dynamic group, i would like to also report on those that have been licensed for O365

asked Mar 20, 2017 by cubedit (60 points)
0 votes
1 answer

Is it possible with Adaxes to update a distribution groups membership based on the users in an OU? I know this is exactly what a dynamic distribution group is for, but for certain reasons I need this to be a normal distribution group not dynamic.

asked Mar 16, 2015 by yobhod (150 points)
0 votes
1 answer

Is there any documentation to create &amp; manage DDG's in Adaxes?

asked Jan 17, 2013 by mdeflice (350 points)
0 votes
1 answer

Is there a way to add Microsoft Defender for Office 365 Plan 2 licenses from Adaxes? Currently it is not showing in the list of available licenses to modify. The endpoint ... the E3 license is showing up no problem, just not the standalone one for O365.

asked Aug 20 by Alex23 (50 points)
3,526 questions
3,217 answers
8,197 comments
547,625 users