
Assign/Revoke Microsoft 365 licenses based on user group membership priority

The script assigns a Microsoft 365 (Office 365) license for a user based on which AD group the user is a member of. If a user is a member of multiple groups, the license will be assigned based only on the group that has the highest priority. If group memberships of a user are changed, the script adjusts assigned Microsoft 365 (Office 365) licenses accordingly.

To assign and revoke licenses with the help of the script, create a Business Rule triggered After Adding or removing a member from a Group and include the groups used for Microsoft 365 (Office 365) license assignment in its Activity Scope.

Parameters:

  • $locationProperty - specifies a property of the user account that will be used as the user location in Microsoft 365 (Office 365). Locations of existing Microsoft 365 (Office 365) accounts will not be modified;
  • $groupInfo - specifies the Distinguished Names (DNs) of the groups and the corresponding Microsoft 365 (Office 365) license plans. Group position in the list determines the group priority for license assignment. Groups located higher in the list have priority over groups located lower. The license plans must be represented by the corresponding SKU Part Numbers.
How to get the SKU Part Number of a license plan in Adaxes:
  1. In Adaxes Administration Console, expand the service node that represents your Adaxes service.
  2. Navigate to Configuration\Cloud Services and select Microsoft 365.
  3. Double-click the Microsoft 365 (Office 365) Tenant to which the license belongs.
  4. Click the necessary license plan. The SKU Part Number is displayed below the Display Name field.
PowerShell
$locationProperty = "c" # TODO: modify me
$groupInfo = @(
    @{"CN=My group 1,OU=Groups,DC=domain,DC=com" = "SHAREPOINTLITE"},
    @{"CN=My group 2,OU=Groups,DC=domain,DC=com" = "SHAREPOINTENTERPRISE"},
    @{"CN=My group 3,OU=Groups,DC=domain,DC=com" = "ENTERPRISEPACK"}
) # TODO: modify me. Example $groupInfo = @(@{"<Group1DN>" = "SkuPartNumber1"},@{"<Group2DN>" = "SkuPartNumber2"})

function DisableLicense ($groupInfo, $groupDN, $licenses)
{
    foreach ($info in $groupInfo)
    {
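        # Each entry holds one pair: group DN (key) and SKU Part Number (value)
        $items = $info.GetEnumerator()
        [void]$items.MoveNext() # Discard the Boolean so it does not leak into the function output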
        
        if ($items.Key -ne $groupDN)
        {
            continue
        }

        SetLicenseStatus $licenses $items.Value $False
        return
    }
}

function EnableLicense ($groupInfo, $groupDNs, $licenses)
{
    $enableLicense = $True
    foreach ($info in $groupInfo)
    {
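        # Each entry holds one pair: group DN (key) and SKU Part Number (value)
        $items = $info.GetEnumerator()
        [void]$items.MoveNext() # Discard the Boolean so it does not leak into the function output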
        
        if ($groupDNs -notcontains $items.Key)
        {
            continue
        }
        
        SetLicenseStatus $licenses $items.Value $enableLicense
        $enableLicense = $False
    }
}

function SetLicenseStatus ($licenses, $skuPartNumber, $enableLicense)
{
    foreach ($license in $licenses)
    {
        if ($license.Sku.SkuPartNumber -eq $skuPartNumber)
        {
            $license.Assigned = $enableLicense
            return
        }
    }
}

$member = $Context.BindToObjectEx("Adaxes://%member%", $True)
if ($member.Class -ine "user")
{
    return # The member is not a user
}

# Check whether a user is added or removed
$addToGroup = $Context.Action.IsOperationOfType($Context.TargetObject, "add group members")

# Get Microsoft 365 properties
$microsoft365Properties = $member.GetMicrosoft365Properties()

# Check location
if ([System.String]::IsNullOrEmpty($microsoft365Properties.Location))
{
    # Get location from the specified property
    try
    {
        $location = $member.Get($locationProperty)
    }
    catch
    {
        $Context.LogMessage("Location not specified. Microsoft 365 account will not be activated", "Error")
        return
    }
    
    # Set user location
    $microsoft365Properties.Location = $location
}

# Get current groups memberships of the new member
try
{
    $groupGuidsBytes = $member.GetEx("adm-MemberOfGuid")
}
catch
{
    $groupGuidsBytes = @()
}

$groupDNs = New-Object "System.Collections.ArrayList"
foreach ($guidBytes in $groupGuidsBytes)
{
    # Get group DN
    $guid = [Guid]$guidBytes
    $group = $Context.BindToObject("Adaxes://<GUID=$guid>")
    $groupDN = $group.Get("distinguishedName")

    [void]$groupDNs.Add($groupDN)
}

$licenses = $microsoft365Properties.Licenses
if (-not($addToGroup))
{
    # Disable the license for the removed group membership
    DisableLicense $groupInfo "%distinguishedName%" $licenses
}

# Enable the license for the added group membership, disable other licenses
EnableLicense $groupInfo $groupDNs $licenses

# Save changes
if ($microsoft365Properties.ContainsModifications)
{
    $member.SetMicrosoft365Properties($microsoft365Properties)
    $member.SetInfo()
}
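
A pre-flight check for the $groupInfo list, added here as an example and not part of the original script. It flags entries the script's loops cannot handle predictably (more than one pair per entry, a group listed twice, two groups mapped to the same SKU) and previews which plan the priority order selects. Test-GroupInfo and Resolve-LicensePlan are hypothetical helper names, and the sample list is constructed.

```powershell
function Test-GroupInfo ([object[]]$GroupInfo)
{
    $problems = New-Object "System.Collections.ArrayList"
    $seenDNs = @{}; $seenSkus = @{}   # PowerShell hashtable keys compare case-insensitively
    for ($i = 0; $i -lt $GroupInfo.Count; $i++)
    {
        $entry = $GroupInfo[$i]
        if ($entry -isnot [hashtable] -or $entry.Count -ne 1)
        {
            [void]$problems.Add("Entry ${i}: expected a hashtable with exactly one group DN")
            continue
        }
        $dn = [string]@($entry.Keys)[0]
        $sku = [string]@($entry.Values)[0]
        if ($seenDNs.ContainsKey($dn)) { [void]$problems.Add("Entry ${i}: group '$dn' is listed twice") }
        $seenDNs[$dn] = $i
        # In the script's EnableLicense loop, a lower-priority group mapped to the same SKU
        # sets Assigned to $False right after the higher-priority group set it to $True
        if ($seenSkus.ContainsKey($sku))
        {
            [void]$problems.Add("Entry ${i}: SKU '$sku' is already mapped by entry $($seenSkus[$sku])")
        }
        else { $seenSkus[$sku] = $i }
    }
    return ,$problems.ToArray()
}

function Resolve-LicensePlan ([object[]]$GroupInfo, [string[]]$MemberOf)
{
    # Same walk as EnableLicense: the first matching group wins, later matches are revoked
    $assign = $null
    $revoke = New-Object "System.Collections.ArrayList"
    foreach ($entry in $GroupInfo)
    {
        $dn = [string]@($entry.Keys)[0]
        if ($MemberOf -notcontains $dn) { continue }
        $sku = [string]@($entry.Values)[0]
        if ($null -eq $assign) { $assign = $sku } else { [void]$revoke.Add($sku) }
    }
    return New-Object PSObject -Property @{ Assign = $assign; Revoke = $revoke.ToArray() }
}

# Constructed sample data: the third entry reuses the SKU of the first one
$sample = @(
    @{"CN=My group 1,OU=Groups,DC=domain,DC=com" = "SHAREPOINTLITE"},
    @{"CN=My group 2,OU=Groups,DC=domain,DC=com" = "ENTERPRISEPACK"},
    @{"CN=My group 3,OU=Groups,DC=domain,DC=com" = "SHAREPOINTLITE"}
)
foreach ($problem in (Test-GroupInfo $sample)) { Write-Warning $problem }
Resolve-LicensePlan ($sample[0..1]) @("CN=My group 2,OU=Groups,DC=domain,DC=com", "cn=my group 1,ou=groups,dc=domain,dc=com")
```

The last call passes only the first two (valid) entries and a user who belongs to both groups: the preview selects the plan of "My group 1" and lists the plan of "My group 2" for revocation, regardless of the order in which the memberships are supplied.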

Comments 2
NicolasL Dec 29, 2022
I've got some issue with this script: nothing seems to work, I've got an error with getoffice365properties
Support Dec 29, 2022
Hello Nicolas,

Thank you for pointing out the issue. The script was not updated for Adaxes 2023 (methods GetOffice365Properties and SetOffice365Properties no longer exist). We made the corresponding changes. Please, clear browser cache and copy the script from the article again.