
PowerShell Connector 1.4.3.0

OpenIDM 5.0

Azure AD samples

Introduction

This page shows how the Azure Active Directory PowerShell samples for the PowerShell connector handle user license assignment.

The ability to manage user license assignment offers two key features:

  1. fine-grained user provisioning on Azure AD
  2. auditing of Azure AD license assignment

The following actions can be performed:

  • list license and services
  • display a user with license information
  • fetch licensed or not licensed users
  • create a user with license assignment
  • add/remove (PATCH) licenses to a user
  • update user license options

If you are not familiar with Azure AD license and service terminology, read the following first:

View licenses and services with Office 365 PowerShell

Disable access to services with Office 365 PowerShell

Get-MsolAccountSku

Get-MsolSubscription

Set-MsolUserLicense


List licenses and subscriptions

The purpose here is not to manage licenses and subscriptions but at least to be able to list them and get their details. The only queries needed are the "query-all-ids" and the exact query based on the objectId.

License

query-all-ids on license:

The __NAME__ attribute is mapped to the AccountSkuId.

GET http://localhost:8080/openidm/system/aad/license?_queryId=query-all-ids
{
    "result": [
        {
            "_id": "078d2b04-f1bd-4111-bbd4-b4b1b354cef4",
            "AccountSkuId": "example:AAD_PREMIUM"
        },
        {
            "_id": "efccb6f7-5641-4e0e-bd10-b4976e1bf68e",
            "AccountSkuId": "example:EMS"
        }
    ],
    "resultCount": 2,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": -1
}

License details:

"example:EMS" license:

{
    "_id": "efccb6f7-5641-4e0e-bd10-b4976e1bf68e",
    "AccountName": "example",
    "SkuPartNumber": "EMS",
    "TargetClass": "User",
    "ServiceStatus": {
        "RMS_S_ENTERPRISE": "Success",
        "AAD_PREMIUM": "Success",
        "RMS_S_PREMIUM": "Success",
        "INTUNE_A": "Success",
        "MFA_PREMIUM": "Success"
    },
    "AccountSkuId": "example:EMS",
    "ActiveUnits": 25,
    "WarningUnits": 0,
    "SuspendedUnits": 0,
    "ConsumedUnits": 4
}


According to https://technet.microsoft.com/en-us/library/dn771773.aspx:


  • AccountSkuId: Shows the available licensing plans for your organization by using the syntax <CompanyName>:<LicensingPlan>. <CompanyName> is the value that you provided when you enrolled in Office 365, and is unique for your organization. The <LicensingPlan> value is the same for everyone. For example, in the value litwareinc:ENTERPRISEPACK, the company name is litwareinc, and the licensing plan name is ENTERPRISEPACK, which is the system name for Office 365 Enterprise E3.

  • ActiveUnits: Number of licenses that you've purchased for a specific licensing plan.

  • WarningUnits: Number of licenses in a licensing plan that you haven't renewed, and that will expire after the 30-day grace period.

  • ConsumedUnits: Number of licenses that you've assigned to users from a specific licensing plan.

Subscription

query-all-ids on subscription:

{
    "result": [
        {
            "_id": "aa638d41-67fe-465a-a6a0-fda83a2987b5",
            "SkuPartNumber": "AAD_PREMIUM"
        },
        {
            "_id": "547162b1-24d6-46ba-988f-d97dc3a274fa",
            "SkuPartNumber": "EMS"
        }
    ],
    "resultCount": 2,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": -1
}


Subscription details:

{
    "_id": "547162b1-24d6-46ba-988f-d97dc3a274fa",
    "SkuId": "efccb6f7-5641-4e0e-bd10-b4976e1bf68e",
    "SkuPartNumber": "EMS",
    "DateCreated": "4/28/2014 9:51:33 PM",
    "OcpSubscriptionId": "fcf58d11-58b6-43da-b8a8-865dc5e19361",
    "Status": "Enabled",
    "ServiceStatus": {
        "RMS_S_ENTERPRISE": "Success",
        "AAD_PREMIUM": "Success",
        "RMS_S_PREMIUM": "Success",
        "INTUNE_A": "Success",
        "MFA_PREMIUM": "Success"
    },
    "NextLifecycleDate": "4/28/2014 9:51:33 PM",
    "TotalLicenses": 25
}

The list of services contained within the EMS (Enterprise Mobility Suite) subscription is the following:

  • INTUNE_A = Intune for Office 365
  • RMS_S_ENTERPRISE = Azure Active Directory Rights Management
  • AAD_PREMIUM = Azure Active Directory Premium
  • MFA_PREMIUM = Azure Multi-Factor Authentication


Display a user's license information

Do a GET on the user entry. All the available user attributes are returned. If the user has at least one license assigned, the IsLicensed attribute is set to true (fetching licensed and unlicensed users is covered below) and the Licenses and LicenseOptions attributes contain the license details.

The Licenses attribute is a list containing the AccountSkuId assigned to the user.

The LicenseOptions attribute is a Map where keys are AccountSkuId and the value is a Map containing the service name as a key and the service status as a value.

The service status can have three different values:

  1. Success: the service is active for that user
  2. Disabled: the service has been disabled for that user
  3. PendingInput: some validations need to be done to assign the service to the user


{
    "_id": "d8b4d65d-7784-404d-8aec-b65a7c177e2e",
    "PreferredLanguage": "en-US",
    "LastName": "Doe",
    "IsLicensed": true,
    "Licenses": [
        "example:EMS",
        "example:AAD_PREMIUM"
    ],
    "LicenseOptions": {
        "example:EMS": {
            "RMS_S_ENTERPRISE": "Success",
            "AAD_PREMIUM": "Disabled",
            "RMS_S_PREMIUM": "Success",
            "INTUNE_A": "Success",
            "MFA_PREMIUM": "Disabled"
        },
        "example:AAD_PREMIUM": {
            "AAD_PREMIUM": "Success",
            "MFA_PREMIUM": "Success"
        }
    },
    "MobilePhone": "+33 666142689",
    "LiveId": "100300009509C423",
    "PasswordNeverExpires": false,
    "UsageLocation": "US",
    "AlternateEmailAddresses": [
        "jo.doe@outlook.com"
    ],
    "DisplayName": "John Doe",
    "UserPrincipalName": "john.doe@example.onmicrosoft.com",
    "FirstName": "John",
    "LastPasswordChangeTimestamp": "2/22/2016 10:10:37 PM"
}
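The following Python script is an added example; it is not part of the connector samples or of this page's original content. It takes the "example:EMS" license record from the License section and the John Doe user entry shown just above (both copied from the page's sample output and stored inline so the script runs offline), groups the user's services per license by the three statuses listed above, computes the seat headroom of a plan from ActiveUnits and ConsumedUnits, and checks that IsLicensed, Licenses and LicenseOptions agree with each other, which is the kind of consistency check a license audit would run over every user. The openidm_get helper assumes OpenIDM's standard X-OpenIDM-Username / X-OpenIDM-Password headers and is only needed against a live instance.

```python
import json
import urllib.request

# Sample records copied from this page's example output: the "example:EMS"
# license entry and the John Doe user entry (trimmed to the license fields).
SAMPLE_LICENSE = {
    "AccountSkuId": "example:EMS",
    "ActiveUnits": 25, "WarningUnits": 0, "SuspendedUnits": 0, "ConsumedUnits": 4,
    "ServiceStatus": {"RMS_S_ENTERPRISE": "Success", "AAD_PREMIUM": "Success",
                      "RMS_S_PREMIUM": "Success", "INTUNE_A": "Success", "MFA_PREMIUM": "Success"},
}
SAMPLE_USER = {
    "_id": "d8b4d65d-7784-404d-8aec-b65a7c177e2e",
    "UserPrincipalName": "john.doe@example.onmicrosoft.com",
    "IsLicensed": True,
    "Licenses": ["example:EMS", "example:AAD_PREMIUM"],
    "LicenseOptions": {
        "example:EMS": {"RMS_S_ENTERPRISE": "Success", "AAD_PREMIUM": "Disabled",
                        "RMS_S_PREMIUM": "Success", "INTUNE_A": "Success", "MFA_PREMIUM": "Disabled"},
        "example:AAD_PREMIUM": {"AAD_PREMIUM": "Success", "MFA_PREMIUM": "Success"},
    },
}

# The three service status values documented on this page.
STATUSES = ("Success", "Disabled", "PendingInput")


def summarize_user_services(user):
    """Group each assigned license's services by status; services are sorted by name."""
    summary = {}
    for sku in user.get("Licenses", []):
        options = user.get("LicenseOptions", {}).get(sku, {})
        buckets = {status: [] for status in STATUSES}
        for service, status in sorted(options.items()):
            # An unexpected status value is kept under its own key rather than dropped.
            buckets.setdefault(status, []).append(service)
        summary[sku] = buckets
    return summary


def license_headroom(license_entry):
    """Seats left in a plan, plus whether any seats sit in the 30-day expiry window."""
    active = license_entry["ActiveUnits"]
    consumed = license_entry["ConsumedUnits"]
    return {
        "AccountSkuId": license_entry["AccountSkuId"],
        "remaining": active - consumed,
        "over_allocated": consumed > active,
        "expiring": license_entry.get("WarningUnits", 0) > 0,
    }


def inconsistent_entries(user):
    """IsLicensed, Licenses and LicenseOptions should agree; return the discrepancies found."""
    problems = []
    licenses = set(user.get("Licenses", []))
    options = set(user.get("LicenseOptions", {}))
    if user.get("IsLicensed") != bool(licenses):
        problems.append("IsLicensed does not match the Licenses list")
    for sku in sorted(licenses ^ options):
        problems.append(f"{sku} present in only one of Licenses / LicenseOptions")
    return problems


def openidm_get(base_url, path, username, password):
    """GET a resource through OpenIDM's REST API (assumes the standard X-OpenIDM-* auth headers)."""
    req = urllib.request.Request(f"{base_url}{path}", headers={
        "X-OpenIDM-Username": username, "X-OpenIDM-Password": password})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(summarize_user_services(SAMPLE_USER), indent=2))
    print(license_headroom(SAMPLE_LICENSE))
    print(inconsistent_entries(SAMPLE_USER) or "user entry is consistent")
```

Against a live instance, replace the sample constants with the result of openidm_get(base, "/openidm/system/aad/user/<id>", ...) and openidm_get(base, "/openidm/system/aad/license/<id>", ...); the remaining count then reflects the real ConsumedUnits of the tenant.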

Fetch licensed or not licensed users

A query is available to fetch the licensed and not licensed users. It is based on the IsLicensed attribute value.

Fetch all licensed users:

GET /openidm/system/aad/user?_queryFilter=IsLicensed+eq+"true"

Fetch all unlicensed users:

GET /openidm/system/aad/user?_queryFilter=IsLicensed+eq+"false"

Create a licensed user

The Licenses attribute must contain the list of licenses (AccountSkuId) to assign to the new user.

POST http://localhost:8080/openidm/system/aad/user?_action=create

{
	"UserPrincipalName": "bob.fleming@example.onmicrosoft.com",
	"DisplayName": "Bob Fleming",
	"FirstName": "Bob",
	"LastName": "Fleming",
	"__PASSWORD__": "Passw0rd",
	"UsageLocation": "US",
	"AlternateEmailAddresses": ["bob@fast.com","fleming@fast.com"],
	"Licenses": ["example:AAD_PREMIUM", "example:EMS"]
}


Patch user's licenses

To add a license to, or remove a license from, a user after the user has been created, PATCH must be used with the add or remove operation.

Add a license to a user:

PATCH http://localhost:8080/openidm/system/aad/user/3e54cd92-fabd-4891-a5f2-83868bb93611

[
    {
        "operation": "add",
        "field": "Licenses",
        "value": "example:EMS"
    }
]

Remove a set of licenses:

PATCH http://localhost:8080/openidm/system/aad/user/3e54cd92-fabd-4891-a5f2-83868bb93611

[
    {
        "operation": "remove",
        "field": "Licenses",
        "value": ["example:EMS", "example:AAD_PREMIUM"]
    }
]

Update user's license options

Once a license has been assigned to a user, individual services can be disabled or enabled for finer-grained control. The PUT call must be used and the LicenseOptions attribute must be set. The value of that attribute must be a Map where the key is the license name (AccountSkuId) and the value is the list of services to disable.

For instance, after creation, the user has the following plan:

    "LicenseOptions": {
        "example:AAD_PREMIUM": {
            "AAD_PREMIUM": "Success",
            "MFA_PREMIUM": "Success"
        }
    }


The following update operation will disable the MFA_PREMIUM (Multi Factor Auth) service:

PUT http://localhost:8080/openidm/system/aad/user/3e54cd92-fabd-4891-a5f2-83868bb93611

{
  "LicenseOptions": {"example:AAD_PREMIUM": ["MFA_PREMIUM"]}
}

The license options are now:

    "LicenseOptions": {
        "example:AAD_PREMIUM": {
            "AAD_PREMIUM": "Success",
            "MFA_PREMIUM": "Disabled"
        }
    }


To re-enable a service after it has been disabled, a "reset" is first needed. This reset is achieved by passing an empty list of services to disable. Doing so will set all services back to Success.

PUT http://localhost:8080/openidm/system/aad/user/3e54cd92-fabd-4891-a5f2-83868bb93611

{
  "LicenseOptions": {"example:AAD_PREMIUM": []}
}

The license options are now:

    "LicenseOptions": {
        "example:AAD_PREMIUM": {
            "AAD_PREMIUM": "Success",
            "MFA_PREMIUM": "Success"
        }
    }
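The script below is an added example (Python, not connector code and not part of this page's original content) that carries the two PUT calls above through programmatically. Because the LicenseOptions value is the complete list of services to disable, disabling a second service while keeping the first one disabled means sending both names, and re-enabling one service means sending the list without that name, the empty list being the reset described above. build_license_options_body derives that list from the user's current LicenseOptions and rejects services that are not part of the plan; apply_license_options is this example's model of the behaviour described on this page (listed services become Disabled, every other service in the plan returns to Success), stated as an assumption and not taken from the connector; put_user assumes OpenIDM's standard X-OpenIDM-Username / X-OpenIDM-Password headers. The starting plan is the one shown above for the user after creation.

```python
import json
import urllib.request

# Starting point copied from this page: the plan the user holds right after creation.
INITIAL_OPTIONS = {"example:AAD_PREMIUM": {"AAD_PREMIUM": "Success", "MFA_PREMIUM": "Success"}}


def disabled_services(license_options, sku):
    """Services currently reported as Disabled for one AccountSkuId, sorted by name."""
    return sorted(s for s, status in license_options.get(sku, {}).items() if status == "Disabled")


def build_license_options_body(license_options, sku, disable=(), enable=()):
    """Body for the PUT shown above.

    The list sent is the full set of services to disable, so services that are already
    Disabled are carried over; otherwise they would come back as Success.
    """
    plan = license_options.get(sku)
    if plan is None:
        raise KeyError(f"user does not hold license {sku}")
    unknown = (set(disable) | set(enable)) - set(plan)
    if unknown:
        raise ValueError(f"not part of {sku}: {sorted(unknown)}")
    wanted = (set(disabled_services(license_options, sku)) | set(disable)) - set(enable)
    return {"LicenseOptions": {sku: sorted(wanted)}}


def apply_license_options(license_options, body):
    """Model (assumption, not connector code) of the behaviour this page describes:
    listed services become Disabled, all other services of that plan go back to Success.
    PendingInput is not modelled; it depends on validations on the Azure AD side."""
    result = {sku: dict(plan) for sku, plan in license_options.items()}
    for sku, to_disable in body["LicenseOptions"].items():
        for service in result[sku]:
            result[sku][service] = "Disabled" if service in to_disable else "Success"
    return result


def put_user(base_url, user_id, body, username, password):
    """Send the PUT through OpenIDM's REST API (assumes the standard X-OpenIDM-* auth headers)."""
    req = urllib.request.Request(
        f"{base_url}/openidm/system/aad/user/{user_id}",
        data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json",
                 "X-OpenIDM-Username": username, "X-OpenIDM-Password": password})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    sku = "example:AAD_PREMIUM"
    # Step 1: disable MFA_PREMIUM, exactly the first PUT above.
    step1 = build_license_options_body(INITIAL_OPTIONS, sku, disable=["MFA_PREMIUM"])
    after1 = apply_license_options(INITIAL_OPTIONS, step1)
    # Step 2: also disable AAD_PREMIUM; MFA_PREMIUM stays in the list so it stays disabled.
    step2 = build_license_options_body(after1, sku, disable=["AAD_PREMIUM"])
    # Step 3: re-enable MFA_PREMIUM from the state after step 1; this is the "reset" PUT above.
    step3 = build_license_options_body(after1, sku, enable=["MFA_PREMIUM"])
    for body in (step1, step2, step3):
        print(json.dumps(body))
```

Before sending a body to put_user, read the user entry first and pass its current LicenseOptions to build_license_options_body; computing the list from a stale copy is what silently re-enables a service that someone else disabled in the meantime.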