PowerShell Connector 18.104.22.168
This page shows how the Azure Active Directory Powershell samples for the PowerShell connector can handle user license assignment.
The ability to manage user license assignment offers two key features:
- fine grain user provisioning on Azure AD
- audit Azure AD license assignment
The following actions can be performed:
- list license and services
- display a user with license information
- fetch licensed or not licensed users
- create a user with license assignment
- add/remove (PATCH) licenses to a user
- update user license options
If you're not familiar with Azure AD license and service terminology, it is advised to read the following:
List licenses and subscriptions
The purpose here is not to manage licenses and subscriptions but at least to be able to list them and get their details. The only queries needed are the "query-all-ids" and the exact query based on the objectId.
query-all-ids on license:
the __NAME__ attribute is mapped to the AccountSkuId.
According to https://technet.microsoft.com/en-us/library/dn771773.aspx :
AccountSkuId Show the available licensing plans for your organization by using the syntax
<CompanyName>:<LicensingPlan>. <CompanyName> is the value that you provided when you enrolled in Office 365, and is unique for your organization. The <LicensingPlan> value is the same for everyone. For example, in the value
litwareinc:ENTERPRISEPACK, the company name is
litwareinc, and the licensing plan name
ENTERPRISEPACK, which is the system name for Office 365 Enterprise E3.
ActiveUnits Number of licenses that you've purchases for a specific licensing plan.
WarningUnits Number of licenses in a licensing plan that you haven't renewed, and that will expire after the 30-day grace period.
ConsumedUnits Number of licenses that you've assigned to users from a specific licensing plan.
query-all-ids on subscription:
The list of services contained within the EMS (Enterprise Mobility Suite) subscription is the following:
- INTUNE_A = Intune for Office 365
- RMS_S_ENTERPRISE = Azure Active Directory Rights Management
- AAD_PREMIUM = Azure Active Directory Premium
- MFA_PREMIUM = Azure Multi-Factor Authentication
Display a user's license information
Do a GET on the user entry. All the available user attributes are returned. If the user has some license assigned, then the IsLicensed attribute is set to true (we'll see later how to fetch licensed/not licensed users) and Licenses and LicenseOptions attributes contain license details.
The Licenses attribute is a list containing the AccountSkuId assigned to the user.
The LicenseOptions attribute is a Map where keys are AccountSkuId and the value is a Map containing the service name as a key and the service status as a value.
The service status can have three different values:
- Success: the service is active for that user
- Disabled: the service has been disabled for that user
- PendingInput: some validations need to be done to assign the service to the user
Fetch licensed or not licensed users
A query is available to fetch the licensed and not licensed users. It is based on the IsLicensed attribute value.
Fetch all licensed users:
Fetch all unlicensed users:
Create a licensed user
The Licenses attributes must contain the list of licenses (AccountSkuId) that need to be assigned to the new user.
Patch user's licenses
To add or remove a license to a user after the user has been created, PATCH must be used with the add or remove operation.
Add a license to a user:
Remove a set of licenses:
Update user's license options
Once a license has been assigned to a user, there is a way to disable/enable services for a finer grain control. The PUT call must be used and the attribute LicenseOptions needs to be set. The value of that attribute must be a Map where the key is the license name and the value is a list of services to disable.
For instance, after creation, user has the following plan:
The following update operation will disable the MFA_PREMIUM (Multi Factor Auth) service:
The license options are now:
To re-enable a service after it has been disabled, a "reset" is first needed. This reset is achieved by passing an empty list of services to disable. Doing so will set all services back to Success.
The license options are now: