Can you provision an enterprise Office 365 tenant without a provisioning system?
Normally, provisioning Office 365 users is a pretty easy task. You just add users via a web interface, via PowerShell, or however you like. Azure AD Connect is a popular way to get user accounts into the system. From there, all you need to do is assign licenses. You can do this via web or PowerShell, of course, so in small batches this is pretty easy. But I have a customer that is anything but “small”.
The problem I was given was how to provision additional licenses, for add-ons such as Visio or Power BI, without having a single enterprise provisioning system. So, multiple entities sharing an Office 365 tenant, with each entity having their own provisioning system, or nothing more than AD Users and Computers. Oh, and some of the entities may not even have the Exchange schema extensions, so you can’t use those attributes.
What I really wanted was something that could scale, a multi-valued property. Something that I could use and nobody would miss. So, going down the list of attributes that are available, I came across “other home phone number”. Do you know anyone with three home phones? Me, neither. Just having one home phone number is becoming unusual. This is a multi-valued text property that should be unused!
Here’s what it looks like when you add entries for Visio and Power BI:
So, once you have some entries, what happens next? Azure AD Connect will sync these entries up to Office 365. And we have a PowerShell script to do the magic once that sync happens.
I’m not going to give you the whole script here, but I will give you the key components to plug into your own script. I’ll use Visio as the example.
In the Exchange Online shell, you have access to Get-User. We use that to find all the people who need licenses for Visio.
$VisioClientUsers = Get-User -Filter {(OtherHomePhone -like '*VISIOCLIENT*') -and (SKUAssigned -eq $true)} -ResultSize 'Unlimited' | Select UserPrincipalName
echo "VisioClientUsers"
$VisioClientUsers
echo "-------"
So, now let’s see how we check for and add the licenses. I’m using the setting where the tenant name is “Contoso”.
#Add Visio Licenses
echo "Processing VisioClientUsers"
Foreach ($VisioClientUser in $VisioClientUsers) {
    # Collect the SKU IDs this user already holds
    $userlicenses = (Get-MsolUser -UserPrincipalName $VisioClientUser.UserPrincipalName).Licenses
    $AccountSkuIds = @()
    Foreach ($userlicense in $userlicenses) {$AccountSkuIds += $userlicense.AccountSkuId}
    #$AccountSkuIds
    # Only assign the Visio SKU if the user does not already have it
    If ($AccountSkuIds -notcontains 'contoso:VISIOCLIENT_GOV') {
        Echo ($VisioClientUser.UserPrincipalName+" Needs Visio License")
        Set-MsolUserLicense -UserPrincipalName `
            $VisioClientUser.UserPrincipalName `
            -AddLicenses 'contoso:VISIOCLIENT_GOV' -Verbose
    }
}
echo "-------"
That’s all there is to it. Just have this run periodically.
If you wanted a way to remove the licenses when no longer needed, you would run through all the users who have that license assigned, and remove that license if they don’t have “VisioClient” in the OtherHomePhone field. But that will be a future post if people are interested in doing this.
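The add pass shown earlier and the removal pass described in the last paragraph can be computed together as one reconciliation plan before anything is changed. This is an added example, not the author's script: `Get-LicensePlan`, the `POWERBI` tag, the placeholder SKU names, the `MaxRemovals` guard and the sample users are assumptions, and it goes beyond the post by handling more than one tag.

```powershell
# Added example. Get-LicensePlan, the POWERBI tag, the placeholder SKUs and the
# sample users are assumptions made for illustration; nothing here calls the tenant.
$TagToSku = @{
    'VISIOCLIENT' = 'contoso:VISIOCLIENT_GOV'          # tag and SKU from the post
    'POWERBI'     = 'contoso:POWERBI_SKU_PLACEHOLDER'  # hypothetical tag, placeholder SKU
}

function Get-LicensePlan {
    param([object[]]$Users, [hashtable]$TagToSku, [int]$MaxRemovals = 1)
    $plan = foreach ($u in $Users) {
        foreach ($tag in $TagToSku.Keys) {
            $sku    = $TagToSku[$tag]
            # Same wildcard match as the post's Get-User filter, applied to each value.
            $tagged = @(@($u.OtherHomePhone) -like "*$tag*").Count -gt 0
            $hasSku = @($u.Licenses) -contains $sku
            if     ($tagged -and -not $hasSku) { $action = 'Add' }
            elseif ($hasSku -and -not $tagged) { $action = 'Remove' }
            else   { continue }   # already in the desired state
            [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Action = $action; Sku = $sku }
        }
    }
    # A failed sync that blanks the attribute would look like "remove from everyone".
    $removals = @($plan | Where-Object { $_.Action -eq 'Remove' }).Count
    if ($removals -gt $MaxRemovals) {
        throw "Plan removes $removals licenses (limit $MaxRemovals); check the sync before applying."
    }
    $plan
}

# Constructed sample users standing in for Get-User / Get-MsolUser output.
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; OtherHomePhone = @('VISIOCLIENT')
                       Licenses = @('contoso:BASE_SKU_PLACEHOLDER') }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   OtherHomePhone = @()
                       Licenses = @('contoso:BASE_SKU_PLACEHOLDER', 'contoso:VISIOCLIENT_GOV') }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; OtherHomePhone = @('VISIOCLIENT', 'POWERBI')
                       Licenses = @('contoso:VISIOCLIENT_GOV') }
)

foreach ($step in Get-LicensePlan -Users $users -TagToSku $TagToSku) {
    # Live run: call Set-MsolUserLicense -UserPrincipalName $step.UserPrincipalName
    # with -AddLicenses or -RemoveLicenses $step.Sku, depending on $step.Action.
    '{0,-6} {1,-24} {2}' -f $step.Action, $step.UserPrincipalName, $step.Sku
}
```

Because the plan is driven entirely by a directory attribute, whoever can write OtherHomePhone on a user object can grant that user a license, so logging or reviewing the plan before applying it is worth the extra step.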