다음을 통해 공유


Azure AD, Licensing users in a Security Group

Today I was trying to figure it out how to license a set of users in a Security Group and I came up with a PowerShell function to do it so, the function is based on this article from 365Lab

First you need to install the latest "Windows Azure Active Directory Module for Windows PowerShell".  The commands can be installed from here.

  1. Download the ps1 attached to this article
  2. Run the "Windows Azure Active Directory Module for Windows PowerShell", this should open a PowerShell window
  3. Import-Module <FullPathToAttachedFile>
    1. Example: Import-Module C:\temp\SetLicenseToUsersInSecurityGroup.ps1
  4. Set-LicenseToUsersInSecurityGroup -UserName <TenantAdminUserName> -Password <TenantadminPassword> -GroupName <NameOfTheGroup> -AccountSkuId <accountSkuToAddLicensesTo>
    1. You may get the AccountSkuId by running the following command: Get-MsolAccountSku
  5. After running this command you should get a confirmation of the users that were licensed.

 

Important Notes:

  • Users that were already licensed will not be changed, this is, this script will not remove licenses to users that were removed from the Security Group
  • Further changes on the Security Group will not reflect any changes in licenses
  • You will need PowerShell 3.0

 

References:

 

 Function Set-LicenseToUsersInSecurityGroup
 {
 param (
 [parameter(Mandatory = $true)][string] $UserName,
 [parameter(Mandatory = $true)][string] $Password,
 [parameter(Mandatory = $true)][string] $GroupName,
 [parameter(Mandatory = $true)][string] $AccountSkuId)
 
 Import-Module MSOnline
 
 $securePassword = ConvertTo-SecureString $Password -AsPlainText -Force
 $userCredentials = New-Object System.Management.Automation.PSCredential($UserName, $securePassword)
 Connect-MsolService -Credential $userCredentials
 
 $groupId = (Get-MsolGroup | Where-Object {$_.DisplayName -eq $GroupName}).ObjectId
 $accountSku = Get-MsolAccountSku | Where-Object {$_.AccountSKUID -eq $AccountSkuId}
 
 if($accountSku -eq $null)
 { 
 Write-Error 'Invalid Account Sku, Please get the account information from Get-MsolAccountSku'
 RETURN
 }
 
 Write-Output "Getting unlicensed users for Group Guid: $GroupID"
 
 $usersInGroup = (Get-MsolGroupMember -GroupObjectId $groupId -All).EmailAddress
 
 Write-Output 'Setting license to: ' $usersInGroup.Count
 foreach ($currentUserInGroup in $usersInGroup) 
 {
 try 
 {
 $currentUser = Get-MsolUser -UserPrincipalName $currentUserInGroup
 if($currentUser.UsageLocation -eq $null)
 {
 Write-Warning "Current User $currentUserInGroup does not have Usage Location, please set it using Set-MsolUser commandlet"
 continue;
 }
 
 if(($currentUser).Licenses | Where-Object {$_.AccountSkuId -eq $accountSku.AccountSkuId})
 {
 Write-Warning "Current User $currentUserInGroup is Already Licensed."
 continue;
 }
 
 Set-MsolUserLicense -UserPrincipalName $currentUserInGroup -AddLicenses $accountSku.AccountSkuId -ErrorAction Stop -WarningAction Stop
 Write-Output "Successfully licensed $currentUserInGroup with $AccountSkuId"
 } 
 catch 
 {
 Write-Warning "Error when licensing $currentUserInGroup"
 }
 }
 }

SetLicenseToUsersInSecurityGroup.ps1