Managing Office 365 Licenses in Azure AD with the new Azure AD V2 PowerShell Module

Microsoft recently released a new version of the PowerShell module for administering Azure Active Directory to General Availability.

The previous module used MSOL (Microsoft Online) cmdlets to perform tasks (e.g. Get-MSOLUser).  The new module uses AzureAD cmdlets (e.g. Get-AzureADUser), which leverage the Graph API.

Because of this, you’ll want to make sure you download the latest version of the modules and update your existing scripts accordingly.

Assigning Office 365 licenses with these new cmdlets can be a bit tricky and confusing at first.  So, I’ll try to explain the process step-by-step so you gain an understanding of what’s going on.

Understanding licenses in Office 365:

Each license in Office 365 has an associated SkuID and SkuPartNumber and a list of one or more associated ServicePlans.

For instance, the E3 license has a SkuID of 6fd2c87f-b296-42f0-b197-1e91e994b900, a SkuPartNumber of ‘ENTERPRISEPACK’, and is comprised of the following Service Plans:

Service plan            Description
------------            -----------
SWAY                    Sway
INTUNE_O365             Mobile Device Management for Office 365
YAMMER_ENTERPRISE       Yammer
RMS_S_ENTERPRISE        Azure Rights Management (RMS)
OFFICESUBSCRIPTION      Office Professional Plus
MCOSTANDARD             Skype for Business Online
SHAREPOINTWAC           Office Online
SHAREPOINTENTERPRISE    SharePoint Online
EXCHANGE_S_ENTERPRISE   Exchange Online Plan 2

You can get a listing of the friendlier Descriptions for each of the SkuPartNumbers from TechNet here.

When you assign an E3 license to an individual user, you can choose to exclude one or more Service Plans so they don’t get access to those services.

Assigning Licenses in PowerShell

Each Office 365 tenant has a unique TenantID that looks similar to the SkuID or any other GUID.  In our example below, the TenantID is 85b5ff1e-0402-400c-9e3c-0f9e965325d1.

To get a list of the SkuIDs you are subscribed to in your Office 365 tenant, connect to Azure AD using the Connect-AzureAD cmdlet.  Then, run:

C:\> Get-AzureADSubscribedSku

This returns a list of ObjectIDs, SkuPartNumbers, PrepaidUnits and ConsumedUnits, showing how many licenses from each Sku have already been assigned (see the example below from the online documentation for Get-AzureADSubscribedSku).  The ObjectID is made up of the TenantID, an underscore, and the SkuID for each subscription you have purchased:

ObjectId                                                                  SkuPartNumber         PrepaidUnits                  ConsumedUnits
--------                                                                  -------------         ------------                  -------------
85b5ff1e-0402-400c-9e3c-0f9e965325d1_078d2b04-f1bd-4111-bbd4-b4b1b354cef4 AAD_PREMIUM           class LicenseUnitsDetail {... 6
85b5ff1e-0402-400c-9e3c-0f9e965325d1_f245ecc8-75af-4f8e-b61f-27d8114de5f3 O365_BUSINESS_PREMIUM class LicenseUnitsDetail {... 24
85b5ff1e-0402-400c-9e3c-0f9e965325d1_6fd2c87f-b296-42f0-b197-1e91e994b900 ENTERPRISEPACK                                      24

Once you know the SkuPartNumber of the license you want to assign, you’ll need to know the SkuID for it.  It’s the second half of the ObjectID for the Subscribed Sku after the underscore (_).

C:\> (Get-AzureADSubscribedSku | ?{$_.SkuPartNumber -eq "ENTERPRISEPACK"}).SkuId

6fd2c87f-b296-42f0-b197-1e91e994b900

If you want to assign an E3 license to a user but exclude, for instance, the SharePoint component, you’ll need to know the ServicePlans assigned to your Sku.

C:\> (Get-AzureADSubscribedSku | ?{$_.SkuPartNumber -eq "ENTERPRISEPACK"}).ServicePlans

AppliesTo ProvisioningStatus ServicePlanId                        ServicePlanName
--------- ------------------ -------------                        ---------------
User      Success            76846ad7-7776-4c40-a281-a386362dd1b9 FLOW_O365_P2
User      Success            c68f8d98-5534-41c8-bf36-22fa496fa792 POWERAPPS_O365_P2
User      Success            57ff2da0-773e-42df-b2af-ffb7a2317929 TEAMS1
User      Success            b737dad2-2f6c-4c65-90e3-ca563267e8b9 PROJECTWORKMANAGEMENT
User      Success            a23b959c-7ce8-4e57-9140-b90eb88a9e97 SWAY
Company   PendingActivation  882e1d05-acd1-4ccb-8708-6ee03664b117 INTUNE_O365
User      Success            7547a3fe-08ee-4ccb-b430-5077c5041653 YAMMER_ENTERPRISE
User      Success            bea4c11e-220a-4e6d-8eb8-8ea15d019f90 RMS_S_ENTERPRISE
User      Success            43de0ff5-c92c-492b-9116-175376d08c38 OFFICESUBSCRIPTION
User      Success            0feaeb32-d00e-4d66-bd5a-43b5b83db82c MCOSTANDARD
User      Success            e95bec33-7c88-4a70-8e19-b10bd9d0c014 SHAREPOINTWAC
User      Success            5dbe027f-2339-4123-9542-606e4d348a72 SHAREPOINTENTERPRISE
User      Success            efb87545-963c-4e0d-99df-69c6916d9eb0 EXCHANGE_S_ENTERPRISE

Now that we have the SkuID and Service Plans, we are ready to begin preparing to assign these licenses.

To assign the license, we must first create two new objects in our PowerShell session (!!!Yes, notice below that one of them is plural and one of them isn’t – License vs. Licenses!!!).

The Microsoft.Open.AzureAD.Model.AssignedLicense object contains two properties:

  • SkuID – a string of the SkuID to be assigned
  • DisabledPlans – String list of ServicePlanIds to be excluded/disabled

The Microsoft.Open.AzureAD.Model.AssignedLicenses object contains two properties as well:

  • AddLicenses – a list of one or more AssignedLicense objects above
  • RemoveLicenses – String list of one or more SkuIDs to be removed (optional)

Suppose I want to assign an E3 license to a user but exclude the Yammer and Skype for Business components.

First, I’d create the empty AssignedLicense object called $E3.

C:\> $E3 = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

Then, since the SkuPartNumber for E3 is ENTERPRISEPACK, I isolate the AzureADSubscribedSku for ENTERPRISEPACK into a new variable called $Sku, then assign its SkuID value to the SkuID property of $E3:

C:\> $Sku = Get-AzureADSubscribedSku | ?{$_.SkuPartNumber -eq "ENTERPRISEPACK"}

C:\> $E3.SkuId = $Sku.SkuId

Next, I add ServicePlanIDs for each of the components I want to exclude (MCOSTANDARD for Skype for Business and YAMMER_ENTERPRISE) into the DisabledPlans property of $E3:

C:\> $E3.DisabledPlans += ($sku.ServicePlans | ?{$_.ServicePlanName -eq "MCOSTANDARD"}).ServicePlanID

C:\> $E3.DisabledPlans += ($sku.ServicePlans | ?{$_.ServicePlanName -eq "YAMMER_ENTERPRISE"}).ServicePlanID

At this point, my $E3 AssignedLicense object looks like this.  A value for SkuID corresponding to E3, and 2 values for DisabledPlans corresponding to Skype for Business and Yammer:

C:\> $E3

DisabledPlans                                                                SkuId
-------------                                                                -----
{0feaeb32-d00e-4d66-bd5a-43b5b83db82c, 7547a3fe-08ee-4ccb-b430-5077c5041653 } 6fd2c87f-b296-42f0-b197-1e91e994b900

We’re not quite ready to begin assigning this license yet, though.  We next create the empty AssignedLicenses (note the extra ‘s’ here) object $AssignedLicenses.

C:\> $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

Then, we add our $E3 object to the AddLicenses property of $AssignedLicenses:

C:\> $AssignedLicenses.AddLicenses += $E3

We must also define the value for RemoveLicenses.  (We’re not removing any licenses, and this property cannot be empty or null.)

C:\> $AssignedLicenses.RemoveLicenses = @()

Now we have an AssignedLicenses object with the following values:

C:\> $AssignedLicenses | FL

AddLicenses    : {class AssignedLicense {
DisabledPlans: System.Collections.Generic.List`1[System.String]
SkuId: 6fd2c87f-b296-42f0-b197-1e91e994b900
}
}
RemoveLicenses :

If we also wanted to assign, for instance, EMS licenses to the user in addition to the E3 license, we’d repeat the process above and create a second AssignedLicense object and add it to the AddLicenses property of $AssignedLicenses.  I’ve done this below for brevity:

C:\> $EMS = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

C:\> $Sku = Get-AzureADSubscribedSku | ?{$_.SkuPartNumber -eq "EMS"}

C:\> $EMS.SkuId = $Sku.SkuId

C:\> $EMS.DisabledPlans += ($sku.ServicePlans | ?{$_.ServicePlanName -eq "RMS_S_ENTERPRISE"}).ServicePlanID

C:\> $AssignedLicenses.AddLicenses += $EMS

Now our $AssignedLicenses variable looks like this (note the two SkuIDs under AddLicenses now):

C:\> $AssignedLicenses | FL

AddLicenses    : {class AssignedLicense {
DisabledPlans: System.Collections.Generic.List`1[System.String]
SkuId: 6fd2c87f-b296-42f0-b197-1e91e994b900
}
, class AssignedLicense {
DisabledPlans: System.Collections.Generic.List`1[System.String]
SkuId: efccb6f7-5641-4e0e-bd10-b4976e1bf68e
}
}
RemoveLicenses :

Now that we’ve got an object that contains a list of all the licenses and excluded service plans, we’re ready to actually assign these licenses to your user(s).  To assign the license, simply run the Set-AzureADUserLicense cmdlet, providing the $AssignedLicenses variable:

C:\> Set-AzureADUserLicense -ObjectId "user@domain.com" -AssignedLicenses $AssignedLicenses

Simple, huh?
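The whole procedure above as one function, with the checks the interactive steps skip. This is an added example, not part of the original post: the function name Set-UserLicenseSafely and its parameters are hypothetical, and it assumes the AzureAD module is loaded and Connect-AzureAD has already been run.

```powershell
# Added example (not from the original post). Set-UserLicenseSafely is a hypothetical name.
function Set-UserLicenseSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $SkuPartNumber,
        [string[]] $DisabledPlanNames = @()
    )

    $sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "Tenant is not subscribed to '$SkuPartNumber'." }

    # Seats left = purchased (enabled) units minus units already consumed.
    if (($sku.PrepaidUnits.Enabled - $sku.ConsumedUnits) -lt 1) {
        throw "No unassigned '$SkuPartNumber' licenses remain."
    }

    # Resolve every plan name to its ServicePlanId. A mistyped name must stop the
    # run; otherwise the filter returns nothing and that service stays enabled.
    $disabledIds = @(foreach ($name in $DisabledPlanNames) {
        $plan = $sku.ServicePlans | Where-Object { $_.ServicePlanName -eq $name }
        if (-not $plan) { throw "'$name' is not a service plan of '$SkuPartNumber'." }
        $plan.ServicePlanId
    })

    # License assignment fails for users that have no UsageLocation.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    if (-not $user.UsageLocation) { throw "$UserPrincipalName has no UsageLocation set." }

    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    $license.DisabledPlans = [System.Collections.Generic.List[string]]$disabledIds

    $assigned = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $assigned.AddLicenses = $license
    $assigned.RemoveLicenses = @()   # must not be null, even when nothing is removed

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Assign $SkuPartNumber")) {
        Set-AzureADUserLicense -ObjectId $UserPrincipalName -AssignedLicenses $assigned
    }
}

# Dry run for the E3 case above: the checks execute, the assignment does not.
Set-UserLicenseSafely -UserPrincipalName 'user@domain.com' -SkuPartNumber 'ENTERPRISEPACK' `
    -DisabledPlanNames 'MCOSTANDARD', 'YAMMER_ENTERPRISE' -WhatIf
```

Drop -WhatIf to apply the change; run it once per Sku if the user needs more than one license.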

 

Change DirSync Synchronization Frequency

Some organizations need DirSync to synchronize with their Office 365 tenant more frequently than the default 3 hour interval.

Fortunately, this is easy enough to change.

  1. Navigate to the installation directory for the DirSync tool:
    C:\Program Files\Windows Azure Active Directory Sync
  2. Edit this file:
    Microsoft.Online.DirSync.Scheduler.exe.config
  3. Search for the line
    <add key="SyncTimeInterval" value="3:0:0" />
  4. Change the value to reflect the interval you’d like to use.  The default is 3:0:0 which is every 3 hours.  Changing it to 0:30:0 would result in a synchronization every 30 minutes.
  5. Save the file
  6. Restart the Forefront Identity Manager Synchronization Service service.
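The same six steps scripted, with a rollback copy of the file and a sanity check on the interval. This is an added example, not part of the original post: it assumes an elevated PowerShell session on the DirSync server and uses the directory, file name, key and service display name given in the steps above.

```powershell
# Added example (not from the original post). Run elevated on the DirSync server.
$configPath  = 'C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.config'
$newInterval = '0:30:0'   # hours:minutes:seconds, here every 30 minutes

# Reject anything that is not a positive time span before touching the file.
$parsed = [TimeSpan]::Zero
if (-not [TimeSpan]::TryParse($newInterval, [ref]$parsed) -or $parsed -le [TimeSpan]::Zero) {
    throw "'$newInterval' is not a valid interval."
}

# Keep a copy of the current file so the change can be rolled back.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)

# Locate the <add key="SyncTimeInterval" ... /> element wherever it sits in the file.
$node = $xml.SelectSingleNode("//add[@key='SyncTimeInterval']")
if (-not $node) { throw "SyncTimeInterval key not found in $configPath." }

Write-Host "SyncTimeInterval: $($node.GetAttribute('value')) -> $newInterval"
$node.SetAttribute('value', $newInterval)
$xml.Save($configPath)

# The scheduler only reads the new value after the service restarts.
Restart-Service -DisplayName 'Forefront Identity Manager Synchronization Service'
```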

DirSync Now Supports Password Sync

Details here.

This is great news for new and existing users of Azure Active Directory Authentication including Office 365, Intune, CRM Online, etc.

This feature simulates Single Sign-On by copying the hash data for user passwords from on-premises Active Directory Domain Services Domain Controllers into the Azure Active Directory Authentication Service. It also updates password data into Azure more frequently than it does other metadata such as DisplayName, etc. DirSync will detect when a user changes their password and attempt to synchronize it within minutes.

If you’re running the legacy 32-bit version of DirSync, you must first uninstall the older version, and then install the newer 64-bit version on a different computer.

Download and Installation Instructions.