Managing Office 365 Licenses in Azure AD with the new Azure AD V2 PowerShell Module

Microsoft recently released a new version of the PowerShell module for administering Azure Active Directory to General Availability.

The previous module used MSOL (Microsoft Online) cmdlets to perform tasks (e.g. Get-MsolUser).  The new module's cmdlets are prefixed AzureAD (e.g. Get-AzureADUser) and call the Azure AD Graph API under the hood.

Because of this, you’ll want to make sure you download the latest version of the modules and update your existing scripts accordingly.

Assigning Office 365 licenses with these new cmdlets can be a bit tricky and confusing at first.  So, I’ll try to explain the process step-by-step so you gain an understanding of what’s going on.

Understanding licenses in Office 365:

Each license in Office 365 has an associated SkuID and SkuPartNumber and a list of one or more associated ServicePlans.

For instance, the E3 license has a SkuID of 6fd2c87f-b296-42f0-b197-1e91e994b900, a SkuPartNumber of ‘ENTERPRISEPACK’, and is comprised of the following Service Plans:

Service plan           Description
SWAY                   Sway
INTUNE_O365            Mobile Device Management for Office 365
YAMMER_ENTERPRISE      Yammer
RMS_S_ENTERPRISE       Azure Rights Management (RMS)
OFFICESUBSCRIPTION     Office Professional Plus
MCOSTANDARD            Skype for Business Online
SHAREPOINTWAC          Office Online
SHAREPOINTENTERPRISE   SharePoint Online
EXCHANGE_S_ENTERPRISE  Exchange Online Plan 2

You can get a listing of the friendlier Descriptions for each of the SkuPartNumbers from TechNet here.

When you assign an E3 license to an individual user, you can choose to exclude one or more Service Plans so they don’t get access to those services.

Assigning Licenses in PowerShell

Each Office 365 tenant has a unique TenantID that looks similar to the SkuID or any other GUID.  In our example below, the TenantID is 85b5ff1e-0402-400c-9e3c-0f9e965325d1.

To get a list of the SkuIDs you are subscribed to in your Office 365 tenant, connect to Azure AD using the Connect-AzureAD cmdlet.  Then, run:

C:\> Get-AzureADSubscribedSku

You’ll get back a list of ObjectIds, SkuPartNumbers, PrepaidUnits and ConsumedUnits, showing how many licenses of each Sku you have purchased and how many have already been assigned (see the example below, taken from the online documentation for Get-AzureADSubscribedSku).  The ObjectId is made up of the TenantID, an underscore, and the SkuID of each subscription you have purchased:

ObjectId                                                                  SkuPartNumber         PrepaidUnits                  ConsumedUnits
--------                                                                  -------------         ------------                  -------------
85b5ff1e-0402-400c-9e3c-0f9e965325d1_078d2b04-f1bd-4111-bbd4-b4b1b354cef4 AAD_PREMIUM           class LicenseUnitsDetail {... 6
85b5ff1e-0402-400c-9e3c-0f9e965325d1_f245ecc8-75af-4f8e-b61f-27d8114de5f3 O365_BUSINESS_PREMIUM class LicenseUnitsDetail {... 24
85b5ff1e-0402-400c-9e3c-0f9e965325d1_6fd2c87f-b296-42f0-b197-1e91e994b900 ENTERPRISEPACK                                      24

Once you know the SkuPartNumber of the license you want to assign, you’ll need to know the SkuID for it.  It’s the second half of the ObjectID for the Subscribed Sku after the underscore (_).

C:\> (Get-AzureADSubscribedSku | ?{$_.SkuPartNumber -eq "ENTERPRISEPACK"}).SkuId

6fd2c87f-b296-42f0-b197-1e91e994b900

If you want to assign an E3 license to a user but exclude, for instance, the SharePoint component, you’ll need to know the ServicePlans assigned to your Sku.

C:\> (Get-AzureADSubscribedSku | ?{$_.SkuPartNumber -eq "ENTERPRISEPACK"}).ServicePlans

AppliesTo ProvisioningStatus ServicePlanId                        ServicePlanName
--------- ------------------ -------------                        ---------------
User      Success            76846ad7-7776-4c40-a281-a386362dd1b9 FLOW_O365_P2
User      Success            c68f8d98-5534-41c8-bf36-22fa496fa792 POWERAPPS_O365_P2
User      Success            57ff2da0-773e-42df-b2af-ffb7a2317929 TEAMS1
User      Success            b737dad2-2f6c-4c65-90e3-ca563267e8b9 PROJECTWORKMANAGEMENT
User      Success            a23b959c-7ce8-4e57-9140-b90eb88a9e97 SWAY
Company   PendingActivation  882e1d05-acd1-4ccb-8708-6ee03664b117 INTUNE_O365
User      Success            7547a3fe-08ee-4ccb-b430-5077c5041653 YAMMER_ENTERPRISE
User      Success            bea4c11e-220a-4e6d-8eb8-8ea15d019f90 RMS_S_ENTERPRISE
User      Success            43de0ff5-c92c-492b-9116-175376d08c38 OFFICESUBSCRIPTION
User      Success            0feaeb32-d00e-4d66-bd5a-43b5b83db82c MCOSTANDARD
User      Success            e95bec33-7c88-4a70-8e19-b10bd9d0c014 SHAREPOINTWAC
User      Success            5dbe027f-2339-4123-9542-606e4d348a72 SHAREPOINTENTERPRISE
User      Success            efb87545-963c-4e0d-99df-69c6916d9eb0 EXCHANGE_S_ENTERPRISE

Now that we have the SkuID and Service Plans, we are ready to begin preparing to assign these licenses.

To assign the license, we must first create two new objects in our PowerShell session (!!!Yes, notice below that one of them is plural and one of them isn’t – License vs. Licenses!!!).

The Microsoft.Open.AzureAD.Model.AssignedLicense object contains two properties:

  • SkuID – a string of the SkuID to be assigned
  • DisabledPlans – String list of ServicePlanIds to be excluded/disabled

The Microsoft.Open.AzureAD.Model.AssignedLicenses object contains two properties as well:

  • AddLicenses – a list of one or more AssignedLicense objects above
  • RemoveLicenses – String list of one or more SkuIDs to be removed (optional)

Suppose I want to assign an E3 license to a user but exclude the Yammer and Skype for Business components.

First, I’d create the empty AssignedLicense object called $E3.

C:\> $E3 = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

Then, since the SkuPartNumber for E3 is ENTERPRISEPACK, I isolate the AzureADSubscribedSku for ENTERPRISEPACK into a new variable called $Sku, then assign its SkuID value to the SkuID property of $E3:

C:\> $Sku = Get-AzureADSubscribedSku | ?{$_.SkuPartNumber -eq "ENTERPRISEPACK"}

C:\> $E3.SkuId = $Sku.SkuId

Next, I add ServicePlanIDs for each of the components I want to exclude (MCOSTANDARD for Skype for Business and YAMMER_ENTERPRISE) into the DisabledPlans property of $E3:

C:\> $E3.DisabledPlans += ($sku.ServicePlans | ?{$_.ServicePlanName -eq "MCOSTANDARD"}).ServicePlanID

C:\> $E3.DisabledPlans += ($sku.ServicePlans | ?{$_.ServicePlanName -eq "YAMMER_ENTERPRISE"}).ServicePlanID

At this point, my $E3 AssignedLicense object looks like this.  A value for SkuID corresponding to E3, and 2 values for DisabledPlans corresponding to Skype for Business and Yammer:

C:\> $E3

DisabledPlans                                                                SkuId
-------------                                                                -----
{0feaeb32-d00e-4d66-bd5a-43b5b83db82c, 7547a3fe-08ee-4ccb-b430-5077c5041653 } 6fd2c87f-b296-42f0-b197-1e91e994b900

We’re not quite ready to begin assigning this license yet, though.  We next create the empty AssignedLicenses (note the extra ‘s’ here) object $AssignedLicenses.

C:\> $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

Then, we add our $E3 object to the AddLicenses property of $AssignedLicenses:

C:\> $AssignedLicenses.AddLicenses += $E3

We must also define the value for RemoveLicenses.  (We’re not removing any licenses, and this property cannot be empty or null.)

C:\> $AssignedLicenses.RemoveLicenses = @()

Now we have an AssignedLicenses object with the following values:

C:\> $AssignedLicenses | FL

AddLicenses    : {class AssignedLicense {
                   DisabledPlans: System.Collections.Generic.List`1[System.String]
                   SkuId: 6fd2c87f-b296-42f0-b197-1e91e994b900
                 }
                 }
RemoveLicenses :

If we also wanted to assign, for instance, EMS licenses to the user in addition to the E3 license, we’d repeat the process above: create a second AssignedLicense object and add it to the AddLicenses property of $AssignedLicenses.  Here it is without the commentary:

C:\> $EMS = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
C:\> $Sku = Get-AzureADSubscribedSku | ?{$_.SkuPartNumber -eq "EMS"}
C:\> $EMS.SkuId = $Sku.SkuId
C:\> $EMS.DisabledPlans += ($Sku.ServicePlans | ?{$_.ServicePlanName -eq "RMS_S_ENTERPRISE"}).ServicePlanId
C:\> $AssignedLicenses.AddLicenses += $EMS

Now our $AssignedLicenses variable looks like this (note the two SkuIDs under AddLicenses now):

C:\> $AssignedLicenses | FL

AddLicenses    : {class AssignedLicense {
                   DisabledPlans: System.Collections.Generic.List`1[System.String]
                   SkuId: 6fd2c87f-b296-42f0-b197-1e91e994b900
                 }
                 , class AssignedLicense {
                   DisabledPlans: System.Collections.Generic.List`1[System.String]
                   SkuId: efccb6f7-5641-4e0e-bd10-b4976e1bf68e
                 }
                 }
RemoveLicenses :

Now that we’ve got an object that contains the list of licenses and excluded service plans, we’re ready to actually assign them to the user.  Run the Set-AzureADUserLicense cmdlet, passing the user’s UPN (or ObjectId) and the $AssignedLicenses variable:

C:\> Set-AzureADUserLicense -ObjectId "user@domain.com" -AssignedLicenses $AssignedLicenses

Two things to watch.  First, the user must already have a UsageLocation set (Set-AzureADUser -ObjectId "user@domain.com" -UsageLocation US), otherwise the assignment is rejected.  Second, the DisabledPlans list you send replaces whatever was previously disabled for that SKU, so a later call that re-adds ENTERPRISEPACK with an empty DisabledPlans quietly switches Skype for Business and Yammer back on for the user.
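The whole procedure above, wrapped into two reusable helpers.  This is an added example, not code from the original post: New-LicenseAssignment builds an AssignedLicense from a SkuPartNumber plus service plan names (validating both and refusing to proceed when the SKU has no free seats), and Set-UserLicenses applies one or more of them with a UsageLocation check, -WhatIf support, and a post-assignment verification via Get-AzureADUserLicenseDetail.  It assumes Connect-AzureAD has already been run with an account allowed to manage licenses; the function names, the sample UPN and the SKUs in the usage lines are this example's assumptions.

```powershell
# Added example (not from the original post).  Assumes an existing Connect-AzureAD session.

function New-LicenseAssignment {
    param(
        [Parameter(Mandatory)][string]$SkuPartNumber,
        [string[]]$DisabledPlanNames = @()
    )
    $sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not subscribed in this tenant." }

    # PrepaidUnits.Enabled is what you bought; ConsumedUnits is what is already assigned.
    $free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($free -lt 1) {
        throw "No free units for $SkuPartNumber (enabled=$($sku.PrepaidUnits.Enabled), consumed=$($sku.ConsumedUnits))."
    }

    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    foreach ($name in $DisabledPlanNames) {
        $plan = $sku.ServicePlans | Where-Object { $_.ServicePlanName -eq $name }
        if (-not $plan) { throw "'$name' is not a service plan of $SkuPartNumber; check (Get-AzureADSubscribedSku).ServicePlans." }
        $license.DisabledPlans += $plan.ServicePlanId     # DisabledPlans takes the plan GUIDs, not the names
    }
    return $license
}

function Set-UserLicenses {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][object[]]$Add,          # AssignedLicense objects from New-LicenseAssignment
        [string[]]$RemoveSkuIds = @()
    )
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # The Graph API refuses to license a user who has no UsageLocation.
    if (-not $user.UsageLocation) {
        throw "$UserPrincipalName has no UsageLocation; run Set-AzureADUser -ObjectId $UserPrincipalName -UsageLocation <ISO-3166 code> first."
    }

    $bundle = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    foreach ($l in $Add) { $bundle.AddLicenses += $l }
    $bundle.RemoveLicenses = $RemoveSkuIds       # must be an array, never $null

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Add $($Add.Count) SKU(s), remove $($RemoveSkuIds.Count)")) {
        Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $bundle

        # Verify what actually landed: excluded plans show ProvisioningStatus 'Disabled'.
        Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId | ForEach-Object {
            $detail = $_
            $detail.ServicePlans | Select-Object @{n = 'Sku'; e = { $detail.SkuPartNumber }}, ServicePlanName, ProvisioningStatus
        }
    }
}

# Usage (assumed SKUs and UPN): E3 without Skype for Business and Yammer, plus EMS without Azure RMS.
$e3  = New-LicenseAssignment -SkuPartNumber 'ENTERPRISEPACK' -DisabledPlanNames 'MCOSTANDARD', 'YAMMER_ENTERPRISE'
$ems = New-LicenseAssignment -SkuPartNumber 'EMS' -DisabledPlanNames 'RMS_S_ENTERPRISE'
Set-UserLicenses -UserPrincipalName 'user@domain.com' -Add $e3, $ems -WhatIf      # preview only
Set-UserLicenses -UserPrincipalName 'user@domain.com' -Add $e3, $ems | Format-Table -AutoSize
```

Resolving plan names to IDs at run time, rather than hard-coding the GUIDs from the tables above, keeps the script valid when Microsoft adds plans to a SKU; the verification step is what catches the case where a previous assignment's DisabledPlans were overwritten.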

 

Simple, huh?

 


Disable Audio/Video functionality for Skype Users via PowerShell

Like my previous post on Exchange Mailbox Protocols, many companies limit the ability of some of their users (but not all of them) to use the audio/video functionality built into Skype for Business Online.  Normally, this occurs in office environments that don’t have the internet bandwidth to support all that A/V traffic for a large number of users, so they limit its use to those who need it, or to executives and VIPs.

Unfortunately, it’s not possible to create a SIP profile that enables/disables the protocols for any user to which it’s assigned.  Therefore, administrators must disable this functionality for each individual user.  This is easily done for one or two users via the administrative console web page, but doing this in bulk requires PowerShell.

To help alleviate this, I’ve created a script that leverages security groups in Azure AD (and on-premises AD if they are synchronized via DirSync) as a way to indicate which users should be allowed the use of Audio/Video functionality in Skype for Business Online.

By default, the script will assume your group is named Office365-AllowSkypeAV, but you could use any group name you want and feed that to the script via a command-line parameter.

When run, the script will disable AudioVideo functionality for ANY user who is NOT a member of the above referenced groups.

This script also leverages my WriteTo-Log function so that a running log can be generated keeping track of each change made to each user for auditing purposes.

Finally, there are optional command-line parameters (-From, -To, -SMTPServer) that can be used to ensure the log is emailed to an address of your choice after completing.

You can download the script here.

Disable Exchange Mailbox Protocols via PowerShell Script

Many companies limit the ability of some of their users (but not all of them) to use all of the protocols enabled by default for accessing a mailbox in Office 365/Exchange Online, while still allowing them to connect with Outlook via MAPI.

Unfortunately, it’s not possible to create an OWA profile or a POP profile, for example, that enables/disables the protocols for any user to which it’s assigned.  Therefore, administrators must disable these protocols for each individual user at the CASMailbox level.

To help alleviate this, I’ve created a script that leverages security groups in Azure AD (and on-premises AD if they are synchronized via DirSync) as a way to indicate which users should be allowed the use of a certain protocol.

By default, the script will assume your groups are named as listed below, but you could use any group name you want and feed that to the script via a command-line parameter.

  • Office365-AllowActiveSync
  • Office365-AllowOWA-Device
  • Office365-AllowIMAP
  • Office365-AllowPOP

When run, the script will disable the protocols for ANY user who is NOT a member of the above referenced groups.

This script also leverages my WriteTo-Log function so that a running log can be generated keeping track of each change made to each user’s mailbox for auditing purposes.

Finally, there are optional command-line parameters (-From, -To, -SMTPServer) that can be used to ensure the log is emailed to an address of your choice after completing.

You can download the script here.
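The logic both posts describe (mailbox protocols here, Skype for Business audio/video in the post above), as one script.  This is an added example, not the author's downloadable script: it resolves each Azure AD group to a set of member UPNs once, changes only the settings that differ from the desired state, writes every change to a log and optionally mails it.  It assumes an existing Connect-AzureAD session, an Exchange Online remote PowerShell session and, for the last loop, a Skype for Business Online session.  Group names default to the ones in the posts; mapping Office365-AllowOWA-Device to the -OWAforDevicesEnabled parameter, and re-enabling a protocol for users who are members, are this example's choices rather than something the posts state.

```powershell
# Added example (not the author's script).  Assumes Connect-AzureAD, an Exchange Online
# session and (for the Skype section) a Skype for Business Online session already exist.
param(
    [hashtable]$ProtocolGroups = @{        # Set-CASMailbox parameter -> allow group
        ActiveSyncEnabled    = 'Office365-AllowActiveSync'
        OWAforDevicesEnabled = 'Office365-AllowOWA-Device'   # assumed mapping
        ImapEnabled          = 'Office365-AllowIMAP'
        PopEnabled           = 'Office365-AllowPOP'
    },
    [string]$SkypeAVGroup = 'Office365-AllowSkypeAV',
    [string]$LogPath = ".\ProtocolEnforcement-$(Get-Date -Format 'yyyyMMdd-HHmmss').log",
    [string]$From, [string]$To, [string]$SmtpServer,
    [switch]$ReportOnly                    # log what would change, touch nothing
)

function Write-ChangeLog([string]$Message) {
    $line = '{0:u}  {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Resolve a group name to a set of member UPNs.  Abort on a missing or ambiguous
# name: display names are not unique in Azure AD, and a typo here would otherwise
# strip a protocol from every user in the tenant.
function Get-GroupMemberUpnSet([string]$GroupName) {
    $groups = @(Get-AzureADGroup -Filter "DisplayName eq '$GroupName'")
    if ($groups.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($groups.Count)." }
    $set = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
    # Direct members only: Get-AzureADGroupMember does not expand nested groups.
    Get-AzureADGroupMember -ObjectId $groups[0].ObjectId -All $true |
        Where-Object { $_.UserPrincipalName } |
        ForEach-Object { [void]$set.Add($_.UserPrincipalName) }
    return $set
}

Write-ChangeLog "Run started (ReportOnly=$ReportOnly)"

# --- Exchange Online: one Set-CASMailbox per mailbox, only for parameters that differ ---
$allowed = @{}
foreach ($param in $ProtocolGroups.Keys) { $allowed[$param] = Get-GroupMemberUpnSet $ProtocolGroups[$param] }

foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName
    $cas = Get-CASMailbox -Identity $mbx.Identity
    $changes = @{}
    foreach ($param in $ProtocolGroups.Keys) {
        $desired = $allowed[$param].Contains($upn)
        if ($cas.$param -ne $desired) { $changes[$param] = $desired }
    }
    if ($changes.Count -eq 0) { continue }
    $summary = ($changes.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    if ($ReportOnly) { Write-ChangeLog "WOULD SET $upn : $summary"; continue }
    Set-CASMailbox -Identity $mbx.Identity @changes      # splat only the parameters that change
    Write-ChangeLog "SET $upn : $summary"
}

# --- Skype for Business Online: AudioVideoDisabled is the inverse of group membership ---
$avAllowed = Get-GroupMemberUpnSet $SkypeAVGroup
foreach ($csUser in Get-CsOnlineUser -ResultSize Unlimited) {
    $upn = $csUser.UserPrincipalName
    $disable = -not $avAllowed.Contains($upn)
    if ([bool]$csUser.AudioVideoDisabled -eq $disable) { continue }
    if ($ReportOnly) { Write-ChangeLog "WOULD SET $upn : AudioVideoDisabled=$disable"; continue }
    Set-CsUser -Identity $upn -AudioVideoDisabled $disable
    Write-ChangeLog "SET $upn : AudioVideoDisabled=$disable"
}

if ($To) {
    Send-MailMessage -From $From -To $To -SmtpServer $SmtpServer `
        -Subject "Protocol enforcement log $(Get-Date -Format 'yyyy-MM-dd')" -Body (Get-Content -Path $LogPath -Raw)
}
```

Run it with -ReportOnly first and read the log.  Once this is in place, membership of those groups is the control that decides who can use POP, IMAP, ActiveSync or A/V, so restrict who can manage them (group owners, helpdesk roles) and review membership changes the same way you would review a policy change.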

Update Send Connector SSL Certificate for Hybrid Configuration

Recently had a customer with an Exchange 2013 Hybrid config require updating an expired SSL certificate.  When they imported the new certificate and assigned it SMTP services, mail flow from on-premises to Office 365 stopped.

This was because the on-premises send connector to Office 365 was still configured to look for that expired certificate (which had also been deleted already).

The fix was to perform the following:

  1. Open Exchange Management Shell on the on-premises Exchange server
  2. Run Get-ExchangeCertificate, and note the Thumbprint of the correct certificate to be used.
  3. Run $cert = Get-ExchangeCertificate -Thumbprint <thumbprint>
  4. Set a new variable and assign it the concatenated Issuer and Subject values of the certificate (the <I> and <S> markers must precede each field, in that order):
    $TLSCert = ('<I>' + $cert.Issuer + '<S>' + $cert.Subject)
  5. Update the send connector with the new value:
    Set-SendConnector -Identity "Send Connector Name" -TLSCertificateName $TLSCert

After completing this, any queued mail destined for the Office 365 tenant should begin flowing.
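The same fix as a script that checks the certificate before binding it and shows the connector value before and after.  This is an added example, not code from the post: it refuses a certificate that is expired, not yet valid or not enabled for the SMTP service, skips the change when the connector already references the certificate, and can also update receive connectors that carry a TlsCertificateName.  Run it in the on-premises Exchange Management Shell.  The default connector name and the receive connector option are this example's assumptions, not something the post describes.

```powershell
# Added example (not from the post).  Run in the on-premises Exchange Management Shell.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$SendConnectorName = 'Outbound to Office 365',   # assumed name; check Get-SendConnector
    [switch]$AlsoReceiveConnectors                            # update receive connectors that already have a TlsCertificateName
)

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint on this server." }
if ($cert.NotAfter -lt (Get-Date))  { throw "Certificate expired $($cert.NotAfter); import a current one first." }
if ($cert.NotBefore -gt (Get-Date)) { throw "Certificate is not valid until $($cert.NotBefore)." }
if ("$($cert.Services)" -notmatch 'SMTP') {
    throw "Certificate is not enabled for SMTP; run Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP first."
}

# Connectors identify a certificate by issuer and subject, not by thumbprint.  A renewal from the
# same CA with the same subject keeps the same identifier, so this step only matters when either changed.
$tlsName = '<I>' + $cert.Issuer + '<S>' + $cert.Subject

$connector = Get-SendConnector -Identity $SendConnectorName
"Before: $($connector.TlsCertificateName)"
if ("$($connector.TlsCertificateName)" -eq $tlsName) {
    "Send connector already references this certificate; nothing to do."
} else {
    Set-SendConnector -Identity $SendConnectorName -TlsCertificateName $tlsName
    "After:  $((Get-SendConnector -Identity $SendConnectorName).TlsCertificateName)"
}

if ($AlsoReceiveConnectors) {
    Get-ReceiveConnector | Where-Object { $_.TlsCertificateName } | ForEach-Object {
        Set-ReceiveConnector -Identity $_.Identity -TlsCertificateName $tlsName
        "Updated receive connector $($_.Identity)"
    }
}

# Anything that queued while the old certificate was gone should start moving now.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } | Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize
```

The Services check is the one that would have caught the original problem early: a certificate imported but never enabled for SMTP produces the same symptom as a connector pointing at a deleted one.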

Determine Office 365 Public Folder Hierarchy Limit

Last month, in June 2014, the Exchange Team announced that Office 365 would soon have the public folder hierarchy folder count limit raised from 10,000 folders to 100,000 folders.  This limit increase would begin to take effect in July, 2014.

But how can you tell what your tenant’s current folder count limit is?

  1. Open a remote PowerShell session to your Office 365 tenant
  2. Run the following command:
    Get-Mailbox -PublicFolder | Get-MailboxStatistics | fl FolderHierarchy*

The command will return the following results:

FolderHierarchyChildrenCountWarningQuota : 9000
FolderHierarchyChildrenCountReceiveQuota : 10000

FolderHierarchyDepthWarningQuota         : 250
FolderHierarchyDepthReceiveQuota         : 300

Once the FolderHierarchyChildrenCountReceiveQuota is raised to 100000, you’ll know your tenant has been updated.

If your tenant does not have a public folder mailbox created yet, you can run the command without the -PublicFolder parameter and replace it with any mailbox identity.
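The same check as a function that reports the quota next to the number of public folders actually present, so one call tells you both whether the limit has been raised and how much headroom is left.  This is an added example, not code from the post; it assumes an Exchange Online remote PowerShell session and the function name is this example's own.

```powershell
# Added example (not from the post).  Assumes an Exchange Online remote PowerShell session.
function Get-PublicFolderQuotaStatus {
    # Any mailbox carries the tenant-wide quota values; prefer the public folder mailbox if one exists.
    $mbx = Get-Mailbox -PublicFolder -ResultSize 1 -ErrorAction SilentlyContinue
    if (-not $mbx) { $mbx = Get-Mailbox -ResultSize 1 }
    $stats = $mbx | Get-MailboxStatistics

    # The quota properties are Unlimited<Int32>; stringify so a number and "Unlimited" are handled alike.
    $receive = "$($stats.FolderHierarchyChildrenCountReceiveQuota)"
    $warning = "$($stats.FolderHierarchyChildrenCountWarningQuota)"
    $count   = (Get-PublicFolder -Recurse -ResultSize Unlimited -ErrorAction SilentlyContinue | Measure-Object).Count

    $isNumber = $receive -match '^\d+$'
    [pscustomobject]@{
        ReceiveQuota = $receive
        WarningQuota = $warning
        FolderCount  = $count          # includes the root "\" when any public folders exist
        PercentUsed  = if ($isNumber -and [int]$receive -gt 0) { [math]::Round(100 * $count / [int]$receive, 1) } else { $null }
        LimitRaised  = ($isNumber -and [int]$receive -ge 100000)
        OverWarning  = ($warning -match '^\d+$' -and $count -ge [int]$warning)
    }
}

Get-PublicFolderQuotaStatus | Format-List
```

OverWarning is the field worth alerting on: a tenant that has crossed FolderHierarchyChildrenCountWarningQuota will hit the hard limit on the next migration batch.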

Deploying Multi-Factor Authentication for Office 365

Multi-Factor Authentication (MFA) is now included in all O365 SKUs (except Small Business & Dedicated).

MFA enables you to require 2 or more of the following factors for users in your enterprise to authenticate to O365 services:

  • Something you know – a password or PIN
  • Something you have – a phone, smart card, or other token (like a client certificate)
  • Something you are – biometric, like a fingerprint or retinal scan

Office 365 uses Windows Azure MFA (powered by PhoneFactor, acquired by Microsoft in 2012). (http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/)

In this post, I’ll explain how to enable MFA for use with a smart phone. This gives you 3 options for verification:

  • Mobile Apps
  • Phone Calls
  • Text messages (OTP – one-time passcode)

You can enable MFA for single users or you can enable them for multiple users at a time via a CSV file import. You can also enable via PowerShell.

To enable MFA for O365 for a single user

  1. Log into the portal and navigate to admin center
  2. Select users and groups
  3. Click Set up next to Set Multi-factor authentication requirements
  4. Find the user and check the box next to their name
  5. Clicking enable brings up a pop-up

After enabling, you’ll need to send each user to this link to register for MFA: http://aka.ms/MFASetup

The user signs in and is then presented with the registration prompt.

The user should select the contact method they prefer:

  1. Mobile phone: This method allows for either text message verification (a 6-digit code is sent via standard SMS messaging) or phone call (pressing # confirms you are the one logging in)
  2. Office phone: This method only allows for a phone call confirmation, similar to Mobile phone. However, Lync phone numbers are not supported.
  3. Mobile app: This method utilizes a mobile application on your smart phone. The mobile app receives a 6-digit code that is used as the second authentication method – similar to text messages. If selected, click the Configure button and follow the instructions for configuring the app for your mobile device.
    iOS: https://itunes.apple.com/us/app/multi-factor-authentication/id475844606?mt=8
    Android: https://play.google.com/store/apps/details?id=com.phonefactor.phonefactor
    Windows Phone: http://www.windowsphone.com/en-us/store/app/multi-factor-auth/0a9691de-c0a1-44ee-ab96-6807f8322bd1
  4. Once the app is verified, it will prompt you to approve each sign-in.

[Screenshots: Apple iOS, Google Android, Windows Phone]

  5. Once you choose a verification method and complete the verification steps, you’ll need to generate an App password.  Office apps and mobile apps (like mail) that can’t show an MFA prompt must use this password instead of your normal password, and it’s recommended you generate a separate app password for each device you intend to use.  Keep in mind that an app password is a single-factor credential that bypasses MFA for those clients, so treat it like a password: don’t reuse one across devices, and delete it from the portal when the device is retired.
  6. Once completed, you can always come back to this URL to make changes to your profile, change your password, or add additional authentication methods.  You can also use this portal to access applications like SharePoint Online and Exchange Online (OWA).

To Enable MFA for users in bulk

After clicking Set-up for Multi-factor authentication from the Users and Groups page, click the Bulk Update button.


This will prompt you to provide a CSV file that contains two column headings: Username and MFA Status.  Keep the headers exactly as shown and avoid spaces after the commas; the PowerShell version further down reads the same file and matches header and status values literally.  A sample CSV file is displayed below:

Username,MFA Status
chris@contoso.com,Enabled
ben@contoso.com,Disabled
kyle@contoso.com,Disabled
kenny@contoso.com,Enabled
eric@contoso.com,Enabled

After you import the CSV file and complete the update process, you’ll need to notify each user to go to the http://aka.ms/MFASetup web page to configure their multi-authentication verification methods.

To Enable MFA via Remote PowerShell

You can use the following PowerShell commands to enable or enforce multi-factor authentication for a single user, all users, or a bulk list of users via CSV. You must use the Windows Azure Active Directory Module for Windows PowerShell. You can find instructions on downloading and installing this module here.

The commands:

#Establish the StrongAuthenticationRequirement object with the required RelyingParty settings for Office 365
$mfobject = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfobject.RelyingParty = "*"
$mfobject.State = "Enabled"
$mfauthenabled = @($mfobject)
$mfauthdisabled = @()

#Enable MFA for a single user
Set-MsolUser -UserPrincipalName username@contoso.com -StrongAuthenticationRequirements $mfauthenabled

#Enable MFA for all users (please use with CAUTION!)
Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements $mfauthenabled

#Enable MFA for a bulk list of users in a CSV file (header row must be exactly: Username,MFA Status)
$userlist = Import-Csv .\Contoso-MFA.csv
foreach ($user in $userlist) {
    switch ($user."MFA Status".Trim()) {
        "Enabled"  {Set-MsolUser -UserPrincipalName $user.Username -StrongAuthenticationRequirements $mfauthenabled}
        "Disabled" {Set-MsolUser -UserPrincipalName $user.Username -StrongAuthenticationRequirements $mfauthdisabled}
    }
}

#Disable MFA for a single user
Set-MsolUser -UserPrincipalName username@contoso.com -StrongAuthenticationRequirements $mfauthdisabled
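The MSOL calls above wrapped into functions, as an added example that is not code from the post: the state is validated (Enabled, Enforced or Disabled), -WhatIf is honoured, the bulk import reads the same CSV layout the portal uses and reports rows it cannot interpret, and an audit function lists directory-role holders who still have no MFA requirement, which is the check a deployment should start with.  It assumes Connect-MsolService has already been run; the function names are this example's own.

```powershell
# Added example (not from the post).  Assumes Connect-MsolService has already been run.

function Set-O365MfaState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State
    )
    process {
        $requirements = @()                      # empty array = MFA off; never pass $null
        if ($State -ne 'Disabled') {
            $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $req.RelyingParty = '*'              # all relying parties, which is what Office 365 expects
            $req.State = $State                  # Enforced: registration complete; legacy clients now need app passwords
            $requirements = @($req)
        }
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set MFA state to $State")) {
            Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements
        }
    }
}

function Get-O365MfaState {
    param([Parameter(Mandatory, ValueFromPipeline)]$MsolUser)
    process {
        $state = $MsolUser.StrongAuthenticationRequirements | Select-Object -First 1 -ExpandProperty State
        [pscustomobject]@{
            UserPrincipalName = $MsolUser.UserPrincipalName
            MfaState          = if ($state) { $state } else { 'Disabled' }
            Methods           = ($MsolUser.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        }
    }
}

# Anyone holding an admin role with MfaState 'Disabled' is the first thing to fix.
function Get-O365AdminsWithoutMfa {
    foreach ($role in Get-MsolRole) {
        Get-MsolRoleMember -RoleObjectId $role.ObjectId |
            Where-Object { $_.RoleMemberType -eq 'User' } |
            ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress } |
            Get-O365MfaState |
            Where-Object { $_.MfaState -eq 'Disabled' } |
            Select-Object @{n = 'Role'; e = { $role.Name }}, UserPrincipalName, MfaState
    }
}

# Bulk update from the portal's CSV layout (Username, MFA Status).  Rows with an
# unknown state are reported and skipped instead of silently ignored.
function Import-O365MfaCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        $state = "$($row.'MFA Status')".Trim()
        if ($state -notin 'Enabled', 'Enforced', 'Disabled') {
            Write-Warning "$($row.Username): unknown MFA Status '$state', skipped"
            continue
        }
        Set-O365MfaState -UserPrincipalName $row.Username.Trim() -State $state   # -WhatIf propagates from the caller
    }
}

# Usage
Get-O365AdminsWithoutMfa | Format-Table -AutoSize
Import-O365MfaCsv -Path .\Contoso-MFA.csv -WhatIf          # preview
Import-O365MfaCsv -Path .\Contoso-MFA.csv
Get-MsolUser -All | Get-O365MfaState | Group-Object MfaState | Select-Object Name, Count
```

The final line gives a quick tenant-wide tally; run it again after users have completed registration, since Enabled only means the requirement is set, while Enforced means the user has registered and MFA is actually being applied to their sign-ins.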