JanVidarElven/EMSAssignLicense.ps1

## EMSAssignLicense.ps1
# PowerShell CmdLets for Assigning EMS Licenses with Azure AD v2 PowerShell Module
# Read blog post for details: https://gotoguy.blog/2017/02/17/assign-ems-license-with-azure-ad-v2-powershell-and-dynamic-groups/

# Connect to Azure AD with Global Administrator
Connect-AzureAD

# List Subscriptions
Get-AzureADSubscribedSku | Select SkuId, SkuPartNumber

# EMS E3 license Service Plans
$EMSlicense = Get-AzureADSubscribedSku | Where-Object {$_.SkuPartNumber -eq 'EMS'}

# EMS E5 license Service Plans
$EMSpremiumlicense = Get-AzureADSubscribedSku | Where-Object {$_.SkuPartNumber -eq 'EMSPREMIUM'}

# Create a Dynamic Group for EMS E3 Users to be Licensed
New-AzureADMSGroup  -DisplayName "EMS E3 Licensed Users" -Description "Dynamic group for EMS E3 Users" `
    -SecurityEnabled $true -MailEnabled $false -MailNickname "EMSE3Users" -GroupTypes "DynamicMembership" `
    -MembershipRule "(user.extension_<YourTenantSchemaExtensionAppId>_msDS_cloudExtensionAttribute2 -eq ""EMS"")" `
    -MembershipRuleProcessingState "On"

# Create a Dynamic Group for EMS E5 Users to be Licensed
New-AzureADMSGroup  -DisplayName "EMS E5 Licensed Users" -Description "Dynamic group for EMS E5 Users" `
    -SecurityEnabled $true -MailEnabled $false -MailNickname "EMSE5Users" -GroupTypes "DynamicMembership" `
    -MembershipRule "(user.extension_<YourTenantSchemaExtensionAppId>_msDS_cloudExtensionAttribute2 -eq ""EMSPREMIUM"")" `
    -MembershipRuleProcessingState "On"

# Get Group and members
$EMSE3Group = Get-AzureADMSGroup -SearchString "EMS E3 Licensed Users"
# Check if membership has been processed, wait and try again if not yet
Get-AzureADGroupMember -ObjectId $EMSE3Group.Id
$EMSE5Group = Get-AzureADMSGroup -SearchString "EMS E5 Licensed Users"
# Check if membership has been processed, wait and try again if not yet
Get-AzureADGroupMember -ObjectId $EMSE5Group.Id

# Save members to object variable
$membersEMSE3 = Get-AzureADGroupMember -ObjectId $EMSE3Group.Id
$membersEMSE5 = Get-AzureADGroupMember -ObjectId $EMSE5Group.Id

#region EMS License Management for Dynamic Group Membership

# Get SkuId for EMS E5 (EMSPREMIUM) and EMS
$EmsE3SkuId = (Get-AzureADSubscribedSku | Where { $_.SkuPartNumber -eq 'EMS'}).SkuId
$EmsE5SkuId = (Get-AzureADSubscribedSku | Where { $_.SkuPartNumber -eq 'EMSPREMIUM'}).SkuId

# Loop through EMS E3 Members
ForEach ($member in $membersEMSE3) {
    # Get the user
    $User = Get-AzureADUser -ObjectId $member.ObjectId

    # Create a License Object for assigning the EMS E3 SkuId
    $AddLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $AddLicense.SkuId = $EmsE3SkuId
    # Create a License Object for removing the EMS E5 SkuId
    $RemoveLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $RemoveLicense.SkuId = $EmsE5SkuId

    # Create a Licenses Object for Adding and Removing the Licenses
    $Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $Licenses.AddLicenses = $AddLicense
    # Check if the User has license to be removed
    If ($user.AssignedLicenses | Where-Object {$_.SkuId -eq $EmsE5SkuId}) {
        $Licenses.RemoveLicenses = $RemoveLicense.SkuId
    }
    Else { $Licenses.RemoveLicenses = @() }

    # And lastly, update User license with added and removed licenses
    Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses
}

# Loop through EMS E5 Members
ForEach ($member in $membersEMSE5) {
    # Get the user
    $User = Get-AzureADUser -ObjectId $member.ObjectId

    # Create a License Object for assigning the EMS E5 SkuId
    $AddLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $AddLicense.SkuId = $EmsE5SkuId
    # Create a License Object for removing the EMS E3 SkuId
    $RemoveLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $RemoveLicense.SkuId = $EmsE3SkuId

    # Create a Licenses Object for Adding and Removing the Licenses
    $Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $Licenses.AddLicenses = $AddLicense
    # Check if the User has license to be removed
    If ($user.AssignedLicenses | Where-Object {$_.SkuId -eq $EmsE3SkuId}) {
        $Licenses.RemoveLicenses = $RemoveLicense.SkuId
    }
    Else { $Licenses.RemoveLicenses = @() }

    # And lastly, update User license with added and removed licenses
    Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses
}

#endregion
	# PowerShell CmdLets for Assigning EMS Licenses with Azure AD v2 PowerShell Module
	# Read blog post for details: https://gotoguy.blog/2017/02/17/assign-ems-license-with-azure-ad-v2-powershell-and-dynamic-groups/

	# Connect to Azure AD with Global Administrator
	Connect-AzureAD

	# List Subscriptions
	Get-AzureADSubscribedSku \| Select SkuId, SkuPartNumber

	# EMS E3 license Service Plans
	$EMSlicense = Get-AzureADSubscribedSku \| Where-Object {$_.SkuPartNumber -eq 'EMS'}

	# EMS E5 license Service Plans
	$EMSpremiumlicense = Get-AzureADSubscribedSku \| Where-Object {$_.SkuPartNumber -eq 'EMSPREMIUM'}

	# Create a Dynamic Group for EMS E3 Users to be Licensed
	New-AzureADMSGroup -DisplayName "EMS E3 Licensed Users" -Description "Dynamic group for EMS E3 Users" `
	-SecurityEnabled $true -MailEnabled $false -MailNickname "EMSE3Users" -GroupTypes "DynamicMembership" `
	-MembershipRule "(user.extension_<YourTenantSchemaExtensionAppId>_msDS_cloudExtensionAttribute2 -eq ""EMS"")" `
	-MembershipRuleProcessingState "On"

	# Create a Dynamic Group for EMS E5 Users to be Licensed
	New-AzureADMSGroup -DisplayName "EMS E5 Licensed Users" -Description "Dynamic group for EMS E5 Users" `
	-SecurityEnabled $true -MailEnabled $false -MailNickname "EMSE5Users" -GroupTypes "DynamicMembership" `
	-MembershipRule "(user.extension_<YourTenantSchemaExtensionAppId>_msDS_cloudExtensionAttribute2 -eq ""EMSPREMIUM"")" `
	-MembershipRuleProcessingState "On"

	# Get Group and members
	$EMSE3Group = Get-AzureADMSGroup -SearchString "EMS E3 Licensed Users"
	# Check if membership has been processed, wait and try again if not yet
	Get-AzureADGroupMember -ObjectId $EMSE3Group.Id
	$EMSE5Group = Get-AzureADMSGroup -SearchString "EMS E5 Licensed Users"
	# Check if membership has been processed, wait and try again if not yet
	Get-AzureADGroupMember -ObjectId $EMSE5Group.Id

	# Save members to object variable
	$membersEMSE3 = Get-AzureADGroupMember -ObjectId $EMSE3Group.Id
	$membersEMSE5 = Get-AzureADGroupMember -ObjectId $EMSE5Group.Id

	#region EMS License Management for Dynamic Group Membership

	# Get SkuId for EMS E5 (EMSPREMIUM) and EMS
	$EmsE3SkuId = (Get-AzureADSubscribedSku \| Where { $_.SkuPartNumber -eq 'EMS'}).SkuId
	$EmsE5SkuId = (Get-AzureADSubscribedSku \| Where { $_.SkuPartNumber -eq 'EMSPREMIUM'}).SkuId

	# Loop through EMS E3 Members
	ForEach ($member in $membersEMSE3) {
	# Get the user
	$User = Get-AzureADUser -ObjectId $member.ObjectId

	# Create a License Object for assigning the EMS E3 SkuId
	$AddLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
	$AddLicense.SkuId = $EmsE3SkuId
	# Create a License Object for removing the EMS E5 SkuId
	$RemoveLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
	$RemoveLicense.SkuId = $EmsE5SkuId

	# Create a Licenses Object for Adding and Removing the Licenses
	$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
	$Licenses.AddLicenses = $AddLicense
	# Check if the User has license to be removed
	If ($user.AssignedLicenses \| Where-Object {$_.SkuId -eq $EmsE5SkuId}) {
	$Licenses.RemoveLicenses = $RemoveLicense.SkuId
	}
	Else { $Licenses.RemoveLicenses = @() }

	# And lastly, update User license with added and removed licenses
	Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses
	}

	# Loop through EMS E5 Members
	ForEach ($member in $membersEMSE5) {
	# Get the user
	$User = Get-AzureADUser -ObjectId $member.ObjectId

	# Create a License Object for assigning the EMS E5 SkuId
	$AddLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
	$AddLicense.SkuId = $EmsE5SkuId
	# Create a License Object for removing the EMS E3 SkuId
	$RemoveLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
	$RemoveLicense.SkuId = $EmsE3SkuId

	# Create a Licenses Object for Adding and Removing the Licenses
	$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
	$Licenses.AddLicenses = $AddLicense
	# Check if the User has license to be removed
	If ($user.AssignedLicenses \| Where-Object {$_.SkuId -eq $EmsE3SkuId}) {
	$Licenses.RemoveLicenses = $RemoveLicense.SkuId
	}
	Else { $Licenses.RemoveLicenses = @() }

	# And lastly, update User license with added and removed licenses
	Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses
	}

	#endregion