# PowerShell cmdlets for assigning EMS licenses with the Azure AD v2 PowerShell module
# Read the blog post for details: https://gotoguy.blog/2017/02/17/assign-ems-license-with-azure-ad-v2-powershell-and-dynamic-groups/
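# Sign in to Azure AD. The original note asks for a Global Administrator, but the
# steps below only read SKUs, create groups and assign user licenses. Prefer the
# least-privileged directory role that covers those tasks (for example
# User Administrator - confirm against current role documentation).
Connect-AzureAD

# Query the tenant's subscribed SKUs once and reuse the result for the lookups below.
$SubscribedSkus = Get-AzureADSubscribedSku

# List subscriptions
$SubscribedSkus | Select-Object -Property SkuId, SkuPartNumber

# EMS E3 license (SkuPartNumber 'EMS'), including its service plans
$EMSlicense = $SubscribedSkus | Where-Object { $_.SkuPartNumber -eq 'EMS' }

# EMS E5 license (SkuPartNumber 'EMSPREMIUM'), including its service plans
$EMSpremiumlicense = $SubscribedSkus | Where-Object { $_.SkuPartNumber -eq 'EMSPREMIUM' }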
# Both groups are security-enabled, not mail-enabled, and use dynamic membership.
# Replace <YourTenantSchemaExtensionAppId> with the tenant's schema extension app id
# before running. Membership is decided by the value of
# msDS_cloudExtensionAttribute2, and the script later licenses every member, so
# whoever can write that attribute effectively decides who receives a license.
# Running this section twice creates a second group with the same display name.

# Dynamic group for users who should hold EMS E3
$EmsE3GroupParams = @{
    DisplayName                   = "EMS E3 Licensed Users"
    Description                   = "Dynamic group for EMS E3 Users"
    SecurityEnabled               = $true
    MailEnabled                   = $false
    MailNickname                  = "EMSE3Users"
    GroupTypes                    = "DynamicMembership"
    MembershipRule                = "(user.extension_<YourTenantSchemaExtensionAppId>_msDS_cloudExtensionAttribute2 -eq ""EMS"")"
    MembershipRuleProcessingState = "On"
}
New-AzureADMSGroup @EmsE3GroupParams

# Dynamic group for users who should hold EMS E5
$EmsE5GroupParams = @{
    DisplayName                   = "EMS E5 Licensed Users"
    Description                   = "Dynamic group for EMS E5 Users"
    SecurityEnabled               = $true
    MailEnabled                   = $false
    MailNickname                  = "EMSE5Users"
    GroupTypes                    = "DynamicMembership"
    MembershipRule                = "(user.extension_<YourTenantSchemaExtensionAppId>_msDS_cloudExtensionAttribute2 -eq ""EMSPREMIUM"")"
    MembershipRuleProcessingState = "On"
}
New-AzureADMSGroup @EmsE5GroupParams
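# Resolve each licensing group by its exact display name and read all of its members.
function Get-GroupByExactName {
    <#
    .SYNOPSIS
    Returns the single Azure AD group whose DisplayName equals $Name.
    .DESCRIPTION
    -SearchString is a search, not an exact match, and display names are not
    unique, so the result is filtered on DisplayName and rejected unless exactly
    one group remains. Licensing the members of an unintended group would grant
    entitlements to the wrong users.
    #>
    param([string] $Name)

    $found = @(Get-AzureADMSGroup -SearchString $Name | Where-Object { $_.DisplayName -eq $Name })
    if ($found.Count -ne 1) {
        throw "Expected exactly one group named '$Name' but found $($found.Count)."
    }
    $found[0]
}

# Get the groups
$EMSE3Group = Get-GroupByExactName -Name "EMS E3 Licensed Users"
$EMSE5Group = Get-GroupByExactName -Name "EMS E5 Licensed Users"

# Save members to object variables. -All $true pages through the full membership;
# without it only the first page of members is returned and the rest would be
# silently left unlicensed.
$membersEMSE3 = Get-AzureADGroupMember -ObjectId $EMSE3Group.Id -All $true
$membersEMSE5 = Get-AzureADGroupMember -ObjectId $EMSE5Group.Id -All $true

# Show the members so the operator can check that the dynamic membership rule has
# been processed. If the lists are empty or incomplete, wait and run this section again.
$membersEMSE3
$membersEMSE5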
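#region EMS License Management for Dynamic Group Membership

function Set-EmsLicenseForMembers {
    <#
    .SYNOPSIS
    Assigns one license SKU to every member and removes the other SKU where present.
    .PARAMETER Members
    Directory objects (with an ObjectId property) returned by Get-AzureADGroupMember.
    .PARAMETER AddSkuId
    SkuId of the license to assign. Nothing is changed when this is empty.
    .PARAMETER RemoveSkuId
    SkuId of the license to remove from users that currently hold it. May be empty.
    .NOTES
    Only current group members are processed. Users who have left a group keep
    whatever license they were given earlier; removing those is not handled here.
    #>
    param(
        [object[]] $Members,
        [string] $AddSkuId,
        [string] $RemoveSkuId
    )

    # An empty SkuId means the tenant does not have that subscription.
    if (-not $AddSkuId) {
        Write-Warning "No SkuId to assign was found in this tenant; no licenses were changed."
        return
    }

    foreach ($member in $Members) {
        try {
            # Get the user; -ErrorAction Stop prevents continuing with a stale $User
            $User = Get-AzureADUser -ObjectId $member.ObjectId -ErrorAction Stop

            # A license cannot be assigned to a user without a usage location
            if (-not $User.UsageLocation) {
                Write-Warning "Skipping $($User.UserPrincipalName): UsageLocation is not set."
                continue
            }

            # License object for the SKU to assign
            $AddLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
            $AddLicense.SkuId = $AddSkuId

            # Container for the licenses to add and the SkuIds to remove
            $Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
            $Licenses.AddLicenses = $AddLicense

            # Remove the other SKU only if the user actually holds it
            if ($RemoveSkuId -and ($User.AssignedLicenses | Where-Object { $_.SkuId -eq $RemoveSkuId })) {
                $Licenses.RemoveLicenses = $RemoveSkuId
            }
            else { $Licenses.RemoveLicenses = @() }

            # And lastly, update the user with the added and removed licenses
            Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses -ErrorAction Stop
        }
        catch {
            # Report the failing object and carry on with the remaining members
            Write-Warning ("License update failed for {0}: {1}" -f $member.ObjectId, $_.Exception.Message)
        }
    }
}

# Get SkuId for EMS E5 (EMSPREMIUM) and EMS from a single SKU query
$SubscribedSkus = Get-AzureADSubscribedSku
$EmsE3SkuId = ($SubscribedSkus | Where-Object { $_.SkuPartNumber -eq 'EMS' }).SkuId
$EmsE5SkuId = ($SubscribedSkus | Where-Object { $_.SkuPartNumber -eq 'EMSPREMIUM' }).SkuId

# EMS E3 members: assign E3, remove E5 if held
Set-EmsLicenseForMembers -Members $membersEMSE3 -AddSkuId $EmsE3SkuId -RemoveSkuId $EmsE5SkuId

# EMS E5 members: assign E5, remove E3 if held
Set-EmsLicenseForMembers -Members $membersEMSE5 -AddSkuId $EmsE5SkuId -RemoveSkuId $EmsE3SkuId

#endregion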