Last active March 10, 2019 22:15
```powershell
Import-Module AzureAD
Connect-AzureAD

# Need to know the License Sku and Service Plan
# It is possible to get this from the module itself
Get-AzureADSubscribedSku | select SkuId, SkuPartNumber, ServicePlans
# May be easier to get online: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

# Let's say you want to turn off SharePoint Online (Plan 2) (AKA SHAREPOINTENTERPRISE), from Office 365 Enterprise E3 (AKA ENTERPRISEPACK)
# The Id for SharePoint is 5dbe027f-2339-4123-9542-606e4d348a72 and for Office 365 E3 is 6fd2c87f-b296-42f0-b197-1e91e994b900
$Sku = '6fd2c87f-b296-42f0-b197-1e91e994b900' # O365 E3
$Plan = '5dbe027f-2339-4123-9542-606e4d348a72' # SharePoint

$User = Get-AzureADUser -SearchString 'Joshua King' # Using myself as a test, you may want to get a group of users and loop?

# Create assigned licenses object
$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

# Load with my current licenses
$Licenses.AddLicenses = $User.AssignedLicenses

# Get the license which matches our Sku, and disable the selected plan
($Licenses.AddLicenses | where SkuId -eq $Sku).DisabledPlans = $Plan

# Try to assign this, but get told other licenses depend on it
Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses
# Message: License assignment failed because service plan e95bec33-7c88-4a70-8e19-b10bd9d0c014 depends on the service plan(s) 5dbe027f-2339-4123-9542-606e4d348a72

# This additional plan is Office Online (SHAREPOINTWAC), so if you want to disable SharePoint, have to disable that too...
$Sku = '6fd2c87f-b296-42f0-b197-1e91e994b900'
$Plan = '5dbe027f-2339-4123-9542-606e4d348a72', 'e95bec33-7c88-4a70-8e19-b10bd9d0c014'

$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$Licenses.AddLicenses = $User.AssignedLicenses
($Licenses.AddLicenses | where SkuId -eq $Sku).DisabledPlans = $Plan

Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses

# Give it a couple of minutes, and this will be represented in the Azure Admin Portal
```
```powershell
Import-Module AzureAD
Connect-AzureAD

# Need to know the License Sku and Service Plan
# It is possible to get this from the module itself
$Plans = Get-AzureADSubscribedSku | select SkuId, SkuPartNumber, ServicePlans
$Plans | where SkuPartNumber -eq 'EMS' | select -ExpandProperty ServicePlans
# May be easier to get online: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference

$Sku = 'efccb6f7-5641-4e0e-bd10-b4976e1bf68e' # EMS
$Plan = 'c1ec4a95-1f05-45b3-a911-aa3fa01094f5' # INTUNE_A

# Every user that currently holds the EMS Sku
$Users = Get-AzureADUser -All:$true | where { $_.AssignedLicenses.SkuId -contains $Sku }

foreach ($User in $Users) {
    # Create assigned licenses object
    $Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

    # Load with the user's current licenses
    $Licenses.AddLicenses = $User.AssignedLicenses

    # Remove Intune from the "disabled plans" list... has the effect of enabling it.
    $null = ($Licenses.AddLicenses | where SkuId -eq $Sku).DisabledPlans.Remove($Plan)

    # Assign the new license pack ($User is already a single user inside the loop)
    Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Licenses
}
```
@veronicageek Double check the `$Licenses` variable before setting them, you'd expect to see everything disabled that you don't want enabled.

I imagine when you look at `$User.AssignedLicenses` you should already see a lot of DisabledPlans and you're looking to add just one more?

That `AssignedLicenses` object basically tells Office 365 "These are the license SKUs I need this user to have, enable all of the features under them unless they're listed under disabledplans"

It should just be a single operation, i.e. no need to assign, then remove.
@Windos - Thank you, I'm getting closer... This is my full scenario:
But when I run your script, it removes Teams, but assigns all the rest... And I don't get the logic as to what needs to happen --> Do you need to re-assign all (again) + remove (again) what you don't want anymore? Maybe I spent too much time on it... I'm confused 😅
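
The first script in the gist assigns `.DisabledPlans = $Plan`, which replaces the list for that SKU, so a plan that was already disabled is no longer listed and is enabled again under the "everything is on unless listed" rule described in the comment above. The following is an added example, not the gist author's code: it merges the new plans into the existing disabled list and reports what a plain overwrite would have re-enabled. The function name `Get-MergedDisabledPlan`, the `$AlreadyOff` plan id and the `$Current` object are constructed for illustration, and it runs on plain objects without a tenant connection.

```powershell
function Get-MergedDisabledPlan {
    param(
        [Parameter(Mandatory)] [object[]] $AssignedLicenses,  # e.g. $User.AssignedLicenses
        [Parameter(Mandatory)] [string]   $SkuId,
        [Parameter(Mandatory)] [string[]] $PlansToDisable
    )
    $Wanted = @($PlansToDisable | ForEach-Object { $_.ToLower() })
    foreach ($License in $AssignedLicenses) {
        # Plans already switched off under this SKU (the list may be empty or $null)
        $Existing = @($License.DisabledPlans | Where-Object { $_ } | ForEach-Object { "$_".ToLower() })
        $Merged   = $Existing
        $Lost     = @()
        if ($License.SkuId -eq $SkuId) {
            # Desired state = what is already off + what we now want off
            $Merged = @($Existing + $Wanted | Select-Object -Unique)
            # What ".DisabledPlans = $Plan" would have silently turned back on
            $Lost   = @($Existing | Where-Object { $_ -notin $Wanted })
        }
        [pscustomobject]@{
            SkuId                  = $License.SkuId
            DisabledPlans          = $Merged
            ReEnabledIfOverwritten = $Lost
        }
    }
}

$E3         = '6fd2c87f-b296-42f0-b197-1e91e994b900'  # O365 E3 (id from the gist)
$SharePoint = '5dbe027f-2339-4123-9542-606e4d348a72'  # SharePoint (id from the gist)
$OfficeWeb  = 'e95bec33-7c88-4a70-8e19-b10bd9d0c014'  # Office Online (id from the gist)
$AlreadyOff = '00000000-0000-0000-0000-000000000001'  # constructed placeholder plan id

# Constructed stand-in for $User.AssignedLicenses: one SKU, one plan already disabled
$Current = @([pscustomobject]@{ SkuId = $E3; DisabledPlans = @($AlreadyOff) })

$Desired = Get-MergedDisabledPlan -AssignedLicenses $Current -SkuId $E3 -PlansToDisable $SharePoint, $OfficeWeb
$Desired | Format-List
```

Against a tenant, pass `$User.AssignedLicenses` as `-AssignedLicenses` and assign the returned `DisabledPlans` for the SKU at the point where the gist assigns `$Plan`; a non-empty `ReEnabledIfOverwritten` is worth reviewing before any bulk change.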