Microsoft Office 365 Add / Remove Licenses using PowerShell and Graph API. Associated blog post can be found here https://blog.darrenjrobinson.com/adding-removing-user-office365-licences-using-powershell-and-the-azure-ad-graph-restapi/
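<#
Get the AD AuthN Lib (requires Windows Management Framework 5 https://www.microsoft.com/en-us/download/details.aspx?id=50395 )
    Install-Module -Name AzureADPreview -RequiredVersion 1.1.143.0
Load the Active Directory Authentication Library
    Microsoft.IdentityModel.Clients.ActiveDirectory.dll

This section loads ADAL, signs in with a username and password, and builds
the Authorization header used for the Azure AD Graph calls.
#>

# Default path where the AzureADPreview PowerShell module puts the library.
Add-Type -Path 'C:\Program Files\WindowsPowerShell\Modules\AzureADPreview\1.1.143.0\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
# TFS path
#Add-Type -Path 'C:\Program Files\Common Files\microsoft shared\Team Foundation Server\14.0\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
# Azure RM cmdlets
#Add-Type -Path 'C:\Program Files\WindowsPowerShell\Modules\AzureRM.ApiManagement\1.1.2\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

# Tenant ID of your Azure AD. The tenant name can be used instead.
$tenantID = "my.o365tenant.com"
$authString = "https://login.microsoftonline.com/$tenantID"

# The account must be at least a user admin with MFA disabled, and must not be a Live ID.
# Because this flow cannot satisfy MFA, the account is protected by its password
# alone: keep it dedicated to this task, give it only the role needed to assign
# licenses, and monitor its sign-ins.
$username = "admin@my.o365tenant.com"

# Prompt for the password instead of storing it in the script. A literal password
# here ends up in source control, backups and shared copies of the file.
$password = Read-Host -Prompt "Password for $username" -AsSecureString

# The resource URI the token is requested for.
$resource = "https://graph.windows.net/"

# This is the common client id.
$client_id = "1950a258-227b-4e31-a9cf-717495945fc2"

# Build the user credential from the username and the SecureString password.
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" `
    -ArgumentList $username, $password

# Create an authentication context for the tenant's login endpoint.
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" `
    -ArgumentList $authString

# Acquire an access token from the server.
$authenticationResult = $authContext.AcquireToken($resource, $client_id, $creds)

# Use the access token to set up headers for the HTTP requests.
# The token is a bearer credential: do not write $authHeader or $headers to logs or transcripts.
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization" = $authHeader; "Content-Type" = "application/json"}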
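# Licenses: fetch the SKUs the tenant is subscribed to.
$Licenses = Invoke-RestMethod -Method Get -Headers @{
    Authorization  = $authenticationResult.CreateAuthorizationHeader()
    'Content-Type' = "application/json"
} -Uri ("https://graph.windows.net/{0}/subscribedSkus?api-version=1.6" -f $authenticationResult.TenantId)

# All licenses available (written to the output for reference).
$Licenses.value.skuPartNumber

# Get the skuId for the skuPartNumber EXCHANGESTANDARD_STUDENT.
# The filter has to test each SKU object ($_). Comparing the whole
# $Licenses.value.skuPartNumber array is true for every item as soon as the
# SKU exists anywhere, which would return every skuId in the tenant.
$LicenceToAdd = ($Licenses.value | Where-Object { $_.skuPartNumber -eq 'EXCHANGESTANDARD_STUDENT' }).skuId
# $LicenceToRemove = ($Licenses.value | Where-Object { $_.skuPartNumber -eq 'EXCHANGESTANDARD_STUDENT' }).skuId

# Stop here rather than send license changes with an empty SKU.
if (-not $LicenceToAdd) {
    throw "SKU 'EXCHANGESTANDARD_STUDENT' was not found among the tenant's subscribed SKUs."
}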
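<#
Get Active Users
#>
# NOTE(review): only the response returned by this single request is processed.
# If the API pages its results, users beyond the first page are never examined - confirm.
$Search = Invoke-RestMethod -Method Get -Headers @{
    Authorization  = $authenticationResult.CreateAuthorizationHeader()
    'Content-Type' = "application/json"
} -Uri ('https://graph.windows.net/{0}/users?$filter=accountEnabled eq true &api-version=1.6' -f $authenticationResult.TenantId)

# Split the enabled users into those that already hold the target license
# and those that do not.
$unlicencedUsers = @()
$licensedUsers = @()

foreach ($user in $Search.value) {
    # Reset per user. A flag set once before the loop stays $true after the
    # first licensed user, so every later user would be treated as licensed.
    $userlicensed = $false

    # Check the target SKU against each license assigned to the user.
    foreach ($license in $user.assignedLicenses) {
        if ($license.skuId -eq $LicenceToAdd) {
            $userlicensed = $true
            $licensedUsers += $user.userPrincipalName
        }
    }

    # A user with no assigned licenses never enters the inner loop, so the
    # flag is still $false here and the user counts as unlicensed.
    if (-not $userlicensed) {
        # Exclude the AADConnect account.
        if (-not $user.userPrincipalName.StartsWith("Sync_")) {
            $unlicencedUsers += $user.userPrincipalName
        }
    }
}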
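# Choose ONE operation per run: 'Add' licenses the unlicensed users, 'Remove'
# takes the license away from the users that currently hold it.
# Building the ADD body and then overwriting it with the REMOVE body made both
# loops post a removal request, so the operation is now selected explicitly.
$licenseAction = 'Add'

if ($licenseAction -eq 'Add') {
    # ADD
    # License body for the REST API
    $body = @{
        addLicenses    = @(@{"skuId" = $LicenceToAdd})
        removeLicenses = @()
    }
    $targetUsers = $unlicencedUsers
}
elseif ($licenseAction -eq 'Remove') {
    # REMOVE
    # License body for the REST API
    $body = @{
        addLicenses    = @()
        removeLicenses = @($LicenceToAdd)
    }
    $targetUsers = $licensedUsers
}
else {
    throw "Unknown license action '$licenseAction'. Use 'Add' or 'Remove'."
}

# Convert it to JSON
$postbody = $body | ConvertTo-Json

# Apply the selected change to each target user.
foreach ($usertolicense in $targetUsers) {
    # Escape the UPN before placing it in the URL path. Characters such as '#'
    # would otherwise cut the path short and the request would hit another resource.
    $encodedUser = [uri]::EscapeDataString($usertolicense)

    $AssignLicense = Invoke-RestMethod -Method Post -Headers @{
        Authorization  = $authenticationResult.CreateAuthorizationHeader()
        'Content-Type' = "application/json"
    } -Body $postbody -Uri "https://graph.windows.net/myorganization/users/$encodedUser/assignLicense?api-version=1.6"
}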