@darrenjrobinson
Last active December 1, 2018 22:10
Microsoft Office 365 Add / Remove Licenses using PowerShell and Graph API. Associated blog post can be found here https://blog.darrenjrobinson.com/adding-removing-user-office365-licences-using-powershell-and-the-azure-ad-graph-restapi/
<#
Prerequisite: the Active Directory Authentication Library,
Microsoft.IdentityModel.Clients.ActiveDirectory.dll, must be loaded before
any of the authentication types used by this script can be created.
One way to obtain it (requires Windows Mgmt Framework 5
https://www.microsoft.com/en-us/download/details.aspx?id=50395 ):
    Install-Module -Name AzureADPreview -RequiredVersion 1.1.143.0
#>
# Default location where the Azure AD Preview PS module puts the library.
$adalLibraryPath = 'C:\Program Files\WindowsPowerShell\Modules\AzureADPreview\1.1.143.0\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
# Alternative locations of the same library; uncomment the one that applies.
#   TFS path
#$adalLibraryPath = 'C:\Program Files\Common Files\microsoft shared\Team Foundation Server\14.0\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
#   Azure RM cmdlets
#$adalLibraryPath = 'C:\Program Files\WindowsPowerShell\Modules\AzureRM.ApiManagement\1.1.2\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
Add-Type -Path $adalLibraryPath
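# Tenant to authenticate against: the tenant id of your Azure AD, or the tenant name as used here.
$tenantID = "my.o365tenant.com"
$authString = "https://login.microsoftonline.com/$tenantID"
# Sign-in account. It must be an admin user with MFA disabled and must not be a live id,
# because the username/password token request below cannot answer an MFA prompt.
# NOTE(review): an MFA-exempt admin is a high-value account. Use a dedicated account that
# holds only the role needed to manage licenses, and monitor its sign-ins.
$username = "admin@my.o365tenant.com"
# Prompt for the password instead of storing it in the script: a literal password ends up
# in source control, gists, backups and transcripts. For unattended runs, read it from a
# secret store rather than hard-coding it here.
$password = Read-Host -Prompt "Password for $username" -AsSecureString
# The resource URI the token is issued for (Azure AD Graph).
# NOTE(review): Azure AD Graph and ADAL are deprecated by Microsoft in favour of
# Microsoft Graph and MSAL; treat this script as legacy when planning new automation.
$resource = "https://graph.windows.net/"
# This is the common client id.
$client_id = "1950a258-227b-4e31-a9cf-717495945fc2"
# Build the user credential from the username and the SecureString password.
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" `
    -ArgumentList $username, $password
# Create an authentication context bound to the tenant's login endpoint.
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" `
    -ArgumentList $authString
# Acquire the access token from the server.
$authenticationResult = $authContext.AcquireToken($resource, $client_id, $creds)
# Build request headers from the access token. The token is a bearer secret:
# do not write $authHeader or $headers to logs or transcripts.
$authHeader = $authenticationResult.AccessTokenType + " " + $authenticationResult.AccessToken
$headers = @{"Authorization" = $authHeader; "Content-Type" = "application/json"}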
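# Licenses: fetch every SKU the tenant is subscribed to.
$Licenses = Invoke-RestMethod -Method Get -Headers @{
    Authorization  = $authenticationResult.CreateAuthorizationHeader()
    'Content-Type' = "application/json"
} -Uri ("https://graph.windows.net/{0}/subscribedSkus?api-version=1.6" -f $authenticationResult.TenantId)
# Print the part numbers of all licenses available in the tenant.
$Licenses.value.skuPartNumber
# Get the skuId for the skuPartNumber of ExchangeStandard_Student.
# The filter must test each SKU object ($_). Comparing the whole skuPartNumber list inside
# Where-Object is true for every item as soon as one SKU matches, which would return the
# skuId of every subscribed SKU instead of just this one.
$LicenceToAdd = ($Licenses.value | Where-Object { $_.skuPartNumber -eq 'EXCHANGESTANDARD_STUDENT' }).skuId
# $LicenceToRemove = ($Licenses.value | Where-Object { $_.skuPartNumber -eq 'EXCHANGESTANDARD_STUDENT' }).skuId
# Stop here if the tenant does not have the SKU; continuing would send requests with an empty skuId.
if (-not $LicenceToAdd) {
    throw "SKU 'EXCHANGESTANDARD_STUDENT' was not found among the tenant's subscribed SKUs."
}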
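<#
Get Active Users
#>
# NOTE(review): only the users returned by this single request are processed. A tenant with
# more users than one response page holds would need the paging link in the response to be
# followed as well - confirm against the tenant size before relying on the result.
$Search = Invoke-RestMethod -Method Get -Headers @{
    Authorization  = $authenticationResult.CreateAuthorizationHeader()
    'Content-Type' = "application/json"
} -Uri ('https://graph.windows.net/{0}/users?$filter=accountEnabled eq true &api-version=1.6' -f $authenticationResult.TenantId)
# Split the enabled users into those who already hold the target license and those who do not.
$unlicencedUsers = @()
$licensedUsers = @()
foreach ($user in $search.value) {
    # Reset the flag for every user. If it were set once before the loop, the first licensed
    # user would leave it $true and later users with other licenses would be misclassified.
    $userlicensed = $false
    # Check the target license against this user's assigned licenses.
    foreach ($license in $user.assignedLicenses) {
        if ($license.skuId -eq $LicenceToAdd) {
            $userlicensed = $true
            $licensedUsers += $user.userPrincipalName
        }
    }
    # A user with no assigned licenses never enters the inner loop, so the flag stays $false.
    if (-not $userlicensed) {
        # Exclude the AADConnect account.
        if (!$user.userPrincipalName.StartsWith("Sync_")) {
            $unlicencedUsers += $user.userPrincipalName
        }
    }
}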
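# Choose ONE operation per run:
#   'Add'    assigns the license to the users in $unlicencedUsers
#   'Remove' removes the license from the users in $licensedUsers
# Defining both request bodies one after the other lets the second overwrite the first, so a
# top-to-bottom run would send the removal body from both loops. Selecting the action
# explicitly keeps the request body and the target list paired.
$licenseAction = 'Add'
switch ($licenseAction) {
    'Add' {
        # License body for the REST API: add the SKU, remove nothing.
        $body = @{
            addLicenses    = @(@{"skuId" = $LicenceToAdd})
            removeLicenses = @()
        }
        $targetUsers = $unlicencedUsers
    }
    'Remove' {
        # License body for the REST API: remove the SKU, add nothing.
        $body = @{
            addLicenses    = @()
            removeLicenses = @($LicenceToAdd)
        }
        $targetUsers = $licensedUsers
    }
    default {
        throw "Unknown license action '$licenseAction'; expected 'Add' or 'Remove'."
    }
}
# Convert it to JSON
$postbody = $body | ConvertTo-Json
# Apply the selected operation to each target user.
foreach ($usertolicense in $targetUsers) {
    # Escape the UPN before placing it in the URL path; characters such as '#' would
    # otherwise cut the path short and address a different resource.
    $userSegment = [uri]::EscapeDataString($usertolicense)
    try {
        $AssignLicense = Invoke-RestMethod -Method Post -Headers @{
            Authorization  = $authenticationResult.CreateAuthorizationHeader()
            'Content-Type' = "application/json"
        } -Body $postbody -Uri "https://graph.windows.net/myorganization/users/$userSegment/assignLicense?api-version=1.6"
    }
    catch {
        # Report the failure and carry on with the next user, so the operator can see which
        # accounts were not changed.
        Write-Warning "License action '$licenseAction' failed for ${usertolicense}: $($_.Exception.Message)"
    }
}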