Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
O365_Licence_Management.ps1
$ErrorActionPreference = "Stop"
$Error.Clear()
#####################################################
# Function to generate mail content for licencing errors
Function MailBody
{
$Exception=$error[0].Exception.Message
$Command=$error[0].InvocationInfo.Line.Trim()
$StrBody="Error: $Exception `r`rUser: $UserPrincipalName `r`rCommand: $Command `r`r##########################################################################################`r`r"
$Error.Clear()
Return $strBody
}
#####################################################
$sig = @"
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct NativeCredential
{
public UInt32 Flags;
public CRED_TYPE Type;
public IntPtr TargetName;
public IntPtr Comment;
public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
public UInt32 CredentialBlobSize;
public IntPtr CredentialBlob;
public UInt32 Persist;
public UInt32 AttributeCount;
public IntPtr Attributes;
public IntPtr TargetAlias;
public IntPtr UserName;
internal static NativeCredential GetNativeCredential(Credential cred)
{
NativeCredential ncred = new NativeCredential();
ncred.AttributeCount = 0;
ncred.Attributes = IntPtr.Zero;
ncred.Comment = IntPtr.Zero;
ncred.TargetAlias = IntPtr.Zero;
ncred.Type = CRED_TYPE.GENERIC;
ncred.Persist = (UInt32)1;
ncred.CredentialBlobSize = (UInt32)cred.CredentialBlobSize;
ncred.TargetName = Marshal.StringToCoTaskMemUni(cred.TargetName);
ncred.CredentialBlob = Marshal.StringToCoTaskMemUni(cred.CredentialBlob);
ncred.UserName = Marshal.StringToCoTaskMemUni(System.Environment.UserName);
return ncred;
}
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct Credential
{
public UInt32 Flags;
public CRED_TYPE Type;
public string TargetName;
public string Comment;
public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
public UInt32 CredentialBlobSize;
public string CredentialBlob;
public UInt32 Persist;
public UInt32 AttributeCount;
public IntPtr Attributes;
public string TargetAlias;
public string UserName;
}
public enum CRED_TYPE : uint
{
GENERIC = 1,
DOMAIN_PASSWORD = 2,
DOMAIN_CERTIFICATE = 3,
DOMAIN_VISIBLE_PASSWORD = 4,
GENERIC_CERTIFICATE = 5,
DOMAIN_EXTENDED = 6,
MAXIMUM = 7, // Maximum supported cred type
MAXIMUM_EX = (MAXIMUM + 1000), // Allow new applications to run on old OSes
}
public class CriticalCredentialHandle : Microsoft.Win32.SafeHandles.CriticalHandleZeroOrMinusOneIsInvalid
{
public CriticalCredentialHandle(IntPtr preexistingHandle)
{
SetHandle(preexistingHandle);
}
public Credential GetCredential()
{
if (!IsInvalid)
{
NativeCredential ncred = (NativeCredential)Marshal.PtrToStructure(handle,
typeof(NativeCredential));
Credential cred = new Credential();
cred.CredentialBlobSize = ncred.CredentialBlobSize;
cred.CredentialBlob = Marshal.PtrToStringUni(ncred.CredentialBlob,
(int)ncred.CredentialBlobSize / 2);
cred.UserName = Marshal.PtrToStringUni(ncred.UserName);
cred.TargetName = Marshal.PtrToStringUni(ncred.TargetName`);
cred.TargetAlias = Marshal.PtrToStringUni(ncred.TargetAlias);
cred.Type = ncred.Type;
cred.Flags = ncred.Flags;
cred.Persist = ncred.Persist;
return cred;
}
else
{
throw new InvalidOperationException("Invalid CriticalHandle!");
}
}
override protected bool ReleaseHandle()
{
if (!IsInvalid)
{
CredFree(handle);
SetHandleAsInvalid();
return true;
}
return false;
}
}
[DllImport("Advapi32.dll", EntryPoint = "CredReadW", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CredRead(string target, CRED_TYPE type, int reservedFlag, out IntPtr CredentialPtr);
[DllImport("Advapi32.dll", EntryPoint = "CredFree", SetLastError = true)]
public static extern bool CredFree([In] IntPtr cred);
"@
Add-Type -MemberDefinition $sig -Namespace "ADVAPI32" -Name 'Util'
$targetName = "LicenceManagment"
$nCredPtr= New-Object IntPtr
$success = [ADVAPI32.Util]::CredRead($targetName,1,0,[ref] $nCredPtr)
if($success){
$critCred = New-Object ADVAPI32.Util+CriticalCredentialHandle $nCredPtr
$cred = $critCred.GetCredential()
$UserName = $cred.UserName;
$Password = $cred.CredentialBlob;
$Password = ConvertTo-SecureString -String $Password -AsPlainText -Force
$objCreds = New-Object Management.Automation.PSCredential $UserName, $Password
}
############ Import modules and login to MSOL ############
If(@(Get-Module | ? { $_.Name -eq "MSOnline"}).Count -eq 0)
{
Import-Module MSOnline;
}
If(@(Get-Module | ? { $_.Name -eq "ActiveDirectory"}).Count -eq 0)
{
Import-Module ActiveDirectory;
}
Try
{
Connect-MsolService -Credential $objCreds
}
Catch [System.Exception]
{
Send-MailMessage -From admin@blah.com -To someadmin@blah.com -cc someotheradmin@blah.com -Subject "ERROR - License management Login Failed!" -Body $_.Exception.Message -SmtpServer smtp.blah.com
Write-Host $_.Exception.Message
Exit
}
############ Setup Variables ############
$dateFormat = "HH:mm:ss dd/MM/yyyy"
############ Setup logging file ############
$Logfile="C:\Office365-Scripts\Licencing\LicenceManagement.txt"
############ AD Groups containing whose users who should have individual Licenses ############
$MEMBERS_CRMSTANDARD=Get-ADGroupMember -Identity CRMSTANDARD_Users
$MEMBERS_INTUNE_A=Get-ADGroupMember -Identity INTUNE_A_Users
$MEMBERS_OFFICESUBSCRIPTION_FACULTY=Get-ADGroupMember -Identity OFFICESUBSCRIPTION_FACULTY_Users
$MEMBERS_OFFICESUBSCRIPTION_STUDENT=Get-ADGroupMember -Identity OFFICESUBSCRIPTION_STUDENT_Users
$MEMBERS_POWER_BI_STANDARD=Get-ADGroupMember -Identity POWER_BI_STANDARD_Users
$MEMBERS_PROJECTONLINE_PLAN_1_FACULTY=Get-ADGroupMember -Identity PROJECTONLINE_PLAN_1_FACULTY_Users
$MEMBERS_PROJECTONLINE_PLAN_1_STUDENT=Get-ADGroupMember -Identity PROJECTONLINE_PLAN_1_STUDENT_Users
######################## Standard Licencing ######################
$POWER_BI_STANDARD = "<YourTenancyName>:POWER_BI_STANDARD"
$CRMSTANDARD = "<YourTenancyName>:CRMSTANDARD"
$INTUNE_A = "<YourTenancyName>:INTUNE_A"
######################## Faculty Licensing #######################
$STANDARDWOFFPACK_FACULTY = "<YourTenancyName>:STANDARDWOFFPACK_FACULTY"
$OFFICESUBSCRIPTION_FACULTY = "<YourTenancyName>:OFFICESUBSCRIPTION_FACULTY"
$STANDARDWOFFPACK_IW_FACULTY = "<YourTenancyName>:STANDARDWOFFPACK_IW_FACULTY"
$PROJECTONLINE_PLAN_1_FACULTY ="<YourTenancyName>:PROJECTONLINE_PLAN_1_FACULTY"
######################## Student Licensing #######################
$STANDARDWOFFPACK_STUDENT = "<YourTenancyName>:STANDARDWOFFPACK_STUDENT"
$STANDARDWOFFPACK_IW_STUDENT = "<YourTenancyName>:STANDARDWOFFPACK_IW_STUDENT"
$PROJECTONLINE_PLAN_1_STUDENT = "<YourTenancyName>:PROJECTONLINE_PLAN_1_STUDENT"
$OFFICESUBSCRIPTION_STUDENT = "<YourTenancyName>:OFFICESUBSCRIPTION_STUDENT"
######################## Generic settings ########################
$DisabledPlans = "EXCHANGE_S_STANDARD"
$UsageLocation = "GB"
############ Define the two types of Licence option - Faculty and Student ############
$FacultyLicenseOptions = New-MsolLicenseOptions -AccountSkuId $STANDARDWOFFPACK_FACULTY -DisabledPlans $DisabledPlans
$StudentLicenseOptions = New-MsolLicenseOptions -AccountSkuId $STANDARDWOFFPACK_STUDENT -DisabledPlans $DisabledPlans
#
############ Get users and apply Licenses ############
#
############ Do the licenced users first ############
ForEach($User in (Get-MsolUser -all | where {$_.isLicensed -eq "True"}))
#ForEach($User in (Get-MsolUser -all | where {$_.UserPrincipalName -eq "someotheradmin@blah.com"}))
{
If($User.UserPrincipalName -notlike "*<YourTenancyName>.onmicrosoft.com" -and $User.UserPrincipalName -ne "DirSync@blah.com")
{
$AdUser=Get-ADUser -Filter {UserPrincipalName -eq $User.UserPrincipalName} -Properties extensionAttribute5, sAMAccountName
Try
{
$date = Get-Date -Format $dateFormat
$LoggingContent=$null
$Licenses=$null
$SKUIDs=$null
$STANDARDWOFFPACK_STUDENT_Applied=$null
$STANDARDWOFFPACK_FACULTY_Applied=$null
$PROJECTONLINE_PLAN_1_FACULTY_Applied=$null
$POWER_BI_STANDARD_Applied=$null
$CRMSTANDARD_Applied=$null
$INTUNE_A_Applied=$null
$OFFICESUBSCRIPTION_FACULTY_Applied=$null
$LicensesAdded=@()
$LicensesRemoved=@()
$Licenses=$User.Licenses
$SKUIDs=$Licenses.AccountSkuId
ForEach ($SKU in $SKUIDs)
{
If ($SKU -eq $STANDARDWOFFPACK_IW_FACULTY)
{
Try
{
##### These should not be used, so remove if found #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $STANDARDWOFFPACK_IW_FACULTY
$LicensesRemoved += "STANDARDWOFFPACK_IW_FACULTY"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
##### But then we need to replace that with a "normal" O365 licence, plus Pro Plus #####
If ($AdUser.extensionAttribute5 -eq "Staff")
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_FACULTY -LicenseOptions $FacultyLicenseOptions
$LicensesAdded += "STANDARDWOFFPACK_FACULTY"
##### Add user to the AD group - just for reference.... #####
Add-ADGroupMember -Identity STANDARDWOFFPACK_FACULTY_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_FACULTY
$LicensesAdded += "OFFICESUBSCRIPTION_FACULTY"
##### Add user to the AD group to ensure that they licence is not subsequently removed.... #####
Add-ADGroupMember -Identity OFFICESUBSCRIPTION_FACULTY_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
Else
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_STUDENT -LicenseOptions $StudentLicenseOptions
$LicensesAdded += "STANDARDWOFFPACK_STUDENT"
##### Add user to the AD group - just for reference.... #####
Add-ADGroupMember -Identity STANDARDWOFFPACK_STUDENT_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_STUDENT
$LicensesAdded += "OFFICESUBSCRIPTION_STUDENT"
##### Add user to the AD group to ensure that they licence is not subsequently removed.... #####
Add-ADGroupMember -Identity OFFICESUBSCRIPTION_STUDENT_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($SKU -eq $STANDARDWOFFPACK_IW_STUDENT)
{
Try
{
##### These should not be used, so remove if found #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $STANDARDWOFFPACK_IW_STUDENT
$LicensesRemoved += "STANDARDWOFFPACK_IW_STUDENT"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
##### But then we need to replace that with a "normal" O365 licence, plus Pro Plus #####
If ($AdUser.extensionAttribute5 -ne "Staff")
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_STUDENT -LicenseOptions $StudentLicenseOptions
$LicensesAdded += "STANDARDWOFFPACK_STUDENT"
##### Add user to the AD group - just for reference.... #####
Add-ADGroupMember -Identity STANDARDWOFFPACK_STUDENT_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_STUDENT
$LicensesAdded += "OFFICESUBSCRIPTION_STUDENT"
##### Add user to the AD group to ensure that they licence is not subsequently removed.... #####
Add-ADGroupMember -Identity OFFICESUBSCRIPTION_STUDENT_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
Else
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_FACULTY -LicenseOptions $FacultyLicenseOptions
$LicensesAdded += "STANDARDWOFFPACK_FACULTY"
##### Add user to the AD group - just for reference.... #####
Add-ADGroupMember -Identity STANDARDWOFFPACK_FACULTY_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_FACULTY
$LicensesAdded += "OFFICESUBSCRIPTION_FACULTY"
##### Add user to the AD group to ensure that they licence is not subsequently removed.... #####
Add-ADGroupMember -Identity OFFICESUBSCRIPTION_FACULTY_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
##### Standard O365 Licenses #####
If ($SKU -eq $STANDARDWOFFPACK_STUDENT)
{
$STANDARDWOFFPACK_STUDENT_Applied="True"
If ($ADUser.extensionAttribute5 -eq "Staff")
{
Try
{
##### Remove Student licence from Staff member #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $STANDARDWOFFPACK_STUDENT
$LicensesRemoved += "STANDARDWOFFPACK_STUDENT"
##### Remove user from the AD group #####
Remove-ADGroupMember -Identity STANDARDWOFFPACK_STUDENT_Users -Members $AdUser.sAMAccountName -Confirm:$False
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
##### Apply Staff licence #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_FACULTY -LicenseOptions $FacultyLicenseOptions
$LicensesAdded += "STANDARDWOFFPACK_FACULTY"
##### Add user to the AD group - just for reference.... #####
Add-ADGroupMember -Identity STANDARDWOFFPACK_FACULTY_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($SKU -eq $STANDARDWOFFPACK_FACULTY)
{
$STANDARDWOFFPACK_FACULTY_Applied="True"
If ($ADUser.extensionAttribute5 -ne "Staff")
{
Try
{
##### Remove Staff licence from Student member #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $STANDARDWOFFPACK_FACULTY
$LicensesRemoved += "STANDARDWOFFPACK_FACULTY"
##### Remove user from the AD group #####
Remove-ADGroupMember -Identity STANDARDWOFFPACK_FACULTY_Users -Members $AdUser.sAMAccountName -Confirm:$False
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
##### Apply Student licence #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_STUDENT -LicenseOptions $StudentLicenseOptions
$LicensesAdded += "STANDARDWOFFPACK_STUDENT"
##### Add user to the AD group - just for reference.... #####
Add-ADGroupMember -Identity STANDARDWOFFPACK_STUDENT_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
##### Individual Subscriptions #####
If ($SKU -eq $PROJECTONLINE_PLAN_1_FACULTY)
{
$PROJECTONLINE_PLAN_1_FACULTY_Applied="True"
If ($MEMBERS_PROJECTONLINE_PLAN_1_FACULTY.SamAccountName -NotContains $AdUser.sAMAccountName)
{
Try
{
#If the user is not in the group, then simply revoke the licence
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $PROJECTONLINE_PLAN_1_FACULTY
$LicensesRemoved += "PROJECTONLINE_PLAN_1_FACULTY"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
ElseIf ($ADUser.extensionAttribute5 -ne "Staff")
{
Try
{
##### Remove Staff licence from Student member #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $PROJECTONLINE_PLAN_1_FACULTY
$LicensesRemoved += "PROJECTONLINE_PLAN_1_FACULTY"
##### Remove user from the AD group to ensure that the licence is not subsequently/ mistakenly added again.... #####
Remove-ADGroupMember -Identity PROJECTONLINE_PLAN_1_FACULTY_Users -Members $AdUser.sAMAccountName -Confirm:$False
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
##### Apply Student licence #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $PROJECTONLINE_PLAN_1_STUDENT
$LicensesAdded += "PROJECTONLINE_PLAN_1_STUDENT"
##### Add user to the AD group to ensure that the licence is not subsequently removed.... #####
Add-ADGroupMember -Identity PROJECTONLINE_PLAN_1_STUDENT_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($SKU -eq $PROJECTONLINE_PLAN_1_STUDENT)
{
$PROJECTONLINE_PLAN_1_STUDENT_Applied="True"
If ($MEMBERS_PROJECTONLINE_PLAN_1_STUDENT.SamAccountName -NotContains $AdUser.sAMAccountName)
{
Try
{
#If the user is not in the group, then simply revoke the licence
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $PROJECTONLINE_PLAN_1_STUDENT
$LicensesRemoved += "PROJECTONLINE_PLAN_1_STUDENT"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
ElseIf ($ADUser.extensionAttribute5 -eq "Staff")
{
Try
{
##### Remove Student licence from Staff member #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $PROJECTONLINE_PLAN_1_STUDENT
$LicensesRemoved += "PROJECTONLINE_PLAN_1_STUDENT"
##### Remove user from the AD group to ensure that the licence is not subsequently/ mistakenly added again.... #####
Remove-ADGroupMember -Identity PROJECTONLINE_PLAN_1_STUDENT_Users -Members $AdUser.sAMAccountName -Confirm:$False
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
##### Apply Staff licence #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $PROJECTONLINE_PLAN_1_FACULTY
$LicensesAdded += "PROJECTONLINE_PLAN_1_FACULTY"
##### Add user to the AD group to ensure that the licence is not subsequently removed.... #####
Add-ADGroupMember -Identity PROJECTONLINE_PLAN_1_FACULTY_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($SKU -eq $OFFICESUBSCRIPTION_FACULTY)
{
$OFFICESUBSCRIPTION_FACULTY_Applied="True"
If ($MEMBERS_OFFICESUBSCRIPTION_FACULTY.SamAccountName -NotContains $AdUser.sAMAccountName)
{
Try
{
#If the user is not in the group, then simply revoke the licence
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $OFFICESUBSCRIPTION_FACULTY
$LicensesRemoved += "OFFICESUBSCRIPTION_FACULTY"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
ElseIf ($ADUser.extensionAttribute5 -ne "Staff")
{
Try
{
##### Remove Staff licence from Student member #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $OFFICESUBSCRIPTION_FACULTY
$LicensesRemoved += "OFFICESUBSCRIPTION_FACULTY"
##### Remove user from the AD group to ensure that the licence is not subsequently/ mistakenly added again.... #####
Remove-ADGroupMember -Identity OFFICESUBSCRIPTION_FACULTY_Users -Members $AdUser.sAMAccountName -Confirm:$False
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
##### Apply Student licence #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_STUDENT
$LicensesAdded += "OFFICESUBSCRIPTION_STUDENT"
##### Add user to the AD group to ensure that the licence is not subsequently removed.... #####
Add-ADGroupMember -Identity OFFICESUBSCRIPTION_STUDENT_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($SKU -eq $OFFICESUBSCRIPTION_STUDENT)
{
$OFFICESUBSCRIPTION_STUDENT_Applied="True"
If ($MEMBERS_OFFICESUBSCRIPTION_STUDENT.SamAccountName -NotContains $AdUser.sAMAccountName)
{
Try
{
#If the user is not in the group, then simply revoke the licence
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $OFFICESUBSCRIPTION_STUDENT
$LicensesRemoved += "OFFICESUBSCRIPTION_STUDENT"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
ElseIf ($ADUser.extensionAttribute5 -eq "Staff")
{
Try
{
##### Remove Student licence from Staff member #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $OFFICESUBSCRIPTION_STUDENT
$LicensesRemoved += "OFFICESUBSCRIPTION_STUDENT"
##### Remove user from the AD group to ensure that the licence is not subsequently/ mistakenly added again.... #####
Remove-ADGroupMember -Identity OFFICESUBSCRIPTION_STUDENT_Users -Members $AdUser.sAMAccountName -Confirm:$False
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
Try
{
##### Apply Staff licence #####
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_FACULTY
$LicensesAdded += "OFFICESUBSCRIPTION_FACULTY"
##### Add user to the AD group to ensure that the licence is not subsequently removed.... #####
Add-ADGroupMember -Identity OFFICESUBSCRIPTION_FACULTY_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($SKU -eq $POWER_BI_STANDARD)
{
$POWER_BI_STANDARD_Applied="True"
If ($MEMBERS_POWER_BI_STANDARD.SamAccountName -NotContains $AdUser.sAMAccountName)
{
Try
{
#If the user is not in the group, then simply revoke the licence
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $POWER_BI_STANDARD
$LicensesRemoved += "POWER_BI_STANDARD"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($SKU -eq $CRMSTANDARD)
{
$CRMSTANDARD_Applied="True"
If ($MEMBERS_CRMSTANDARD.SamAccountName -NotContains $AdUser.sAMAccountName)
{
Try
{
#If the user is not in the group, then simply revoke the licence
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $CRMSTANDARD
$LicensesRemoved += "CRMSTANDARD"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($SKU -eq $INTUNE_A)
{
$INTUNE_A_Applied="True"
If ($MEMBERS_INTUNE_A.SamAccountName -NotContains $AdUser.sAMAccountName)
{
Try
{
#If the user is not in the group, then simply revoke the licence
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $INTUNE_A
$LicensesRemoved += "INTUNE_A"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
}
}
Catch [System.Exception]
{
#Mop up any other errors
Send-MailMessage -From admin@blah.com -To someadmin@blah.com -cc someotheradmin@blah.com -Subject "ERROR - O365 Licence Management" -Body $_.Exception.Message -SmtpServer smtp.blah.com
Write-Host $_.Exception.Message
}
Try
{
##### Apply individual licences if they are not applied already #####
If ($MEMBERS_PROJECTONLINE_PLAN_1_FACULTY.SamAccountName -Contains $AdUser.sAMAccountName -and $PROJECTONLINE_PLAN_1_FACULTY_Applied -ne "True")
{
#Setup the bits that we don't want, because they are already present in the Project license and will cause an error otherwise...
$DisabledPlans=@()
$DisabledPlans+="EXCHANGE_S_STANDARD"
$DisabledPlans+="SHAREPOINTSTANDARD_EDU"
$DisabledPlans+="SHAREPOINTWAC_EDU"
# Define the Licence options
$FacultyLicenseOptions = New-MsolLicenseOptions -AccountSkuId $STANDARDWOFFPACK_FACULTY -DisabledPlans $DisabledPlans
#
#First we need to remove the standard licence..... in order to remove SHAREPOINTSTANDARD_EDU and SHAREPOINTWAC_EDU, we'll add the bits that we want back in a mo'
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $STANDARDWOFFPACK_FACULTY
Start-Sleep -s 30
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
#Now set the new licence in place
$CheckUser=Get-MSOLUser -UserPrincipalName $User.UserPrincipalName
$CheckLicenses=$CheckUser.Licenses
$CheckSKUIDs=$CheckLicenses.AccountSkuId
If ($CheckSKUIDs -NotContains $STANDARDWOFFPACK_FACULTY)
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_FACULTY -LicenseOptions $FacultyLicenseOptions
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
# Then try putting the full Project licence in place
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $PROJECTONLINE_PLAN_1_FACULTY
$LicensesAdded += "PROJECTONLINE_PLAN_1_FACULTY"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($MEMBERS_PROJECTONLINE_PLAN_1_STUDENT.SamAccountName -Contains $AdUser.sAMAccountName -and $PROJECTONLINE_PLAN_1_STUDENT_Applied -ne "True")
{
#Setup the bits that we don't want, because they are already present in the Project license and will cause an error otherwise...
$DisabledPlans=@()
$DisabledPlans+="EXCHANGE_S_STANDARD"
$DisabledPlans+="SHAREPOINTSTANDARD_EDU"
$DisabledPlans+="SHAREPOINTWAC_EDU"
# Define the Licence options
$StudentLicenseOptions = New-MsolLicenseOptions -AccountSkuId $STANDARDWOFFPACK_STUDENT -DisabledPlans $DisabledPlans
#
#First we need to remove the standard licence..... in order to remove SHAREPOINTSTANDARD_EDU and SHAREPOINTWAC_EDU, we'll add the bits that we want back in a mo'
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -RemoveLicenses $STANDARDWOFFPACK_STUDENT
Start-Sleep -s 30
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
#Now set the new licence in place
$CheckUser=Get-MSOLUser -UserPrincipalName $User.UserPrincipalName
$CheckLicenses=$CheckUser.Licenses
$CheckSKUIDs=$CheckLicenses.AccountSkuId
If ($CheckSKUIDs -NotContains $STANDARDWOFFPACK_STUDENT)
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_STUDENT -LicenseOptions $StudentLicenseOptions
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
# Then try putting the full Project licence in place
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $PROJECTONLINE_PLAN_1_STUDENT
$LicensesAdded += "PROJECTONLINE_PLAN_1_STUDENT"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
If ($MEMBERS_POWER_BI_STANDARD.SamAccountName -Contains $AdUser.sAMAccountName -and $POWER_BI_STANDARD_Applied -ne "True")
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $POWER_BI_STANDARD
$LicensesAdded += "POWER_BI_STANDARD"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_CRMSTANDARD.SamAccountName -Contains $AdUser.sAMAccountName -and $CRMSTANDARD_Applied -ne "True")
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $CRMSTANDARD
$LicensesAdded += "CRMSTANDARD"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_INTUNE_A.SamAccountName -Contains $AdUser.sAMAccountName -and $INTUNE_A_Applied -ne "True")
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $INTUNE_A
$LicensesAdded += "INTUNE_A"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_OFFICESUBSCRIPTION_FACULTY.SamAccountName -Contains $AdUser.sAMAccountName -and $OFFICESUBSCRIPTION_FACULTY_Applied -ne "True")
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_FACULTY
$LicensesAdded += "OFFICESUBSCRIPTION_FACULTY"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_OFFICESUBSCRIPTION_STUDENT.SamAccountName -Contains $AdUser.sAMAccountName -and $OFFICESUBSCRIPTION_STUDENT_Applied -ne "True")
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_STUDENT
$LicensesAdded += "OFFICESUBSCRIPTION_STUDENT"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
Catch [System.Exception]
{
#Mop up any other errors
Send-MailMessage -From admin@blah.com -To someadmin@blah.com -cc someotheradmin@blah.com -Subject "ERROR - O365 Licence Management" -Body $_.Exception.Message -SmtpServer smtp.blah.com
Write-Host $_.Exception.Message
}
#Reporting bits:
If ($LicensesAdded.Count -eq 0 -and $LicensesRemoved.Count -gt 0)
{
$LoggingContent=$Date + ",User," + $User.UserPrincipalName + ",LicensesRemoved," + ($LicensesRemoved -join ',')
}
If ($LicensesAdded.Count -gt 0 -and $LicensesRemoved.Count -eq 0)
{
$LoggingContent=$Date + ",User," + $User.UserPrincipalName + ",Licenses Added," + ($LicensesAdded -join ',')
}
If ($LicensesAdded.Count -gt 0 -and $LicensesRemoved.Count -gt 0)
{
$LoggingContent=$Date + ",User," + $User.UserPrincipalName + ",Licenses Added," + ($LicensesAdded -join ',') + ",LicensesRemoved," + ($LicensesRemoved -join ',')
}
# Write out the log
Add-Content $Logfile $LoggingContent
# If any errors occurred adding or removing icences - the variable $strMailBody will have some content, so send it to admins...
If ($strMailBody -ne $null)
{
Send-MailMessage -From admin@blah.com -To someadmin@blah.com -cc someotheradmin@blah.com -Subject "ERROR - O365 Licence Management" -Body $strMailBody -SmtpServer smtp.blah.com
Write-Host $strMailBody
}
}
}
############ Now mop up the unlicenced users ############
ForEach($User in (Get-MsolUser -all | where{$_.isLicensed -ne "True"}))
{
If($User.UserPrincipalName -notlike "*<YourTenancyName>.onmicrosoft.com" -and $User.UserPrincipalName -ne "DirSync@blah.com")
{
$date = Get-Date -Format $dateFormat
$LoggingContent=$null
$LicensesAdded=@()
$AdUser=Get-ADUser -Filter {UserPrincipalName -eq $User.UserPrincipalName} -Properties extensionAttribute5, sAMAccountName
Try
{
If ($ADUser.extensionAttribute5 -eq "Staff")
{
Try
{
# Set usage location
Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation $UsageLocation
}
Catch [System.Exception]
{
$strBody="Error setting UsageLocation for $User.UserPrincipalName"
$strMailBody=$strMailBody+$strBody
}
Try
{
# Set standard O365 licence without Exchange
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_FACULTY -LicenseOptions $FacultyLicenseOptions
$LicensesAdded += "STANDARDWOFFPACK_FACULTY"
##### Add user to the AD group - just for reference.... #####
Add-ADGroupMember -Identity STANDARDWOFFPACK_FACULTY_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($ADUser.extensionAttribute5 -ne "Staff")
{
Try
{
# Set usage location
Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation $UsageLocation
}
Catch [System.Exception]
{
$strBody="Error setting UsageLocation for $User.UserPrincipalName"
$strMailBody=$strMailBody+$strBody
}
Try
{
# Set standard O365 licence without Exchange
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $STANDARDWOFFPACK_STUDENT -LicenseOptions $StudentLicenseOptions
$LicensesAdded += "STANDARDWOFFPACK_STUDENT"
##### Add user to the AD group - just for reference.... #####
Add-ADGroupMember -Identity STANDARDWOFFPACK_STUDENT_Users -Members $AdUser.sAMAccountName
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
##### Individual Subscriptions for unlicenced users - unlikely to ever hit here... #####
If ($MEMBERS_PROJECTONLINE_PLAN_1_FACULTY.SamAccountName -Contains $AdUser.sAMAccountName)
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $PROJECTONLINE_PLAN_1_FACULTY
$LicensesAdded += "PROJECTONLINE_PLAN_1_FACULTY"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_PROJECTONLINE_PLAN_1_STUDENT.SamAccountName -Contains $AdUser.sAMAccountName)
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $PROJECTONLINE_PLAN_1_STUDENT
$LicensesAdded += "PROJECTONLINE_PLAN_1_STUDENT"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_POWER_BI_STANDARD.SamAccountName -Contains $AdUser.sAMAccountName)
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $POWER_BI_STANDARD
$LicensesAdded += "POWER_BI_STANDARD"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_CRMSTANDARD.SamAccountName -Contains $AdUser.sAMAccountName)
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $CRMSTANDARD
$LicensesAdded += "CRMSTANDARD"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_INTUNE_A.SamAccountName -Contains $AdUser.sAMAccountName)
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $INTUNE_A
$LicensesAdded += "INTUNE_A"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_OFFICESUBSCRIPTION_FACULTY.SamAccountName -Contains $AdUser.sAMAccountName)
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_FACULTY
$LicensesAdded += "OFFICESUBSCRIPTION_FACULTY"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
If ($MEMBERS_OFFICESUBSCRIPTION_STUDENT.SamAccountName -Contains $AdUser.sAMAccountName)
{
Try
{
Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $OFFICESUBSCRIPTION_STUDENT
$LicensesAdded += "OFFICESUBSCRIPTION_STUDENT"
}
Catch [System.Exception]
{
$strBody=MailBody
$strMailBody=$strMailBody+$strBody
}
}
}
Catch [System.Exception]
{
Send-MailMessage -From admin@blah.com -To someadmin@blah.com -cc someotheradmin@blah.com -Subject "ERROR - O365 Licence Management" -Body $_.Exception.Message -SmtpServer smtp.blah.com
Write-Host $_.Exception.Message
}
$LoggingContent=$Date + ",User," + $User.UserPrincipalName + ",Licenses Added," + ($LicensesAdded -join ',')
# Write out the log
Add-Content $Logfile $LoggingContent
# If any errors occurred adding or removing icences - the variable $strMailBody will have some content, so send it to admins...
If ($strMailBody -ne $null)
{
Send-MailMessage -From admin@blah.com -To someadmin@blah.com -cc someotheradmin@blah.com -Subject "ERROR - O365 Licence Management" -Body $strMailBody -SmtpServer smtp.blah.com
Write-Host $strMailBody
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.