Licensing for Office365 has always been a moving target for enterprise customers. Over the years I’ve implemented a plethora of solutions to keep licensing consistent with entitlement logic. For some customers this is as simple as everyone getting, say, an E3 license. For other institutions there is often a mix of ‘E’ and ‘K’ licenses depending on EmployeeType.
Using the Granfeldt PowerShell Management Agent to import Office365 Licensing info
In this blog post I detail how I’m using Søren Granfeldt’s extremely versatile PowerShell Management Agent yet again, this time to import Office365 licensing information into Microsoft Identity Manager.
I’m bringing in the licenses associated with users as attributes on the user account. I’m also bringing in the licenses from the tenant as their own ObjectType into the Metaverse. This includes the information about each license such as how many licenses have been purchased, how many licenses have been issued etc.
Overview
I’m not showing how to assign licenses. In the schema I have included the LicensesToAdd and LicensesToRemove attributes. Check out my Adding/Removing User Office365 Licences using PowerShell and the Azure AD Graph RestAPI post to see how to assign and remove licenses using PowerShell. From that you can work out your logic to implement an Export flow to manage Office365 licenses.
Getting Started with the Granfeldt PowerShell Management Agent
If you don’t already have it, what are you waiting for? Go get it from here. Søren’s documentation is pretty good but does assume you have a working knowledge of FIM/MIM, and this blog post is no different.
Three items I had to work out that I’ll save you the pain of are:
- You must have a Password.ps1 file. Even though we’re not doing password management on this MA, the PS MA configuration requires a file for this field. The .ps1 doesn’t need to have any logic/script inside it. It just needs to be present.
- The credentials you give the MA are the credentials for the account that has permissions to the Office365 Tenant. Just a normal account is enough to enumerate it, but you’ll need additional permissions to assign/remove licenses.
- The path to the scripts in the PS MA Config must not contain spaces and be in old-skool 8.3 format. I’ve chosen to store my scripts in an appropriately named subdirectory under the MIM Extensions directory. Tip: from a command shell use dir /x to get the 8.3 directory format name. Mine looks like C:\PROGRA~1\MICROS~2\2010\SYNCHR~1\EXTENS~2\O365Li~1
Schema.ps1
My Schema is based around the core Office365 Licenses function. You’ll need to create a number of corresponding attributes in the Metaverse Schema on the Person ObjectType to flow the attributes into. You will also need to create a new ObjectType in the Metaverse for the O365 Licenses. I named mine LicensePlans. Use the Schema info below for the attributes that will be imported and the attribute object types to make sure what you create in the Metaverse aligns, so you can import the values. Note the attributes that are multi-valued.
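A minimal sketch of what a Schema.ps1 for this MA can look like, added here as an example and not the author's original script: one object class for users and one for the tenant license plans, each with its own anchor. Apart from LicensesToAdd, LicensesToRemove and the Anchor-ID anchor, the attribute names, the sample values and the LicensePlans object class name are assumptions.

```powershell
# Added example: Schema.ps1 sketch for the Granfeldt PowerShell MA.
# Attribute names other than Anchor-ID, LicensesToAdd and LicensesToRemove
# are assumptions, not the author's schema. The values are placeholders;
# the "|Type" suffix on each name declares the attribute type.

# Object class 1: users and the licenses assigned to them
$user = New-Object -Type PSCustomObject
# Every object class needs its own anchor attribute, and Import.ps1 must
# populate it on every object it returns.
$user | Add-Member -Type NoteProperty -Name "Anchor-ID|String" -Value "00000000-0000-0000-0000-000000000000"
$user | Add-Member -Type NoteProperty -Name "objectClass|String" -Value "user"
$user | Add-Member -Type NoteProperty -Name "UserPrincipalName|String" -Value "user@example.com"
$user | Add-Member -Type NoteProperty -Name "AccountEnabled|Boolean" -Value $true
# Multi-valued attributes use a [] suffix on the type
$user | Add-Member -Type NoteProperty -Name "AssignedLicenses|String[]" -Value ("", "")
$user | Add-Member -Type NoteProperty -Name "LicensesToAdd|String[]" -Value ("", "")
$user | Add-Member -Type NoteProperty -Name "LicensesToRemove|String[]" -Value ("", "")
$user

# Object class 2: one object per license plan (SKU) in the tenant
$plan = New-Object -Type PSCustomObject
$plan | Add-Member -Type NoteProperty -Name "Anchor-ID|String" -Value "00000000-0000-0000-0000-000000000000"
$plan | Add-Member -Type NoteProperty -Name "objectClass|String" -Value "LicensePlans"
$plan | Add-Member -Type NoteProperty -Name "SkuPartNumber|String" -Value "SAMPLE_SKU"
# Purchased and issued counts, kept as strings in this sketch
$plan | Add-Member -Type NoteProperty -Name "PurchasedUnits|String" -Value "0"
$plan | Add-Member -Type NoteProperty -Name "ConsumedUnits|String" -Value "0"
$plan | Add-Member -Type NoteProperty -Name "ServicePlans|String[]" -Value ("", "")
$plan
```

The multi-valued attributes (the `String[]` ones) are the ones that need multi-valued counterparts in the Metaverse.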
Import.ps1
I’m not going to document the logic that Import.ps1 implements here, as this post goes into all the details: Enumerating all Users/Groups/Contacts in an Azure tenant using PowerShell and the Azure Graph API ‘odata.nextLink’ paging function.
Password Script (password.ps1)
Empty as not implemented
Export.ps1
Empty as not implemented
Management Agent Configuration
As per the tips above, the format for the script paths must be without spaces etc. I’m using 8.3 format and I’m using an Office 365 account to connect to Office365 and import the user and license data.
https://dl.dropboxusercontent.com/u/76015/BlogImages/O365LicMA/O365MA-2.png
https://dl.dropboxusercontent.com/u/76015/BlogImages/O365LicMA/O365MA-3.png
As per the Schema script earlier in this post I’m bringing user licensing metadata as well as the Office365 Tenant Licenses info.
https://dl.dropboxusercontent.com/u/76015/BlogImages/O365LicMA/O365MA-4.png
Attributes to bring through aligned with what is specified in the Schema file.
https://dl.dropboxusercontent.com/u/76015/BlogImages/O365LicMA/O365MA-5.png
Flow through the attributes to the attributes I created in the Metaverse on the Person ObjectType and to the new ObjectType LicensePlans.
https://dl.dropboxusercontent.com/u/76015/BlogImages/O365LicMA/O365MA-6.png
Wiring it up
To finish it up you’ll need to do the usual tasks of creating run profiles, staging the connector space from Office365 and importing into the Metaverse.
Enjoy.
Follow Darren on Twitter @darrenjrobinson
Thank you Darren, it works for me. I had to change the Top objects from 999 to 555.
If I leave 999, I get only 2000 objects, but with 555 I get the total.
One question: how can I handle the Delta Import?
Great stuff Mirsa. You’ll need to use Differential Query for Deltas. This may help you get started. https://blog.kloud.com.au/2016/08/11/getting-users-groups-contacts-via-the-azure-graph-api-using-differential-query-powershell/
Hi Darren, I am trying your above scripts on MIM 2016 using the Granfeldt PowerShell Management Agent. I have an Office 365 Developer’s license with just 2 Users. When I run an import on the PowerShell MA I am getting a “missing-anchor-attribute” error. Not sure what the issue is. I would appreciate it if you could help me out with the issue.
Hi Ramesh. The following lines for each Object Class in the Schema.ps1 are the anchors: $obj | Add-Member -Type NoteProperty -Name "Anchor-ID|String". Make sure that you have those attributes selected on the MA Attributes Config and that you are importing the values in the Import.ps1 (e.g. Line 92).