How to assign and remove user Office365 licenses using the AzureADPreview Powershell Module

A couple of months ago the AzureADPreview module was released. The first cmdlet that I experimented with was Set-AzureADUserLicense. It didn’t work, there were no working examples, and I gave up and used GraphAPI instead.

Since then the AzureADPreview has gone through a number of revisions and I’ve been messing around a little with each update. The Set-AzureADUserLicense cmdlet has been my litmus test. Now that I have both removing and assigning Office 365 licenses working I’ll save others the pain of working it out and give a couple of working examples.

 

If like me you have been experimenting with the AzureADPreview module you’ll need to force the install of the newest one. And for whatever reason I was getting an error informing me that it wasn’t signed. As I’m messing around in my dev sandpit I skipped the publisher check.
Install-Module -Name AzureADPreview -MinimumVersion 2.0.0.7 -Force -SkipPublisherCheck
Import-Module AzureADPreview -RequiredVersion 2.0.0.7

Removing an Office 365 License from a User

Removing a license with Set-AzureADUserLicense looks something like this.

What if there are multiple licenses? It's a similar concept, just looping through each one to remove it.

Assigning an Office 365 License to a User

Now that we have the removal of licenses sorted, how about adding licenses?

Assigning a license with Set-AzureADUserLicense looks something like this;
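The removal and assignment steps described above, as an added example that is not the original post's script: it removes every license from a user in one call and assigns a SKU with selected service plans disabled. The UPN user@example.com is a constructed placeholder, the function names are hypothetical, and the SKU and plan names (ENTERPRISEPACK, MCOSTANDARD) are the ones listed later on this page; it assumes the signed-in account is allowed to manage licenses.

```powershell
# Added example. Assumes the AzureADPreview module is installed and that the
# account used with Connect-AzureAD has rights to manage licenses.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

function Remove-AllUserLicenses {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user   = Get-AzureADUser -ObjectId $UserPrincipalName
    $skuIds = @($user.AssignedLicenses | ForEach-Object { $_.SkuId })
    if ($skuIds.Count -eq 0) { return }   # nothing to remove

    # RemoveLicenses takes SkuId strings; AddLicenses is set to an empty list.
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses    = @()
    $licenses.RemoveLicenses = $skuIds
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
}

function Add-UserLicense {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$SkuPartNumber,
        [string[]]$DisabledPlanNames = @(),
        [string]$UsageLocation
    )

    # Resolve the SKU by part number and check that a seat is still free.
    $sku = Get-AzureADSubscribedSku |
        Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant" }
    if (($sku.PrepaidUnits.Enabled - $sku.ConsumedUnits) -lt 1) {
        throw "No unassigned '$SkuPartNumber' licenses left"
    }

    # A license cannot be assigned to a user without a usage location.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    if (-not $user.UsageLocation) {
        if (-not $UsageLocation) { throw "User has no UsageLocation set" }
        Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $UsageLocation
    }

    # Translate service plan names into the plan IDs DisabledPlans expects.
    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    $license.DisabledPlans = @($sku.ServicePlans |
        Where-Object { $DisabledPlanNames -contains $_.ServicePlanName } |
        ForEach-Object { $_.ServicePlanId })

    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses    = $license
    $licenses.RemoveLicenses = @()
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
}

# Constructed sample values: replace the UPN with a real user in your tenant.
Remove-AllUserLicenses -UserPrincipalName 'user@example.com'
Add-UserLicense -UserPrincipalName 'user@example.com' `
    -SkuPartNumber 'ENTERPRISEPACK' -DisabledPlanNames 'MCOSTANDARD' `
    -UsageLocation 'AU'
```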

Moving forward this AzureAD Powershell Module will replace the older MSOL Module as I wrote about here. If you’re writing new scripts it’s a good time to start using the new modules.

Follow Darren on Twitter @darrenjrobinson

 

Office365 Licensing Management Agent for Microsoft Identity Manager

Licensing for Office365 has always been a moving target for enterprise customers. Over the years I’ve implemented a plethora of solutions to keep licensing consistent with entitlement logic. For some customers this is as simple as everyone gets say, an E3 license. For other institutions there are often a mix of ‘E’ and ‘K’ licenses depending on EmployeeType.

Using the Granfeldt PowerShell Management Agent to import Office365 Licensing info

In this blog post I detail how I’m using Søren Granfeldt’s extremely versatile PowerShell Management Agent yet again. This time to import Office365 licensing information into Microsoft Identity Manager.

I’m bringing in the licenses associated with users as attributes on the user account. I’m also bringing in the licenses from the tenant as their own ObjectType into the Metaverse. This includes the information about each license such as how many licenses have been purchased, how many licenses have been issued etc.

Overview

I’m not showing assigning licenses. In the schema I have included the LicensesToAdd and LicensesToRemove attributes. Check out my Adding/Removing User Office365 Licences using PowerShell and the Azure AD Graph RestAPI post to see how to assign and remove licenses using Powershell. From that you can work out your logic to implement an Export flow to manage Office365 licenses.

Getting Started with the Granfeldt PowerShell Management Agent

If you don’t already have it, what are you waiting for. Go get it from here. Søren’s documentation is pretty good but does assume you have a working knowledge of FIM/MIM and this blog post is no different.

Three items I had to work out that I’ll save you the pain of are;

  • You must have a Password.ps1 file. Even though we’re not doing password management on this MA, the PS MA configuration requires a file for this field. The .ps1 doesn’t need to have any logic/script inside it. It just needs to be present
  • The credentials you give the MA to run this MA are the credentials for the account that has permissions to the Office365 Tenant. Just a normal account is enough to enumerate it, but you’ll need additional permissions to assign/remove licenses.
  • The path to the scripts in the PS MA Config must not contain spaces and be in old-skool 8.3 format. I’ve chosen to store my scripts in an appropriately named subdirectory under the MIM Extensions directory. Tip: from a command shell use dir /x to get the 8.3 directory format name. Mine looks like C:\PROGRA~1\MICROS~2\2010\SYNCHR~1\EXTENS~2\O365Li~1

Schema.ps1

My Schema is based around the core Office365 Licenses function. You’ll need to create a number of corresponding attributes in the Metaverse Schema on the Person ObjectType to flow the attributes into. You will also need to create a new ObjectType in the Metaverse for the O365 Licenses. I named mine LicensePlans. Use the Schema info below for the attributes that will be imported and the attribute object types to make sure what you create in the Metaverse aligns, so you can import the values. Note the attributes that are multi-valued.

Import.ps1

I’m not going to document the logic that Import.ps1 implements here, as this post goes into all the details: Enumerating all Users/Groups/Contacts in an Azure tenant using PowerShell and the Azure Graph API ‘odata.nextLink’ paging function

Password Script (password.ps1)

Empty as not implemented

Export.ps1

Empty as not implemented

Management Agent Configuration

As per the tips above, the format for the script paths must be without spaces etc. I’m using 8.3 format and I’m using an Office 365 account to connect to Office365 and import the user and license data.

As per the Schema script earlier in this post I’m bringing user licensing metadata as well as the Office365 Tenant Licenses info.

Attributes to bring through aligned with what is specified in the Schema file.

Flow through the attributes to the attributes I created in the Metaverse on the Person ObjectType and to the new ObjectType LicensePlans.

Wiring it up

To finish it up you’ll need to do the usual tasks of creating run profiles, staging the connector space from Office365 and importing into the Metaverse.

Enjoy.

Follow Darren on Twitter @darrenjrobinson

Yammer Activation in All Eligible Tenants

In an effort to drive the collaboration experience and further the adoption of Yammer, Microsoft announced on the 2nd of February that Yammer now meets all of Office 365’s security and compliance requirements and Yammer will be activated across all Office 365 tenants that contain a Yammer subscription. This will be a retrospective activation as well as being enabled by default for any new tenants. The rollout will be in three stages:

  • Wave 1 has commenced as of February 1, 2016 and includes Office 365 customers with a business subscription who purchased fewer than 150 licenses that includes Yammer and who have zero or one custom domain for Yammer.
  • Wave 2 starts on March 1, 2016 and includes Office 365 customers with a business subscription who purchased fewer than 5,000 licenses that includes Yammer. This does not include customers with an education subscription.
  • Wave 3 starts on April 1, 2016 and includes all remaining customers with a business subscription and all customers with an education subscription.

As Yammer is automatically activated, users with a license that includes Yammer can immediately start accessing the service through Office 365 and Yammer features will be available from within other Office 365 apps. The activation process will either create a new Yammer network or connect to an existing Yammer network that has all or a subset of domains managed within the Office 365 tenant.

Microsoft are continuing to work towards deeper integration between Yammer and Office 365 and this change will lay the ground work for new features. One of the exciting new capabilities coming in the first half of this year is integration with Office 365 Groups adding  the ability to initiate Skype for Business calls, access OneDrive for Business files, schedule Outlook calendar meetings and create tasks within Planner, all from within a Yammer group.

I’ve had a number of customers choose not to deploy Yammer to their user bases for one reason or another and it is possible to block this from occurring. As of February 2016, the Yammer license is an option that can be disabled. Previously the Yammer license was embedded and enabled by default into E plans; provisioning of the Yammer service is what activated a user’s ability to get into Yammer. If your business is not yet ready to adopt Yammer, it will now be necessary to revoke the Yammer license via PowerShell for individual users.

For more information, see https://blogs.office.com/2016/02/02/get-ready-for-yammer/

Purchasing Additional SharePoint Online Storage for Office 365

There are a number of different options for customers to purchase Office 365.  In the U.S.A. and the majority of markets, customers can purchase Office 365 directly from Microsoft via MOSP (Microsoft Online Subscription Program).  This is the most common way for small businesses to purchase Office 365.  Customers can purchase licenses using a credit card.  There is no minimum license quantity for MOSP.  Customers pay for Office 365 via an automatic monthly subscription.

In Australia, Telstra has a syndication agreement with Microsoft.  This means that customers who want to purchase Office 365 in Australia transact the purchase with Telstra.  This service is known as T-Suite.  Billing for T-Suite can be via a monthly credit card payment or the customer’s existing Telstra account.  After purchasing the licenses from Telstra, customers are provided with an Office 365 Org ID and password to access the new tenant.

Another option for customers to purchase Office 365 is via a volume license (VL) agreement.  For large enterprises that require 250 licenses and above, customers can purchase via an Enterprise Agreement (EA) or Enterprise Subscription Agreement (EAS).  Smaller customers that require between 5 – 249 licenses can purchase Office 365 via an Open Agreement.  VL agreements require a commitment of 1 – 3 years, depending on the agreement.  VL agreements are billed annually.  Customers who are based in Australia and wish to buy Office 365 directly from Microsoft can do so with a VL agreement.

There are many differences between Office 365 purchases via MOSP vs. VL.  The differences include:

1) The prices of the licenses

2) The frequency of the payments

3) The length of commitment

4) The types of SKUs which are available

It is important to consider all of these factors before making a decision on the best way to purchase Office 365 for your organization.

This blog will focus on one of the major differences between the Office 365 SKUs offered via MOSP vs. an Open agreement.

When customers purchase Office 365 and SharePoint Online, they are provided with 10 GB of storage by default. This storage can be used to provision a number of different SharePoint Online websites including public and internal websites. For each Office 365 and SharePoint Online user license purchased, the tenant is provided with an additional 500 MB of storage. For example, a customer who purchases 10 E3 licenses will receive 10 GB + (10 users) * (500 MB) = 10 GB + 5 GB = 15 GB. Please note that this pool of SharePoint Online storage is separate from the storage used by OneDrive for Business. Each user who runs OneDrive for Business is now given 1 TB of storage for personal files.

In some instances, customers may want to increase the amount of storage available for SharePoint Online.  Kloud Solutions works with many customers who would like to move their corporate file shares from an on-premises server to SharePoint Online.  The storage required for your file shares may exceed the default storage allocation in SharePoint Online.  Therefore, Microsoft has introduced the option for customers to purchase additional SharePoint storage on a per GB basis.

There are many different types of Office 365 plans that can be purchased.  You will first need to determine if your existing Office 365 subscription is eligible for additional storage.  SharePoint Online storage is available for the following subscriptions:

  • Office 365 Enterprise E1
  • Office 365 Enterprise E2
  • Office 365 Enterprise E3
  • Office 365 Enterprise E3 for Symphony
  • Office 365 Enterprise E4
  • Office 365 Midsize Business
  • Office Online with SharePoint Plan 1
  • Office Online with SharePoint Plan 2
  • SharePoint Online (Plan 1)
  • SharePoint Online (Plan 2)

SharePoint Online Storage for Small Business is available for the following subscriptions:

  • Office 365 (Plan P1)
  • Office 365 Small Business Premium
  • Office 365 Small Business

If your subscription is one of the above eligible plans, you can purchase Office 365 via MOSP or the T-Suite portal for customers in Australia.

One of the key limitations to consider is that Microsoft does NOT offer the option to purchase additional SharePoint Online storage via an Open Agreement for small and medium businesses.  For instance, you can purchase 10 E3 licenses via an Open Agreement. This would provide 15 GB of SharePoint Online storage using the example above.  However, you would NOT be able to purchase additional GB of storage as the SKU is not available on the Open price list.

You can mix Open and MOSP licensing in the same Office 365 tenant. For example, you could buy 10 E3 licenses via an Open agreement and then apply them to a tenant using an Office 365 product key. If you wanted to buy an additional 3 GB of storage, you could do so via a credit card in the same tenant. However, SharePoint Online storage must be tied to another license. It cannot be purchased by itself. So you would have to buy at least 1 additional E3 license via MOSP in order to add the additional 3 GB of storage. This is something to consider when you are pricing an Office 365 solution.

For reasons of both simplicity and flexibility, Kloud Solutions recommends purchasing Office 365 via MOSP or T-Suite if you need additional SharePoint Online storage today, or if you think you may need it in the future.  Purchasing via MOSP or T-Suite allows you to keep your options open and plan for future storage growth.  Buying Office 365 via Open means that you are locked in to a certain storage allocation as determined by Microsoft.   There is no guarantee that Microsoft’s default storage allocation will meet your requirements.

It is very likely that Microsoft will increase the default storage allocation for SharePoint Online in the future.  The cost of storage is always declining according to Moore’s Law.  For example, Microsoft recently increased the amount of storage available in OneDrive from 25 GB to 1 TB.  Here is a blog post which references this change:

https://blog.kloud.com.au/2014/05/04/sharepoint-online-storage-improvements-in-office-365/

However, there have been no announcements from Microsoft to date indicating that they plan to increase the default storage for SharePoint Online beyond 10 GB per tenant or 500 MB per user.  There will be future posts to this blog about this topic if there are any relevant updates in the future.

If you have any questions about the different options for purchasing Office 365 from Microsoft or Telstra, please contact Kloud  Solutions using the following URL:

http://www.kloud.com.au/

Switching Between Office 365 Plans

One of the challenges with earlier versions of Office 365 was the inability to switch plans. Once you set up a tenant, there were certain aspects of the tenant which could not be changed. For example, if you set up a small business tenant with 10 users, you could not increase the size of the tenant beyond the 25 user limit. There was no way to convert a small business tenant into an enterprise tenant. This meant that a small business growing rapidly might exceed the capacity of its Office 365 tenant.

The good news is that it is now possible to switch between Office 365 plans to accommodate customers’ needs. You can switch from one Office 365 subscription to another in the same service family or in a different service family.

There are two ways to switch Office 365 plans:

1) Manual switch

2) Using the Switch Plan Wizard

You cannot use the Switch plans wizard if your subscription has more than 300 users. To access the Switch plans wizard, you need to be a global admin for Office 365.

 

 Plans eligible for the Switch plans wizard

FROM PLAN | TO PLAN
Office 365 Small Business | Office 365 Small Business Premium; Office 365 Midsize Business; Office 365 Enterprise E1; Office 365 Enterprise E3; Office 365 Enterprise E4
Office 365 Small Business Premium | Office 365 Midsize Business; Office 365 Enterprise E1; Office 365 Enterprise E3; Office 365 Enterprise E4
Office 365 Midsize Business | Office 365 Enterprise E1; Office 365 Enterprise E3; Office 365 Enterprise E4
Office 365 Enterprise K1; Office 365 Enterprise K2 | Office 365 Enterprise E1; Office 365 Enterprise E3; Office 365 Enterprise E4
Office 365 Enterprise E1 | Office 365 Enterprise E3; Office 365 Enterprise E4
Office 365 Enterprise E3 | Office 365 Enterprise E4
Lync Online (Plan 1); Lync Online (Plan 2) | Office 365 Enterprise E1; Office 365 Enterprise E3; Office 365 Enterprise E4
Lync Online (Plan 3) | Office 365 Enterprise E4
SharePoint Online (Plan 1) | Office 365 Enterprise E1; Office 365 Enterprise E3; Office 365 Enterprise E4
SharePoint Online (Plan 2) | Office 365 Enterprise E3; Office 365 Enterprise E4
Exchange Online (Plan 1) | Office 365 Enterprise E1; Office 365 Enterprise E3; Office 365 Enterprise E4
Exchange Online (Plan 2) | Office 365 Enterprise E3; Office 365 Enterprise E4
Office 365 Education A1 | Office 365 Education A2; Office 365 Education A3
Office 365 Education A2 | Office 365 Education A3
Office Online with SharePoint Online Plan 1 or Plan 2 | Office 365 Education A1; Office 365 Education A2; Office 365 Education A3; Office 365 Education A4
Exchange Online Kiosk | Office 365 Enterprise E1; Office 365 Enterprise E3; Office 365 Enterprise E4; Office 365 Enterprise K1; Exchange Online Plan 1; Exchange Online Plan 2

 

Any plan that isn’t in the Plans eligible for the Switch plans wizard list can be switched “manually.”

Switching plans manually involves purchasing a new plan, reassigning the licenses, and then cancelling your old plan.  You cannot switch back to your old plan after you switch to a plan in a different service family.

If you are interested in switching your Office 365 plan, please contact Kloud Solutions using the following URL:

http://www.kloud.com.au/contact-us/

 

Exchange Online Inactive Mailboxes

In an enterprise deployment of Office 365 Wave 14, one of the recurring pain points was how to handle mailbox data retention once a user left the business and the data is required for compliance purposes. There were a number of options available to handle this:

  • Leave the mailbox in-situ and disable the user account
  • Change the license SKU to Kiosk Plan 2 as it’s a cheaper license cost and disable the user account
  • Migrate the departed user mailbox back to the on-premises hybrid Exchange platform
  • Use a 3rd party cloud archive solution

While all of these will work, on an enterprise scale they’re quite clunky and even with an identity management solution in place, they’re not particularly practical or cost effective. Aside from the high administrative overhead, there’s a high cost to license most of these options or maintain on-premises infrastructure. And if you’re going to these lengths to preserve this data, you want it to be searchable through eDiscovery, in which case it should stay where the bulk of the mail already is: in the cloud.

With Office 365 Wave 15 and Exchange 2013, the Legal Hold functionality (now called In-Place Hold) has been enhanced to include the “inactive mailboxes” feature to cover a departed user scenario. When a user leaves the business, it is now possible to place the mailbox into In-Place Hold, then delete the corresponding user account. The mailbox will then be available to eDiscovery indefinitely and the mailbox license can be released back into the pool.

Once the retention requirements have been met, it is possible to remove the In-Place Hold and allow the mailbox to be deleted in accordance with the default deleted mailbox retention policy. Inactive mailboxes do not require any Office 365 or Exchange Online licensing.

The benefits of using the Inactive Mailbox feature are:

  • Visible in eDiscovery searches
  • Preserves the mailbox indefinitely
  • Hidden from users so no longer available in the GAL
  • Cannot send or receive email
  • No Active Directory / Office 365 account required
  • No license required

How to Create an Inactive Mailbox

  1. In-Place Hold
    When a mailbox is placed in In-Place hold, the content is preserved as is and cannot be changed. The mailbox can be on hold for a specified time or indefinitely. The mailbox is still subject to the standard Exchange Online deleted mailbox retention policy of 30 days, meaning that if the mailbox has been inactive for over 30 days and is taken out of In-Place Hold, it will be deleted permanently

    To create a new In-Place Hold that will be active for seven years, execute the following PowerShell command

    New-MailboxSearch "Joel-Test-Hold" -SourceMailboxes "joel.neff@showcase.kloud.com.au" -InPlaceHoldEnabled $True -ItemHoldPeriod 2557
  2. Delete Source Account
    With In-Place Hold activated on the mailbox, the associated account can be deleted from Active Directory or from Office 365. Once the seven year period has expired, the mailbox will be automatically deleted.

Accessing an Inactive Mailbox

As the associated account has been deleted, the mailbox cannot be opened in Outlook or OWA. The only way to access the content of the mailbox is to use the eDiscovery console from within the Exchange Admin Centre. The contents of the entire mailbox can be shown, or specific items related to a search query. All results can be exported to a PST file.

To run an eDiscovery search from PowerShell, I’m going to search for all email items in a particular mailbox that contain either the word “Kloud” or “Office 365” between the 1st of January and today:

New-MailboxSearch "Test-Search" -StartDate "1/1/2013" -EndDate "20/6/2013" -SourceMailboxes "Joel-Test-Hold" -TargetMailbox "Discovery Search Mailbox" -SearchQuery '"Kloud" OR "Office 365"' -MessageTypes Email -IncludeUnsearchableItems -LogLevel Basic

Manually Remove an Inactive Mailbox

Once the compliance requirements have been met, or the mailbox is no longer needed, it is possible to remove the hold placed on the mailbox and allow it to delete. As mentioned earlier, if the mailbox has been on hold for over 30 days, it will be permanently deleted once the hold is removed. If it has been on hold for less than 30 days the mailbox will be available for the remainder of the 30 day period since the hold was activated.

Set-MailboxSearch "Joel-Test-Hold" -InPlaceHoldEnabled $False
Remove-MailboxSearch "Joel-Test-Hold"

A complete list of the available Set-MailboxSearch parameters can be found at http://technet.microsoft.com/en-us/library/dd298064(v=exchg.150).aspx

Office 365 Licensing with Powershell

The Basics

Recently I’ve had to explore the dark art of license assignment using Powershell. It’s not particularly well documented so this might help you…

Displaying a list of the current licensing assignment is pretty straightforward. Get-MsolUser can be used to return information on an individual or a list of users.

Get-MsolUser -All run on its own will return all of the users available in the tenant along with whether or not there is a user license assigned.

To make this a bit more usable, you could pipe this output to a CSV file and work with it from there

Get-MsolUser -All | Export-Csv c:\path\AllUsers.CSV

If you want to filter it a bit more, you can compare the IsLicensed property against $true or $false

Get-MsolUser -All | Where-Object {$_.IsLicensed -eq $true} | Export-Csv c:\path\AllUsersWithLicenses.CSV

First Time License Assignment

The next step from here is to know what licensing SKU you have available before you can apply it. The first thing you will need to do is obtain the AccountSkuId values that have been setup for your tenant.

In my case, I have an E3 tenant which is an ENTERPRISEPACK AccountSkuId that is prefixed with the name of my tenant. You need to display your SKU:

Get-MsolAccountSku | Format-Table AccountSkuId, SkuPartNumber

If you have an E4 subscription, the AccountSkuId is ENTERPRISEPACKWITHCAL

The available service plans in each of these are

  • OFFICESUBSCRIPTION (Office Pro Plus)
  • MCOSTANDARD (Lync Online)
  • SHAREPOINTWAC (Office Web Apps)
  • SHAREPOINTENTERPRISE (Sharepoint Online)
  • EXCHANGE_S_ENTERPRISE (Exchange Online)

In the Kiosk plans the AccountSkuId is DESKLESSWOFFPACK and this contains:

  • SHAREPOINTWAC
  • SHAREPOINTDESKLESS
  • EXCHANGE_S_DESKLESS

The Exchange Online Archiving SKU contains:

  • EXCHANGE_S_ARCHIVE

When doing bulk license assignments, you’ll need to create a CSV file containing the UPN for each batch you want to license. I’ve named the column in my CSV “UPN”

Then you’ll need to set the licenses you would like to disable, in my example I only want to assign a license for Office Pro Plus so I need to set a variable which contains my assignment:

$Step1 = New-MsolLicenseOptions -AccountSkuId klouds:ENTERPRISEPACK -DisabledPlans MCOSTANDARD,SHAREPOINTWAC,SHAREPOINTENTERPRISE,EXCHANGE_S_ENTERPRISE

When assigning a license for the first time you also need to specify the country of use

Import-Csv .\Sample.CSV | ForEach-Object {Set-MsolUser -UserPrincipalName $_.UPN -UsageLocation AU}

The next step is to assign the license:

Import-Csv .\Sample.CSV | foreach {Set-MsolUserLicense -UserPrincipalName $_.UPN -AddLicenses klouds:ENTERPRISEPACK -verbose -LicenseOptions $Step1}

You can check the license assignment with:

(Get-MsolUser -UserPrincipalName "Your UPN").Licenses[0].ServiceStatus

Modifying Subscriptions within a License

As with the first time license assignment, you will need to set a variable containing the license subscriptions you want to activate. In my example I am going to remove the Office Pro Plus subscription and activate Exchange Online:

$Step2 = New-MsolLicenseOptions -AccountSkuId klouds:ENTERPRISEPACK -DisabledPlans OFFICESUBSCRIPTION,MCOSTANDARD,SHAREPOINTWAC,SHAREPOINTENTERPRISE

The next step is to remove the Office Pro Plus subscription and assign Exchange Online:

Import-Csv .\Sample.CSV | ForEach {Set-MsolUserLicense -UserPrincipalName $_.UPN -LicenseOptions $Step2}

Again using (Get-MsolUser -UserPrincipalName "Your UPN").Licenses[0].ServiceStatus you can see that the change to the subscription was successful:

If you try to modify the subscription using the same commands used for first time license allocation, you will get an error stating that the license is invalid