Bulk Assigning Customized licenses in Office 365 using Powershell

Introduction

Bulk assigning customized licenses in Office 365 using PowerShell is one of those rare asks that a customer can make based on their business and technical requirements. I have been working with many enterprise customers, and many of them come up with the same request: assign the license only for specific workloads in Office 365, because they prefer not to license any workload for which they haven’t done the planning and implementation according to their business and security requirements. I support and highly recommend this approach; it is a best practice that keeps your services secure and controlled. If you have a customer with a few thousand licenses, it is not feasible to assign them via the Office 365 GUI, and bulk assigning customized licenses in Office 365 using PowerShell is the optimal method to achieve your goal.

This blog post focuses on customizing the E3 license so that only Exchange Online, Skype for Business, Azure Rights Management and Office ProPlus are assigned to the user population.

Bulk Assigning Customized licenses in Office 365 using PowerShell

Bulk assigning customized licenses in Office 365 using PowerShell requires you to perform the following steps in PowerShell.

  • Log in to a machine that has the Windows Azure PowerShell module installed and launch the PowerShell console
  • Run the following cmdlet and enter your Office 365 Global Admin credentials at the prompt

$creds = Get-Credential

  • Enter the following cmdlet to connect to Office 365 PowerShell

Connect-MsolService -Credential $creds

  • Once you are connected with Microsoft Online Services, run the following cmdlet to get the AccountSkuId and SkuPartNumber

Get-MsolAccountSku | Format-Table AccountSkuId, SkuPartNumber

  • Make a note of AccountSkuId and SkuPartNumber as we need these for our next step
  • Run the following cmdlet to get the status of your provisioned services. Use the SkuPartNumber returned by the previous cmdlet. As we are only working on the E3 license, our SkuPartNumber is “EnterprisePack”

$ServicePlan = Get-MsolAccountSku | Where-Object {$_.SkuPartNumber -eq "EnterprisePack"}

  • Run the following cmdlet to check the status of service provisioning

$ServicePlan.ServiceStatus

Ignore the status of PendingActivation for Intune_O365 as we are not leveraging Intune in our infrastructure.

The cmdlet returns all service plans that come with the E3 license (EnterprisePack). As you can see, we have received the following services as part of our E3 license:

  • FLOW_O365_P2
  • POWERAPPS_O365_P2
  • TEAMS1
  • PROJECTWORKMANAGEMENT
  • SWAY
  • INTUNE_O365
  • YAMMER_ENTERPRISE
  • RMS_S_ENTERPRISE
  • OFFICESUBSCRIPTION
  • MCOSTANDARD
  • SHAREPOINTWAC
  • SHAREPOINTENTERPRISE
  • EXCHANGE_S_ENTERPRISE

  • Now that we have all the service plans available as part of our E3 license, the next step is to create a custom license SKU based on your requirements. In our current scenario, I was required to allow only Exchange, Azure Rights Management, Skype and Office ProPlus for end users. This is done by disabling the plans that we do not want to make available to end users. Run the following cmdlet to disable the undesired plans

$LicOptions = New-MsolLicenseOptions -AccountSkuId "365talk:ENTERPRISEPACK" -DisabledPlans FLOW_O365_P2,POWERAPPS_O365_P2,TEAMS1,PROJECTWORKMANAGEMENT,SWAY,YAMMER_ENTERPRISE,SHAREPOINTWAC,SHAREPOINTENTERPRISE

  • Once the license options are customized, you can proceed to apply the licenses to users

$AccountSkuId = "365talk:ENTERPRISEPACK"

$UsageLocation = "PK"

# The CSV needs a UserPrincipalName column
$Users = Import-Csv "C:\Temp\users.csv"

# Set the usage location first, then add the license with the customized options
$Users | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation
    Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId -LicenseOptions $LicOptions
}

  • Once the license is assigned, log in to Office 365, navigate to Users > Active users and search for the user account to which you have assigned a custom license. You will see that a customized E3 license with the desired workloads is assigned to the user, with the usage location set to Pakistan

This script and the sample CSV file are being uploaded to the TechNet Gallery. You can download the script and modify the workloads based on your needs to bulk assign licenses to users with PowerShell.
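One way to run the same procedure from an allow-list rather than a deny-list (an added example, not the author's TechNet script): -DisabledPlans only switches off the plans it names, so the command above leaves INTUNE_O365 enabled along with anything else not listed. This version derives the disabled set from the SKU itself, which also disables INTUNE_O365, handles users who already hold the license, and reads each user back to confirm the result; the report path C:\Temp\license-results.csv is an assumption.

```powershell
# Added example, not the author's TechNet script. Assumes Connect-MsolService has run.
$AccountSkuId  = '365talk:ENTERPRISEPACK'
$UsageLocation = 'PK'
# Allow-list: the four workloads this post wants users to have (names from the list above)
$AllowedPlans  = 'EXCHANGE_S_ENTERPRISE', 'MCOSTANDARD', 'RMS_S_ENTERPRISE', 'OFFICESUBSCRIPTION'

$Sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
if (-not $Sku) { throw "SKU $AccountSkuId not found in this tenant" }

# Disable every plan in the SKU that is not explicitly allowed
$SkuPlans = $Sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName }
$Missing  = $AllowedPlans | Where-Object { $_ -notin $SkuPlans }
if ($Missing) { throw "Allowed plan(s) not in SKU: $($Missing -join ', ')" }
$DisabledPlans = $SkuPlans | Where-Object { $_ -notin $AllowedPlans }
$LicOptions = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $DisabledPlans

$Results = foreach ($Row in Import-Csv 'C:\Temp\users.csv') {
    $Upn = $Row.UserPrincipalName
    try {
        $User = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
        Set-MsolUser -UserPrincipalName $Upn -UsageLocation $UsageLocation -ErrorAction Stop
        $Params = @{ UserPrincipalName = $Upn; LicenseOptions = $LicOptions; ErrorAction = 'Stop' }
        # -AddLicenses fails for a user who already holds the SKU; only re-apply options then
        if ($User.Licenses.AccountSkuId -notcontains $AccountSkuId) { $Params.AddLicenses = $AccountSkuId }
        Set-MsolUserLicense @Params

        # Read back and flag any plan that is enabled but not on the allow-list
        $After = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
        $Lic   = $After.Licenses | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
        $Extra = $Lic.ServiceStatus |
            Where-Object { $_.ProvisioningStatus -ne 'Disabled' -and $_.ServicePlan.ServiceName -notin $AllowedPlans } |
            ForEach-Object { $_.ServicePlan.ServiceName }
        [pscustomobject]@{ User = $Upn; Status = 'OK'; UsageLocation = $After.UsageLocation; UnexpectedPlans = $Extra -join ',' }
    } catch {
        [pscustomobject]@{ User = $Upn; Status = "FAILED: $($_.Exception.Message)"; UsageLocation = ''; UnexpectedPlans = '' }
    }
}

# Output path is an assumption; keep the report as evidence of what was assigned
$Results | Export-Csv 'C:\Temp\license-results.csv' -NoTypeInformation
$Results | Where-Object { $_.Status -ne 'OK' -or $_.UnexpectedPlans }
```

The last line prints only the rows that need attention: users whose assignment failed or who still have a plan enabled outside the allow-list.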

 

Mystery of Office 365 UsageLocation

Office 365 Features Limitations/Restrictions by Location

Many people are confused by, or have never really thought about, why we need to specify a usage location while assigning a license to an end user in Office 365. What’s the purpose of UsageLocation? Is it the same as the Country field populated in Active Directory?

If you look at a cloud user via PowerShell, you’ll notice that there is a separate “UsageLocation” attribute. This attribute is the one used while assigning a license to a user in Office 365. Some features in Office 365 are not allowed in certain countries, and Microsoft determines this with the help of the UsageLocation attribute. When you assign a license to a user and specify the usage location of Office 365 services, Microsoft applies usage restrictions to those particular users based on their usage location. For example, Hosted Voice Mail and Lync audio/video are not allowed in Brunei, and if you try to enable Hosted Voice Mail for a user with a “UsageLocation” of Brunei, you’ll get an error message stating that “This feature is not available in the location indicated in this user’s UsageLocation”. Now that we understand the reason behind this attribute, there are a couple of ways to set the usage location for users in Office 365.

  • Office 365 Portal
  • Local Active Directory

When you assign a license to a user in the Office 365 portal, using PowerShell or the GUI, you specify a UsageLocation. You can also specify UsageLocation in the local Active Directory, and DirSync or AAD Sync can sync the usage location to Office 365 and override the information. If you look at the connectors in DirSync and AADSync, you’ll see that “UsageLocation” in Azure Active Directory is mapped to “msExchUsageLocation” on-premises. You can populate the attribute either in the cloud or on-premises. Most attributes are only writable on one side or the other. Based on the flow rules, the on-premises value takes precedence and overwrites existing data in the cloud.

Valid values for “msExchUsageLocation” appear to be the same as those for the “Country” field (attribute name = “c”); basically it’s the 2-letter ISO code for the country.

Usage Restriction details can be found here.