Assign/revoke Microsoft 365 licenses based on group membership priority

Updated on: Jan 18, 2026, Views: 7291

Microsoft 365, Group membership

The script assigns Microsoft 365 licenses to a user, or revokes them, based on the user's AD group membership. If a user is a member of multiple groups, the license is assigned based only on the group that has the highest priority. To execute the script, create a business rule triggering After adding or removing a member from a group.

Parameters

  • $locationProperty - the name of the user property whose value will be used as the user location in Microsoft 365. The value of the property must be represented by a two-letter country code per ISO 3166-1 (e.g. US or DE). Locations of existing Microsoft 365 accounts will remain unchanged.
  • $groupInfo - maps the distinguished names (DNs) of the groups to the corresponding Microsoft 365 licenses. The position of a group in the list determines its priority for license assignment. The licenses must be represented by the corresponding SKU Part Numbers.

$locationProperty = "c" # TODO: modify me
$groupInfo = @(
    @{"CN=My group 1,OU=Groups,DC=domain,DC=com" = "SHAREPOINTLITE"},
    @{"CN=My group 2,OU=Groups,DC=domain,DC=com" = "SHAREPOINTENTERPRISE"},
    @{"CN=My group 3,OU=Groups,DC=domain,DC=com" = "ENTERPRISEPACK"}
) # TODO: modify me. Example $groupInfo = @(@{"<Group1DN>" = "SkuPartNumber1"},@{"<Group2DN>" = "SkuPartNumber2"})

function DisableLicense ($groupInfo, $groupDN, $licenses)
{
    foreach ($info in $groupInfo)
    {
        $items = $info.GetEnumerator()
        $items.MoveNext()
        
        if ($items.Key -ne $groupDN)
        {
            continue
        }

        SetLicenseStatus $licenses $items.Value $False
        return
    }
}

function EnableLicense ($groupInfo, $groupDNs, $licenses)
{
    $enableLicense = $True
    foreach ($info in $groupInfo)
    {
        $items = $info.GetEnumerator()
        $items.MoveNext()
        
        if ($groupDNs -notcontains $items.Key)
        {
            continue
        }
        
        SetLicenseStatus $licenses $items.Value $enableLicense
        $enableLicense = $False
    }
}

function SetLicenseStatus ($licenses, $skuPartNumber, $enableLicense)
{
    foreach ($license in $licenses)
    {
        if ($license.Sku.SkuPartNumber -eq $skuPartNumber)
        {
            $license.Assigned = $enableLicense
            return
        }
    }
}

$member = $Context.BindToObjectEx("Adaxes://%member%", $True)
if ($member.Class -ine "user")
{
    return
}

# Check whether a user is added or removed.
$addToGroup = $Context.Action.IsOperationOfType($Context.TargetObject, "add group members")

# Get Microsoft 365 properties.
$microsoft365Properties = $member.GetMicrosoft365Properties()

# Check location
if ([System.String]::IsNullOrEmpty($microsoft365Properties.Location))
{
    # Get location from the specified property.
    try
    {
        $location = $member.Get($locationProperty)
    }
    catch
    {
        $Context.LogMessage("Location not specified. Microsoft 365 account will not be activated", "Error")
        return
    }
    
    # Set user location
    $microsoft365Properties.Location = $location
}

# Get current group memberships of the new member.
try
{
    $groupGuidsBytes = $member.GetEx("adm-MemberOfGuid")
}
catch
{
    $groupGuidsBytes = @()
}

$groupDNs = New-Object "System.Collections.ArrayList"
foreach ($guidBytes in $groupGuidsBytes)
{
    # Get group DN
    $guid = [Guid]$guidBytes
    $group = $Context.BindToObject("Adaxes://<GUID=$guid>")
    $groupDN = $group.Get("distinguishedName")

    [void]$groupDNs.Add($groupDN)
}

$licenses = $microsoft365Properties.Licenses
if (-not($addToGroup))
{
    # Disable the license for the removed group membership.
    DisableLicense $groupInfo "%distinguishedName%" $licenses
}

# Enable the license for the added group membership, disable other licenses.
EnableLicense $groupInfo $groupDNs $licenses

# Save changes
if ($microsoft365Properties.ContainsModifications)
{
    $member.SetMicrosoft365Properties($microsoft365Properties)
    $member.SetInfo()
}
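
The priority rule above can be previewed before the business rule is enabled. The following is an added example, not part of the original script or of Adaxes: Resolve-LicensePlan is a hypothetical helper that takes the same $groupInfo shape and returns the desired Assigned state per SKU without touching any account. It goes slightly beyond the script in two places: when two listed groups map to the same SKU and the user is in both, the script's EnableLicense switches that SKU off again on the later entry, whereas this helper keeps it on; and the group being removed is always treated as a non-membership.

```powershell
function Resolve-LicensePlan {
    param(
        [Parameter(Mandatory)] [hashtable[]] $GroupInfo,  # same shape as the page's $groupInfo
        [string[]] $MemberOf = @(),                        # DNs of the user's current groups
        [string] $RemovedGroupDN                           # set only when handling a removal
    )
    $plan = [ordered]@{}   # SKU part number -> desired Assigned state; unlisted SKUs stay untouched
    $winnerSku = $null
    foreach ($entry in $GroupInfo) {
        foreach ($dn in $entry.Keys) {
            $sku = $entry[$dn]
            if ($dn -eq $RemovedGroupDN) {
                # Revoke the removed group's SKU unless a remaining group already decided it.
                if (-not $plan.Contains($sku)) { $plan[$sku] = $false }
                continue
            }
            # -notcontains and -eq compare strings case-insensitively, as DNs require.
            if ($MemberOf -notcontains $dn) { continue }
            if ($null -eq $winnerSku) {
                # First matching group in list order has the highest priority.
                $winnerSku = $sku
                $plan[$sku] = $true
            }
            elseif ($sku -ne $winnerSku) {
                # Lower-priority group: revoke, unless it names the winning SKU.
                $plan[$sku] = $false
            }
        }
    }
    return $plan
}

# Constructed sample data: group 2 and group 3 deliberately share one SKU.
$groupInfo = @(
    @{"CN=My group 1,OU=Groups,DC=domain,DC=com" = "SHAREPOINTLITE"},
    @{"CN=My group 2,OU=Groups,DC=domain,DC=com" = "ENTERPRISEPACK"},
    @{"CN=My group 3,OU=Groups,DC=domain,DC=com" = "ENTERPRISEPACK"}
)
$memberOf = @("cn=my group 2,ou=groups,dc=domain,dc=com",
              "CN=My group 3,OU=Groups,DC=domain,DC=com")
$plan = Resolve-LicensePlan -GroupInfo $groupInfo -MemberOf $memberOf `
    -RemovedGroupDN "CN=My group 1,OU=Groups,DC=domain,DC=com"
$plan.GetEnumerator() | ForEach-Object { "{0,-16} Assigned={1}" -f $_.Key, $_.Value }
```

Comparing this plan with the licenses a user actually holds shows which entitlements the rule would grant or revoke, which helps when reviewing the group order for unintended access.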

Comments 2

  • NicolasL

    I've got some issue with this script: nothing seems to work, I've got an error with getoffice365properties

    • Support

      Hello Nicolas,

      Thank you for pointing out the issue. The script was not updated for Adaxes 2023 (methods GetOffice365Properties and SetOffice365Properties no longer exist). We made the corresponding changes. Please clear your browser cache and copy the script from the article again.
