locked
Help with an Office365 license cleanup script RRS feed

  • Question

  • Ultimately I want this script to

    1. find all users who have been disabled but still have any license assigned
    2. Disable MFA on those users
    3. Place users in Litigation Hold

    Its runs fine until it gets to Removing additional Licenses ...

    ## Define licenses
    $exch1 = "contoso:EXCHANGESTANDARD"
    $exch2 = "contoso:EXCHANGEENTERPRISE"
    $bizprem = "contoso:O365_BUSINESS_PREMIUM"
    $visio = "contoso:VISIOCLIENT"
    $e3 = "contoso:ENTERPRISEPACK"
    $e5 = "contoso:ENTERPRISEPREMIUM"
    $1drive = "contoso:WACONEDRIVESTANDARD"
    $arm = "contoso:RIGHTSMANAGEMENT"
    $aad = "contoso:AAD_PREMIUM_P2"
    $sharepoint = "contoso:SHAREPOINTENTERPRISE"
    $pwrbi = "contoso:POWER_BI_STANDARD"
    $intune = "contoso:INTUNE_A"
    $skype = "contoso:MCOSTANDARD"
    $atp = "contoso:ATP_ENTERPRISE"
    $flow = "contoso:FLOW_FREE"
    
    ## Get all Users who have disabled account but still have a license assigned
    Write-Host "Getting all users who are disabled and have a license assigned......"
    $disabledButLicensed = Get-MsolUser -All | where {$_.BlockCredential -eq $true -and $_.IsLicensed -eq $true}
    
    ## Disable MFA
    Write-Host "Disabling MFA......"
    $St = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $St.RelyingParty = "*"
    $Sta = @()
    $disabledButLicensed | foreach { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $Sta }
    
    ## Remove any additional licenses
    Write-Host "Removing additional licenses......"
    $disabledButLicensed | foreach { Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses 'contoso:ATP_ENTERPRISE','contoso:AAD_PREMIUM_P2','contoso:EXCHANGESTANDARD','contoso:O365_BUSINESS_PREMIUM','contoso:VISIOCLIENT','contoso:ENTERPRISEPACK','contoso:ENTERPRISEPREMIUM','contoso:WACONEDRIVESTANDARD','contoso:RIGHTSMANAGEMENT','contoso:SHAREPOINTENTERPRISE','contoso:POWER_BI_STANDARD','contoso:INTUNE_A','contoso:MCOSTANDARD','contoso:FLOW_FREE'}
    
    ## Add Exchange Plan 2 Licenses
    Write-Host "Adding Exchange Plan 2 licenses...."
    $disabledButLicensed | foreach { Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $exch2}
    
    ## Pause for 5 minutes so that licenses replicate
    Write-Host "Pausing for 5 minutes to allow replication......"
    Start-Sleep -s 300
    
    ## Put Accounts in Litigation Hold
    Write-Host "Putting accounts in litigation hold......"
    $disabledButLicensed | foreach { Set-Mailbox -Identity $_.UserPrincipalName -LitigationHoldEnabled $True }
    
    ## Remove Exchange Plan 2 and all other licenses
    Write-Host "Removing Exchange Plan 2 licenses......"
    $disabledButLicensed | foreach { Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses $exch2 }
    


    Monday, November 26, 2018 2:02 PM

All replies

  • You fail to post the error message.


    \_(ツ)_/

    Monday, November 26, 2018 3:09 PM
  • ahh sorry!  Here is the error message:

    Set-MsolUserLicense : Unable to assign this license because it is invalid. Use the Get-MsolAccountSku cmdlet to retrieve a list of
    valid licenses.
    At line:1 char:34
    + ... | foreach { Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalNa ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (:) [Set-MsolUserLicense], MicrosoftOnlineException
        + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InvalidUserLicenseException,Microsoft.Online.Administration.
       Automation.SetUserLicense
    FYI for the sake of privacy I've replaced my tenant ID with contoso in the script I posted originally.  I mention this since the error message points to an "invalid" license.


    Monday, November 26, 2018 5:09 PM
  • Hi, 

    This may occur because the current user already is without (anyone at the licenses array) the license. Try put -ErrorAction SilentlyContinue

    at the end of command:

    ...oso:FLOW_FREE'} -ErrorAction SilentlyContinue


    Monday, November 26, 2018 5:33 PM
  • ahh sorry!  Here is the error message:

    Set-MsolUserLicense : Unable to assign this license because it is invalid. Use the Get-MsolAccountSku cmdlet to retrieve a list of
    valid licenses.
    At line:1 char:34
    + ... | foreach { Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalNa ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OperationStopped: (:) [Set-MsolUserLicense], MicrosoftOnlineException
        + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InvalidUserLicenseException,Microsoft.Online.Administration.
       Automation.SetUserLicense
    FYI for the sake of privacy I've replaced my tenant ID with contoso in the script I posted originally.  I mention this since the error message points to an "invalid" license.


    Please read the error message as it tells you exactly what to do to fix this.

    "Unableto assign thislicense because it isinvalid. Usethe Get-MsolAccountSkucmdlet to retrieve a list of valid licenses."
     


    \_(ツ)_/

    Monday, November 26, 2018 7:01 PM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Tuesday, December 4, 2018 7:53 AM