Windows AAD connector for FIM - Licensing Office365

  • Question

  • We are using the Windows AAD connector from FIM sync for provisioning Office365 users. How do I handle the Office365 licensing part? We really don't have customised licensing for our users, just one license type for all users. What are the ways I can handle the licensing?
    Monday, June 29, 2015 3:54 PM


All replies

  • It is not possible with the Windows AAD connector for FIM, but as you use FIM anyway - use the PowerShell Management Agent (Microsoft's or Soren's) to license users in the cloud :)

    We have a couple of deployments where we manage O365 licenses that way :)


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Monday, June 29, 2015 6:33 PM
  • Thank you! I installed the Microsoft PowerShell connector. What do I have to enter as the server name in the Connectivity tab? It is Office365 in the cloud.
    Monday, June 29, 2015 6:56 PM
  • You can leave it blank as far as I remember (I use Soren's MA more often). It would use localhost then, as either way you would need to run PowerShell locally to connect to O365 and invoke some commands in the cloud.

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Marked as answer by fim_sc Monday, June 29, 2015 7:40 PM
    Monday, June 29, 2015 7:12 PM
  • Hello,

    at one customer with a simple solution I ran a PowerShell script right after the confirming import which sets a license for all users in that domain which don't have a license.

    This script goes like:

    # Import the Azure AD PowerShell module (MSOnline)
    Import-Module MSOnline
     
    # Build a credential object for authentication
    # (plain-text password as posted; the author notes further down that it should be stored encrypted)
    $secpasswd = ConvertTo-SecureString "MyAzurePW" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("Account@MyDomain.onmicrosoft.com", $secpasswd)
     
    # Connect to the MSOL service
    Connect-MsolService -Credential $mycreds
     
    # Get all synchronized Azure users without a license and assign the Intune license to them.
    # Only users synced from on-premises AD are returned, so cloud-only accounts are left untouched.
    $UserList = Get-MsolUser -All -Synchronized -UnlicensedUsersOnly
     
    Write-Output "Starting Intune License Activation PowerShell Script."
    foreach ($user in $UserList)
    {
        # "MyOrga:INTUNE_A" is the tenant-specific AccountSkuId; the user must already have a UsageLocation set
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses "MyOrga:INTUNE_A"
        $username = $user.UserPrincipalName
        Write-Output "Added license for user: $username"
    }

    This is from my simple WAAD Connector sample on my blog: https://justidm.wordpress.com/2014/10/27/a-minimalistic-fim-aad-sync-connector-solution-for-windows-intune/

    The script is for the Intune license but you can easily modify it for O365.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com



    • Edited by Peter_Stapf Monday, June 29, 2015 7:14 PM
    • Marked as answer by fim_sc Monday, June 29, 2015 7:40 PM
    Monday, June 29, 2015 7:12 PM
  • Peter,

    How/where do you call this script? Your blog says 'call the script after the confirming import of the run'. Could you please explain it?

    Monday, June 29, 2015 7:43 PM
  • Hello,

    I have written my own PowerShell MA RunProfile Scheduler which can call scripts before and after any run profile. So after exporting (and a delta import for confirmation) data to Azure AD I run the above script.

    This script searches Azure AD for synchronized users only which don't currently have a license and applies a license to those users. Simple but effective, and it doesn't touch other "Azure only" accounts like the sync service account.

    Other Azure licenses can also be attached to users via group membership; I've done this with AD Premium, EMS and ECS, but I remember that this is not possible for O365.

    The above script has worked fine in my customer's productive env. for months now. The password part should be more secure, I know, and I'm on the way to saving the credentials as an encrypted file. But it works as expected.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by fim_sc Monday, June 29, 2015 9:32 PM
    Monday, June 29, 2015 9:15 PM
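    An added example (not Peter's script and not the code from his blog) of the same licensing step with the password kept out of the script: the credential is stored once with Export-Clixml (DPAPI-protected, readable only by the same Windows account on the same machine), the tenant's free units are checked before assigning, and UsageLocation is set where missing because Set-MsolUserLicense fails without it. The file path, SKU id and usage location are placeholders.

    ```powershell
    # Added example, not from the thread. Assumes the MSOnline module is installed and
    # that this runs as the same Windows account that created the credential file.
    Import-Module MSOnline

    $CredPath      = "C:\FIM\Scripts\msol-cred.xml"   # placeholder path
    $SkuId         = "MyOrga:ENTERPRISEPACK"           # placeholder AccountSkuId, see Get-MsolAccountSku
    $UsageLocation = "DE"                               # placeholder ISO country code

    # First run (interactive, as the scheduled account): store the credential encrypted.
    # Export-Clixml protects the SecureString with DPAPI, so no password sits in the script.
    if (-not (Test-Path $CredPath)) {
        Get-Credential -Message "MSOL service account" | Export-Clixml -Path $CredPath
    }
    $cred = Import-Clixml -Path $CredPath

    Connect-MsolService -Credential $cred -ErrorAction Stop

    # Check the tenant actually has free units before touching any user.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $SkuId }
    if (-not $sku) { throw "SKU $SkuId not found in tenant" }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits

    # Synchronized users only, so cloud-only accounts (e.g. the sync service account) are skipped.
    $users = @(Get-MsolUser -All -Synchronized -UnlicensedUsersOnly)
    Write-Output ("{0} synchronized users without a license, {1} free units" -f $users.Count, $free)

    foreach ($user in $users) {
        if ($free -le 0) { Write-Warning "No free units left, stopping"; break }
        try {
            # Set-MsolUserLicense fails when UsageLocation is empty, so set it first.
            if (-not $user.UsageLocation) {
                Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UsageLocation $UsageLocation -ErrorAction Stop
            }
            Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $SkuId -ErrorAction Stop
            $free--
            Write-Output "Added license $SkuId for $($user.UserPrincipalName)"
        } catch {
            # One failing user must not stop the rest of the batch; the warning is the audit trail.
            Write-Warning "Failed for $($user.UserPrincipalName): $($_.Exception.Message)"
        }
    }
    ```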
  • That's awesome. I got the script working but don't know how I can call it using the Microsoft connector. I am very new to the PowerShell connector. I am trying to get past the Connectivity tab. There are many script tabs: common module script, validation script, schema script... Any idea where I would call the script?

    I read this article.

    https://technet.microsoft.com/en-us/library/dn640417%28v=ws.10%29.aspx

    All I need to do is run the script to set O365 licensing. It looks like the schema script is mandatory. How would I import the schema?

    • Edited by fim_sc Monday, June 29, 2015 10:00 PM
    Monday, June 29, 2015 9:35 PM
  • Hello,

    I never used the Microsoft PowerShell MA, I mostly use Soren's PS MA, but in general you need a schema script which defines the objects you will have in this MA.

    In this case users, and I think you only need a very limited number of attributes like an ID and account name.

    Then you will need a PS script to import the users from Azure AD; in the export script you can then use my PS license script and modify it to act only on one user at a time.

    So you will call this script multiple times (for each user) on export.

    If the above script works fine for you, I would not call it from a PS MA; instead let it run right after the export of the WAAD MA, like I do.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Tuesday, June 30, 2015 7:33 AM
  • I am using a FIM portal outbound sync rule to the Office365 account. What should the DN value be? Should it be the sourceAnchor (objectGUID from AD) or accountname@domainname? I had accountname@domainname as the DN. After the export runs of AD and Azure, AD synced the objectGUID and it renamed the DN in Azure. It stopped working all of a sudden.

    The object is created in Azure at the first export. When the source anchor is exported in the next sync cycle (after AD sync), I am getting a "useraccountEnabledMissing" error. AccountEnabled is already set when the object is created. Any idea why it is throwing this error?


    Also, how do I validate the presence of the source anchor before triggering the export through the FIM portal OSR? I could see Equal, no starts with, contains, etc. but not IsPresent.
    • Edited by fim_sc Tuesday, July 7, 2015 7:46 PM
    Tuesday, July 7, 2015 7:41 PM
  • Hello,

    never had that issue.

    As you can see from my blog post I mentioned above, I set the sourceAnchor as the DN when provisioning objects to Azure, not the UPN. After that I simply let AccountEnabled flow as a direct flow.

    It doesn't matter if you use sync rules or a code extension.

    I assume you use an outbound scope filter based OSR (not Set/MPR/Workflow), so there is no IsPresent; instead you can use: sourceAnchor starts with %

    This should do the trick.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by fim_sc Wednesday, July 8, 2015 1:30 PM
    Wednesday, July 8, 2015 8:04 AM
  • Yes, it worked. Thank you!
    Wednesday, July 8, 2015 1:30 PM