<h2>The Story</h2>
<p>I got a request to place users into security groups for management purposes. The client already has active users, but many of those users have left the workplace and still have E3 or E1 licenses, which they should not have since these are pricey licenses, and backing up users’ details is the easiest and most cost-effective way of handling this.</p>
<h2>So, to start (prerequisites):</h2>
<p>Group-based license management is a new feature. It was introduced in 2019 and not many people know that it is there. However, this feature doesn’t come for free, as you know (since it’s Microsoft), and you must have a license for it or at least have users on the E3 licensing model. So the requirements are:</p>
<ul>
<li>Azure AD Premium P1 or higher</li>
<li>Office 365 E3 or higher</li>
<li>EMS or higher</li>
</ul>
<h2>How does it work?</h2>
<p>To get this to work, you need to plan where you want to manage those groups and their licenses from: online or on-premises?</p>
<h2>If Online</h2>
<p>If you’re going to do this online, then you need to create a group for each Licensing Model which represents the intended License and its users e.g. Office365-E1 is going to be created as a security group and dedicated to E1 License users.</p>
<p>Office365-E3 will also be created the same way and users of License type E3 will be added to it.</p>
<h2>If On-Premises</h2>
<p>If you’re going to manage those groups on-premises, then you must have the ADConnect (Azure AD Sync) tool to sync those groups after creating them.</p>
<p>In my case I have created those groups in the following manner:</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-22.png"><img style="display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-22.png" alt="image" width="1028" height="200" border="0" /></a> 

</p>
<p>After creating those groups, you will need to sync them to Office 365 using ADConnect. To force this sync to run immediately, open PowerShell on the Azure AD Connect server and type:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Start-ADSyncSyncCycle -PolicyType delta</pre>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-24.png"><img style="display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-23.png" alt="image" width="419" height="150" border="0" /></a></p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-23.png"><img style="display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-24.png" alt="image" width="110" height="147" border="0" /></a></p>
<h2>What If I have users already assigned with License?</h2>
<p>If you have users already assigned licenses and want to manage them using group-based licensing, then you’re going to have to get a list of all your users with their license information into a CSV file and import those users into the groups you created based on the license they have.</p>
<p>I created a PowerShell script that matches users’ names and, based on the license mentioned in the CSV file, adds them to the relevant group, but first you need to export the users from Office 365.</p>
<h2>Export Users and their license from Office 365</h2>
<p>First of all, we’ll connect to the Office 365 MSOL service using online PowerShell.</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-25.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-25.png" alt="image" width="1028" height="220" border="0" /></a></p>
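<pre class="EnlighterJSRAW" data-enlighter-language="generic"># -join keeps multi-value fields readable; without it Export-Csv writes the collection's type name instead of its values
Get-MsolUser -All | Where-Object { $_.IsLicensed -eq $true } | Select-Object DisplayName,UsageLocation,@{n="Licenses Type";e={$_.Licenses.AccountSkuId -join ";"}},SignInName,UserPrincipalName,@{n="ProxyAddresses";e={$_.ProxyAddresses -join ";"}} | Export-Csv -Path C:\ExportlicenseUsage.csv -NoTypeInformation</pre>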
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-26.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-26.png" alt="image" width="1028" height="55" border="0" /></a></p>
<p>So this is how my CSV looks right after I exported the users. We need to do some tuning on this CSV file to clean it and get it ready for our PowerShell script.</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-27.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-27.png" alt="image" width="1028" height="114" border="0" /></a></p>
<p>There are a total of 6 columns in this file. If for whatever reason you want to use ProxyAddresses to distinguish users, feel free to keep that column and use it in the script, but in my case I didn’t need it so I deleted the entire column.</p>
<h2>So I will keep the following (remove the space in “Licenses Type”)</h2>
<ul>
<li>DisplayName</li>
<li>UsageLocation</li>
<li>LicensesType</li>
<li>SignInName</li>
<li>UserPrincipalName</li>
</ul>
<p>The Value of the License Type is usually formatted like this “TenantName: License” and in order to make this column useful I am going to remove the Tenant name from all the cells.</p>
<p>Find and Replace can easily remove and clean these values for you.</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-28.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-28.png" alt="image" width="659" height="418" border="0" /></a></p>
<p>After cleaning the column, this is how it looks</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-29.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-29.png" alt="image" width="302" height="772" border="0" /></a></p>
<p>This should be useful for us now along with the PowerShell to add the users to their relevant groups.</p>
<h2>On Active Directory from an elevated PowerShell</h2>
<p>Run PowerShell ISE from a privileged account, then copy and paste this script into ISE:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic"># Requires the ActiveDirectory module and rights to change group membership
Import-Module ActiveDirectory

$ImportedUsers = Import-Csv "C:\Users\AD\Desktop\ExportlicenseUsage.csv"

# On-premises security groups, one per license
$E3 = "E3-Office365"
$E1 = "E1-Office365"
$EMS = "EMS-Office365"

Foreach ($ImportedUser in $ImportedUsers) {
    $License = $ImportedUser.LicensesType
    $ImportedUPN = $ImportedUser.UserPrincipalName
    if (-not $ImportedUPN) { continue }

    # Fetch only the matching AD user instead of reading every user on each pass
    $User = Get-ADUser -Filter { UserPrincipalName -eq $ImportedUPN }
    if (-not $User) {
        Write-Warning "$ImportedUPN was not found in Active Directory, skipping"
        continue
    }

    # The exported CSV has no SamAccountName column, so take it from the AD object
    $Sam = $User.SamAccountName
    $UPN = $User.UserPrincipalName

    # -match on every branch: -Contains against a string only succeeds when the whole cell is equal
    if ($License -match "EMS") {
        Add-ADGroupMember -Identity $EMS -Members $Sam
        Write-Host $UPN "User has EMS License and has been added to the Group EMS" -ForegroundColor DarkGreen -BackgroundColor White
    }
    ElseIf ($License -match "STANDARDPACK") {
        Add-ADGroupMember -Identity $E1 -Members $Sam
        Write-Host $UPN "User has E1 License and has been added to the Group E1" -ForegroundColor Black -BackgroundColor Green
    }
    ElseIf ($License -match "ENTERPRISEPACK") {
        Add-ADGroupMember -Identity $E3 -Members $Sam
        Write-Host $UPN "User has E3 License and has been added to the Group E3" -ForegroundColor Blue -BackgroundColor White
    }
}</pre>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-30.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-30.png" alt="image" width="682" height="108" border="0" /></a></p>
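<p>A read-only pass over the same CSV shows what the membership script would do and flags accounts that should not be handed a group license, such as leavers. This is an added example, not the author’s script: the SKU-to-group map reuses the group names above, while the review file name and the rule that a disabled AD account means the user has left are assumptions.</p>

```powershell
# Added example: read-only pre-flight report. Nothing here changes group membership.
Import-Module ActiveDirectory

# SKU fragment mapped to the on-premises group names used in this post
$SkuToGroup = [ordered]@{
    'EMS'            = 'EMS-Office365'
    'STANDARDPACK'   = 'E1-Office365'
    'ENTERPRISEPACK' = 'E3-Office365'
}

$Rows = Import-Csv "C:\Users\AD\Desktop\ExportlicenseUsage.csv"

$Report = foreach ($Row in $Rows) {
    $Upn = $Row.UserPrincipalName

    # Split multi-license cells and drop any "TenantName:" prefix left after clean-up
    $Skus = @($Row.LicensesType -split '[;, ]+' |
        ForEach-Object { ($_ -split ':')[-1] } | Where-Object { $_ })

    # Every group this row maps to (a user can hold more than one license)
    $Groups = @($SkuToGroup.Keys | Where-Object { $Skus -match $_ } |
        ForEach-Object { $SkuToGroup[$_] })

    $User = if ($Upn) { Get-ADUser -Filter { UserPrincipalName -eq $Upn } }

    # Assumption: a disabled AD account belongs to someone who has left
    $Action = if (-not $User) { 'SKIP: not found in AD' }
    elseif (-not $User.Enabled) { 'REVIEW: disabled account still licensed' }
    elseif ($Groups.Count -eq 0) { 'REVIEW: no group mapped for this SKU' }
    else { 'ADD' }

    [pscustomobject]@{
        UserPrincipalName = $Upn
        Skus              = $Skus -join ';'
        Groups            = $Groups -join ';'
        Action            = $Action
    }
}

# Review everything that is not a plain ADD before running the membership script
$Report | Sort-Object Action, UserPrincipalName | Format-Table -AutoSize
# Hypothetical output path for the rows that need a decision
$Report | Where-Object { $_.Action -ne 'ADD' } |
    Export-Csv "C:\Users\AD\Desktop\LicenseGroupReview.csv" -NoTypeInformation
```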
<h2>Enabling Group Based License from Azure Portal</h2>
<p>After this script finishes, I can open Azure Portal</p>
<p>From Azure Active Directory &gt; Licenses &gt; All Products</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-31.png"><img style="display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-31.png" alt="image" width="163" height="499" border="0" /></a> <a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-32.png"><img style="display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-32.png" alt="image" width="170" height="292" border="0" /></a> <a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-33.png"><img style="display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-33.png" alt="image" width="118" height="161" border="0" /></a></p>
<p>I will choose the license that I want to assign to a group which I have created in my on-premises AD.</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-34.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-34.png" alt="image" width="1028" height="282" border="0" /></a></p>
<p>Click on the License (Office 365 E1) and choose Assign from top menu</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-35.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-35.png" alt="image" width="1021" height="315" border="0" /></a></p>
<p>Make sure you select the assignment options and customize the license according to the products you want your group members to use, then click on Users and Groups and select the relevant group which you’ve created (in my case it’s E1-Office365).</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-36.png"><img style="display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-36.png" alt="image" width="1028" height="153" border="0" /></a></p>
<p>Here, the group has been assigned.</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-37.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-37.png" alt="image" width="1028" height="256" border="0" /></a></p>
<p>Click assign and you should be done</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-38.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-38.png" alt="image" width="560" height="492" border="0" /></a></p>
<p>We will do the same for E3 Users</p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-39.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-39.png" alt="image" width="1028" height="246" border="0" /></a></p>
<p><a href="https://www.moh10ly.com/wp-content/uploads/2019/12/image-40.png"><img style="margin: 0px; display: inline; background-image: none;" title="image" src="https://www.moh10ly.com/wp-content/uploads/2019/12/image_thumb-40.png" alt="image" width="1028" height="302" border="0" /></a></p>
<h2>NOTE</h2>
<p>From now on, removing any user from this group will revoke their license and any service connected to it. You must be very careful when removing users from this group.</p>
<p>Microsoft has done a great job covering this thoroughly and in great detail, including scripts to do many things like finding users who have a license inherited from a group or assigned manually. I am writing down the references in case you are curious about these.</p>
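<p>Users who were licensed before the migration keep their direct assignment alongside the one inherited from the group, so removing such a user from the group does not free the license until the direct assignment is also removed. The following added example (not the author’s code) lists how each license is assigned; it assumes an existing MSOL session as in the export step and relies on the <code>GroupsAssigningLicense</code> property that the MSOnline module returns for each license.</p>

```powershell
# Added example: report whether each license is direct, inherited from a group, or both.
# Assumes Connect-MsolService has already been run, as in the export step.
function Get-LicenseAssignmentSource {
    param([Parameter(Mandatory)] $User)   # one object from Get-MsolUser

    foreach ($License in $User.Licenses) {
        # Object IDs of whatever assigned this license; null entries are dropped
        $Sources = @($License.GroupsAssigningLicense | Where-Object { $_ })

        # An empty list, or the user's own ObjectId in it, means a direct assignment
        $Direct = ($Sources.Count -eq 0) -or ($Sources -contains $User.ObjectId)

        # Any other ObjectId in the list is a group the license is inherited from
        $Inherited = @($Sources | Where-Object { $_ -ne $User.ObjectId }).Count -gt 0

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            AccountSkuId      = $License.AccountSkuId
            Direct            = $Direct
            Inherited         = $Inherited
        }
    }
}

$Assignments = Get-MsolUser -All | Where-Object { $_.IsLicensed } |
    ForEach-Object { Get-LicenseAssignmentSource -User $_ }

# Licensed both ways: group removal alone will not revoke these
$Assignments | Where-Object { $_.Direct -and $_.Inherited } |
    Sort-Object UserPrincipalName | Format-Table -AutoSize

# Still direct only: not yet covered by any license group
$Assignments | Where-Object { $_.Direct -and -not $_.Inherited } |
    Sort-Object UserPrincipalName | Format-Table -AutoSize
```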
<h2>References:</h2>
<p><a href="https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-assign">https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-assign</a></p>
<p><a href="https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-ps-examples">https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-ps-examples</a></p>
