Step by Step Directions for Techs

Tag Archives: o365

How to automatically assign licenses in Office 365

Well, you can’t.  Have a great day!

Aside from this being super helpful, I have a workaround for you based on this post from Microsoft (it has a few minor errors) – 

This file (rename it to ZIP) has the Powershell files: O365LicenseScripts

This assumes that you have the MS Online Services Sign-In Assistant (you already have this if DirSync is installed) and Microsoft Online Services Module for PowerShell (found here

How to get it working:

  • Unzip the files to C:\O365LicenseScripts (or where you keep your scripts).  You can also recreate the scripts from the MSFT post, but there are a few issues with spaces, file names, and it doesn’t set a location for the users before assigning the license.
  • Open Powershell
  • CD to C:\O365LicenseScripts
  • Run .\SetupScript.ps1
    • [Office 365 directory sync account – using the address]
    • [Password for account]
    • Y
    • Y
    • extensionAttribute14
      This is the attribute in AD you are using to identify which users get licenses
    • Office365
      Value that the users will have if in AD they are supposed to have the license
    • extensionAttribute15
      The attribute in AD that has the license name, like OFFICESUBSCRIPTION for Office.
  • This will create several scripts from the TMP files and some text files.

If you run Get-LicensingInputFromAD.ps1, you will see what the system thinks the users should be and their corresponding licenses.

If you run AssignLicense.ps1, it will assign the licenses based on what the Get-LicensingInputFromAD.ps1 script output was (stored in the queuedLicense folder created during setup).

If you want to schedule it, you can use the Schedule.ps1 script.  I won’t go too  far into the weeds, but the command is “powershell.exe” (without the quotes) and the arguement is “-file C:\O365LicenseScripts\Schedule.ps1” (without the quotes).

There is one difference in my scripts.  You will find 2 lines that are commented out in case you don’t want to set the license type in Active Directory.  I often find that most customers only use one license type, so I put in an attribute to say which accounts get the license and then hard set the license in the script (set it in the TMP file otherwise the setup script will delete your work!).

Good luck!


Limit what DirSync… um… syncs

Who really wants to see all those pesky accounts and groups up in Office 365?  Not me (and probably not you if you are reading this).  I want to see accounts that I need to give licenses to.

Disclaimer – you can really mess up Office 365.  Be careful!

  1. In Windows Explorer, navigate to “C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell7”.
  2. Double click miisclient.exe to open this window
  3. Click on “Management Agents” on the toolbar.
  4. This is where the magic happens.  Right click the “Active Directory” agent and choose properties.
  5. Select “Configure Connector Filter”.
  6. Select “user” by scrolling down in the right pane to view the filters for this object.
  7. Add your filters!

But wait!

These filters are for things you don’t want.  As you can see in the image above, I am filtering for users that DO NOT contain “365” in the ExtensionAttribute15 (you can edit that in Active Directory).  By using this, I will only get users that have it.  Consider it a “negative filter”.

Now, before you work on this too long, let me give you some hints:

  1. You can’t filter users based on their group membership.  It has to be an attribute that is in their user account (think about what you can see in Active Directory).
  2. You cannot see attributes that you put in by extending the schema, so you can’t filter on those either.
  3. If you don’t want to sync other objects, like groups, don’t uncheck the object types or delete the joins or anything else like that.  It breaks the sync with Office 365.  Instead filter all the objects out by choosing something that you know every object has.  In this situation, I didn’t want to replicate the groups to O365, so I filtered for every group object that had a GUID:
  4. If you really mess something up, delete the Azure agent and the AD agent and re-run the DirSync configuration.  It will recreate the agents in their vanilla form.  If you messed up Office 365, this may or may not fix it.

That should get you going.  Good luck!