SOLVED
Home

Azure AD group-based license management for Office 365 and more

%3CLINGO-SUB%20id%3D%22lingo-sub-47761%22%20slang%3D%22en-US%22%3EAzure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-47761%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20looks%20awesome%20-%20simplify%20licence%20management%20for%20Office%20365%2C%20EMS%2C%20Dynamics%20365%20and%20more%20with%20the%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fenterprisemobility%2F2017%2F02%2F22%2Fannouncing-the-public-preview-of-azure-ad-group-based-license-management-for-office-365-and-more%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Enew%20group-based%20licensing%20preview%20in%20Azure%26nbsp%3BAD%3C%2FA%3E%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EMicrosoft%20cloud%20services%20such%20as%20Office%20365%2C%20Enterprise%20Mobility%20%2B%20Security%2C%20Dynamics%20CRM%2C%20and%20other%20similar%20products%20require%20licenses%20to%20be%20assigned%20to%20each%20user%20who%20needs%20access%20to%20these%20services.%26nbsp%3BUntil%20now%2C%20licenses%20could%20only%20be%20assigned%20at%20individual%20user%20level%2C%20which%20can%20male%20large-scale%20management%20difficult%20for%20our%20customers.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F11100iDE7F18387744EC01%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22all-products-assign.png%22%20title%3D%22all-products-assign.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20have%20introduced%20a%20new%20capability%20of%20the%20Azure%20AD%20license%20management%20system%3A%20group-based%20licensing.%20It%20is%20now%20possible%20to%20assign%20one%20or%20more%20product%20licenses%20to%20a%20group.%20Azure%20AD%20will%20make%20sure%20that%20the%20licenses%20are%20assigned%20to%20all%20members%20of%20the%20group.%20Any%20new%20members%20joining%20the%20group%20will%20be%20assigned%20the%20appropriate%20licenses%20and%20when%20they%20leave%20the%20group%20those%20licenses%20will%20be%20removed.%20This%20eliminates%20the%20need%20for%20automating%20license%20management%20via%20PowerShell%20to%20reflect%20changes%20in%20the%20organization%20and%20departmental%20structure%20on%20a%20per-user%20basis.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F11101i89638781135E871B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22select-a-group2.png%22%20title%3D%22select-a-group2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHere%20is%20the%20documentation%20with%20the%20steps%20to%20get%20started%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-licensing-whatis-azure-portal%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EWhat%20is%20group-based%20licensing%20in%20Azure%20Active%20Directory%3F%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-47761%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEMS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-204422%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-204422%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46%22%20target%3D%22_blank%22%3E%40Paul%20Hunt%20-%20Cimares%3C%2FA%3E%26nbsp%3BI%20like%20your%20quantifier%20%22%3CSPAN%3E(Note%20I%20said%20viable..%20not%20sensible!)%22%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20problem%2C%20of%20course%20is%2C%20if%20a%20thing%20is%20not%20sensible%2C%20someone%20will%20still%20try%20to%20do%20it%20at%20the%20expense%20of%20others%20around%20them.%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20do%20understand%20what%20you%20are%20saying%20though.%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20-%20large%20scale%20corporate%20implementation%20-%26nbsp%3Bwill%20need%20a%20reasonable%20way%20of%20reporting%20on%20it%20or%20preventing%20it.%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EPulling%20the%20data%20per%20user%20per%20license%20per%20service%20down%20from%20the%20tenant%20via%20PowerShell%20then%20republishing%20it%20via%20PowerBI%20is%20also%20viable%20but%20not%20sensible.%20%3B)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMy%20tests%20of%20the%20group-based%20license%20management%20is%20going%20well.%20Its%20value%20is%20clear%20especially%20given%20Microsoft's%20gross%20propensity%20to%20force%26nbsp%3Bservice%20plans%20out%20as%20%22Enabled%20by%20default%22.%20(another%20viable%20not%20sensible%20example)%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-203165%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-203165%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20problem%20here%20isn't%20the%20AD%20Group%20based%20implementation.%20it%20honours%20whatever%20licensing%20rules%20are%20applied%20by%20the%20platform.%20Therefore%20if%20you%20can%20apply%20the%20two%20license%20templates%20in%20the%20Office%20365%20UI%2C%20then%20you%20can%20do%20the%20same%20in%20the%20Group%20Based%20templates.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20instance%2C%20it's%20a%20viable%20solution%20to%20apply%20elements%20from%20both%20E3%20and%20E5%20to%20a%20single%20user%20(Note%20I%20said%20viable..%20not%20sensible!).%20You'll%20find%20that%20you%20can%20tick%20both%20E3%20and%20E5%20in%20the%20Office%20365%20UI.%20If%20you%20tried%20to%20do%20the%20same%20using%20and%20F1%20and%20E3%20or%20F1%20and%20E5%20it%20would%20throw%20an%20error%20in%20the%20UI%20and%20also%20in%20the%20Group%20Based%20licensing%20interfaces.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-203066%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-203066%22%20slang%3D%22en-US%22%3E%3CP%3E%40Deleted%2C%20here's%20where%20you%20could%20add%20in%20to%20Azure%20AD%20ideas%20on%20UserVoice%3A%20%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere's%20some%20Group%20Based%20Licensing%20requests%20in%20there%20already.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-202980%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-202980%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EWe%20found%20that%20the%20%E2%80%9CAzure%20AD%20group-based%20license%20management%E2%80%9D%20(in%20public%20preview)%20is%20not%20currently%20smart%20enough%20to%20recognize%20a%20single%20user%20license%20between%20E3%20and%20E5.%20It%20%E2%80%9Cdouble%20dips%E2%80%9D%2C%20so%20a%20user%20who%20has%20an%20E5%20license%20(direct%20or%20inherited)%20and%20an%20E3%20license%20(direct%20or%20inherited)%20takes%20up%20two%20license%3B%20one%20E3%20and%20one%20E5.%20This%20scenario%20did%20not%20create%20any%20warning%20or%20alert%20from%20the%20system.%20Is%20there%20a%20UserVoice%20style%20area%20to%20communicate%20with%20folks%20evaluating%20what%20will%20be%20GA%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-199941%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-199941%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EWhen%20is%20this%20going%20GA%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-189226%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-189226%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20just%20changed%20our%20licensing%20to%20Office%20365%20E3%20to%20Office%20365%20E5.%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20Kiosk%20to%20F1%20licensing%20is%20there%20any%20reason%20not%20to%20use%20group%20based%20licensing%3F%3C%2FP%3E%3CP%3EThis%20would%20help%20flip%20all%20my%20users%20properly%20and%20also%20remove%20the%20services%20that%20we%20didn't%20want%20to%20go%20live%20quite%20yet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-145214%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-145214%22%20slang%3D%22en-US%22%3E%3CP%3EI%20concur%2C%20when%20is%20this%20going%20GA%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-143493%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143493%22%20slang%3D%22en-US%22%3EI'm%20keen%20to%20understand%20when%20this%20is%20going%20GA%20as%20well.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-122058%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-122058%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%26nbsp%3B%3C%2FP%3E%3CP%3Eas%20I%20understand%20it%20is%20still%20in%20public%20preview.%20So%20my%20question%2C%20do%20you%20have%20a%20timeline%20when%20group-based%20license%20management%20will%20be%20GA%3F%20And%20how%20quick%20will%20it%20be%20available%20(GA)%20in%20the%20German%20Cloud%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%20Thomas%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-109249%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-109249%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-spoiler-container%22%3E%3CA%20class%3D%22lia-spoiler-link%22%20href%3D%22%23%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ESpoiler%3C%2FA%3E%3CNOSCRIPT%3E(Highlight%20to%20read)%3C%2FNOSCRIPT%3E%3CDIV%20class%3D%22lia-spoiler-border%22%3E%3CDIV%20class%3D%22lia-spoiler-content%22%3E%26nbsp%3B%3C%2FDIV%3E%3CNOSCRIPT%3E%3CDIV%20class%3D%22lia-spoiler-noscript-container%22%3E%3CDIV%20class%3D%22lia-spoiler-noscript-content%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FNOSCRIPT%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3EIs%20it%20also%20possible%20to%20get%20an%20export%20from%20for%20example%20all%20the%20users%20with%20the%20E3%20license%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-77767%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-77767%22%20slang%3D%22en-US%22%3EWow!%20Thank%20you!!%20I'm%20going%20to%20dig%20into%20this%20and%20see%20what%20I%20can%20re-use%20for%20my%20environment%2C%20which%20looks%20like%20it%20will%20end%20up%20saving%20us%20more%20time%20here%20too.%20I%20really%20appreciate%20your%20post!!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-77758%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-77758%22%20slang%3D%22en-US%22%3E%3CP%3EGlad%20to%20share.%20%26nbsp%3BBelow%20is%20a%20sanitized%20version%2C%20the%20only%20thing%20you%20really%20have%20to%20do%20is%20set%20your%20AD%20domain%20(line%207)%2C%20and%20then%20create%20your%20Groups%20as%20necessary.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMay%20take%20a%20bit%20to%20disect%20the%20different%20scenarios%20I%20had%20to%20account%20for.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20main%20workhorse%20is%20the%20%3CSTRONG%3EdeltaSync%3C%2FSTRONG%3E%20function%20which%20adds%20and%20removes%20users%20as%20needed%20(instead%20of%20repopulating%20the%20license%20groups).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20%3CSTRONG%3EgetADGroupMembers%3C%2FSTRONG%3E%20function%20gets%20all%20users%20in%20an%20AD%20group%20and%20adds%20them%20to%20an%20array%20variable%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20I%20am%20doing%20is%20basically%20building%20arrays%20of%20users%3A%3C%2FP%3E%3COL%3E%3CLI%3EIterate%20through%20all%20users%20(I%20am%20looking%20for%20users%20that%20have%20an%20Employee%20ID%20attribute%20which%20is%20connected%20to%20our%20HR%20system)%3C%2FLI%3E%3CLI%3EBouncing%20that%20list%20of%20users%20off%20of%20different%20Groups%20which%20will%20determine%20if%20they%20get%20E3's%20versus%20E5's.%20%26nbsp%3B%3C%2FLI%3E%3CLI%3EAlso%20bouncing%20that%20list%20of%20users%20of%20a%20few%20other%20license%20groups%3C%2FLI%3E%3CLI%3EThen%20use%20the%20deltaSync%20functions%20to%20update%20O365%20License%20Groups%20which%20are%20used%20directly%20in%20AAD%20License%20Templates.%3C%2FLI%3E%3C%2FOL%3E%3CP%3EI%20have%20one%20OU%20with%20Groups%20that%20our%20ID%20Administrators%20can%26nbsp%3Bupdate%20to%20account%20for%20specific%20scenarios.%3C%2FP%3E%3CP%3EThen%20I%20have%20another%20OU%20with%20Groups%20that%20are%20specifically%20for%20licenses%20(that%20will%20be%20used%20in%20AAD).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20specifically%20applying%20licenses%20for%20E3's%2C%20E5's%20(with%20S4B%20phone)%2C%20E5's%20(without%20S4B%20phone)%2C%20Advanced%20Threat%20Protection%20(to%20E3%20users)%2C%20Project%20Online%2C%20Project%20Pro%2C%20Visio%2C%20PSTN%20Conferencing%2C%20EMS%2C%20Exchange%20Plan%202%2C%20and%20maybe%20one%20or%20two%20others.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20AADConnect%20runs%20every%2030%20minutes%2C%20and%20this%20script%20runs%20every%2030%20minutes%20offset%20by%2015%20minutes%20from%20the%20AADConnect%20sync%20job.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%24ScriptStart%20%3D%20(Get-Date)%0AAdd-Type%20-AssemblyName%20System.DirectoryServices.AccountManagement%0A%0Afunction%20getADGroupMembers(%24adGroupName)%7B%0A%20%20%20%20%24adGroupArray%20%3D%20%40()%0A%0A%20%20%20%20%24domain%3D''%20%23Enter%20your%20AD%20domain%20here%0A%20%20%20%20%24pc%20%3D%20New-Object%20System.DirectoryServices.AccountManagement.PrincipalContext(%5BSystem.DirectoryServices.AccountManagement.ContextType%5D%3A%3ADomain%2C%20%24domain)%0A%20%20%20%20%24group2%20%3D%20%5BSystem.DirectoryServices.AccountManagement.GroupPrincipal%5D%3A%3AFindByIdentity(%24pc%2C%20%5BSystem.DirectoryServices.AccountManagement.IdentityType%5D%3A%3AName%2C%20%24adGroupName)%0A%20%20%20%20%24group2.Members.GetEnumerator()%20%7C%20%25%20%7B%20%0A%20%20%20%20%20%20%20%20%23Write-Host%20%24_.DistinguishedName%0A%20%20%20%20%20%20%20%20if(%24adGroupName%20-like%20%22O365%20License*%22)%7B%20%20%20%20%20%20%20%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%24adGroupArray%20%2B%3D%20%22%24(%24_.DistinguishedName)%22%0A%20%20%20%20%20%20%20%20%7D%20else%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20if(%24_.DistinguishedName%20-notlike%20%22*Disabled%20Objects*%22)%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%24adGroupArray%20%2B%3D%20%22%24(%24_.DistinguishedName)%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%7D%20%20%20%20%0A%20%20%20%20%7D%0A%0A%20%20%20%20if(%24adGroupArray.Length%20-gt%200)%7B%0A%20%20%20%20%20%20%20%20return%20%24adGroupArray%0A%20%20%20%20%7D%20else%20%7B%0A%20%20%20%20%20%20%20%20return%20%24null%0A%20%20%20%20%7D%0A%0A%7D%0A%0Afunction%20checkMembership(%24user%2C%20%24array)%7B%0A%20%20%20%20return%20%24array.contains(%24user)%0A%7D%0A%0Afunction%20checkMembershipCount(%24checkGroup%2C%20%24checkName)%7B%0A%20%20%20%20%24count%20%3D%200%0A%20%20%20%20foreach(%24checkGroupItem%20in%20%24checkGroup)%7B%0A%20%20%20%20%20%20%20%20if(%24checkGroupItem.contains(%24checkName))%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%24count%20%2B%3D%201%0A%20%20%20%20%20%20%20%20%7D%0A%0A%20%20%20%20%7D%20%20%20%20%0A%20%20%20%20return%20%24count%0A%7D%0A%0Afunction%20removeArray(%24array1%2C%20%24array2)%7B%0A%20%20%20%20if(%24array2)%7B%0A%20%20%20%20%20%20%20%20%24array3%20%3D%20%40()%0A%20%20%20%20%20%20%20%20foreach(%24item%20in%20%24array1)%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20if(!%24array2.Contains(%24item))%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%24array3%20%2B%3D%20%24item%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20return%20%24array3%0A%20%20%20%20%7D%20else%20%7B%0A%20%20%20%20%20%20%20%20return%20%24array1%0A%20%20%20%20%7D%0A%7D%0A%0Afunction%20deltaSync(%24adGroupName%2C%20%24replaceWith)%7B%0A%0A%20%20%20%20%24replaceWith%20%3D%20%24replaceWith%20%7C%20select%20-uniq%0A%0A%20%20%20%20Write-Host%20%22%60nProcessing%20Target%20Group%3A%22%20%24adGroupName%20-ForegroundColor%20Cyan%0A%20%20%20%20%24adGroupArray%20%3D%20getADGroupMembers%20-adGroupName%20%22%24adGroupName%22%0A%0A%20%20%20%20if(%24replaceWith.Length%20-eq%200%20-and%20%24adGroupArray.Length%20-eq%200)%7B%0A%20%20%20%20%20%20%20%20return%20%24false%0A%20%20%20%20%7D%0A%0A%20%20%20%20if(%24replaceWith.Length%20-eq%200%20-and%20%24adGroupArray.Length%20-ne%200)%7B%0A%20%20%20%20%20%20%20%20Write-Host%20%22Removing%20all%20users%22%0A%20%20%20%20%20%20%20%20Remove-ADGroupMember%20%22%24adGroupName%22%20-Members%20%24adGroupArray%20-Confirm%3A%24false%0A%20%20%20%20%20%20%20%20return%20%24false%0A%20%20%20%20%7D%0A%0A%20%20%20%20if(%24replaceWith.Length%20-ne%200%20-and%20%24adGroupArray.Length%20-eq%200)%7B%0A%20%20%20%20%20%20%20%20Write-Host%20%22Adding%20all%20users%22%0A%20%20%20%20%20%20%20%20Add-ADGroupMember%20%22%24adGroupName%22%20-Members%20%24replaceWith%20-Confirm%3A%24false%0A%20%20%20%20%20%20%20%20return%20%24false%0A%20%20%20%20%7D%0A%0A%20%20%20%20%23%20Compare%20the%20differences%20between%20the%20two%20groups%0A%20%20%20%20%24arrayDiff%20%3D%20Compare-Object%20-ReferenceObject%20%24adGroupArray%20-DifferenceObject%20%24replaceWith%20%0A%0A%20%20%20%20%23%20Iterate%20the%20differences%20and%20determine%20Adds%20%2F%20Removes%0A%20%20%20%20%24usersToAdd%20%3D%20%40()%0A%20%20%20%20%24usersToRemove%20%3D%20%40()%0A%20%20%20%20foreach(%24arrayItem%20in%20%24arrayDiff)%7B%20%20%20%20%20%20%0A%20%20%20%20%20%20%20%20if(%24arrayItem.SideIndicator%20-eq%20%22%3D%26gt%3B%22)%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20Write-Host%20%22Add%20to%20Array%22%20%24arrayItem.InputObject%20-ForegroundColor%20Yellow%0A%20%20%20%20%20%20%20%20%20%20%20%20%24usersToAdd%20%2B%3D%20%22%24(%24arrayItem.InputObject)%22%0A%20%20%20%20%20%20%20%20%7D%20else%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20Write-Host%20%22Remove%20from%20Group%22%20%24arrayItem.InputObject%20-ForegroundColor%20Red%0A%20%20%20%20%20%20%20%20%20%20%20%20%24usersToRemove%20%2B%3D%20%22%24(%24arrayItem.InputObject)%22%20%20%20%20%20%20%20%20%20%20%20%20%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%0A%20%20%20%20%23%20Add%20users%20to%20target%20Group%0A%20%20%20%20if(%24usersToAdd.Length%20-gt%200)%7B%0A%20%20%20%20%20%20%20%20Write-Host%20%22%60nAdd%20Users%20Now%22%20-ForegroundColor%20Yellow%0A%20%20%20%20%20%20%20%20Add-ADGroupMember%20%22%24adGroupName%22%20-Members%20%24usersToAdd%20-Confirm%3A%24false%0A%20%20%20%20%7D%0A%0A%20%20%20%20%23%20Remove%20users%20from%20target%20Group%0A%20%20%20%20if(%24usersToRemove.Length%20-gt%200)%7B%0A%20%20%20%20%20%20%20%20Write-Host%20%22%60nRemove%20Users%20Now%22%20-ForegroundColor%20Yellow%0A%20%20%20%20%20%20%20%20Remove-ADGroupMember%20%22%24adGroupName%22%20-Members%20%24usersToRemove%20-Confirm%3A%24false%0A%20%20%20%20%7D%0A%0A%20%20%20%20return%20%24true%0A%0A%7D%0A%0A%23%20Define%20E5%20Groups%20to%20Check%0A%24groups%20%3D%20getADGroupMembers%20-adGroupName%20%22Groups%20with%20E5%20Licenses%20(O365%20Groups)%22%0A%0A%23%20Build%20array%20of%20Users%20that%20get%20E5's%20based%20on%20Group%20Membership%0A%24E5UserArray%20%3D%20%40()%0Aforeach(%24group%20in%20%24groups)%7B%0A%20%20%20%20%23%24group%20%7C%20get-member%0A%20%20%20%20%24adGroup%20%3D%20Get-ADGroup%20%24group%20%20%20%20%0A%20%20%20%20%23%24zzz%20%3D%20Get-ADGroup%20%24adGroup%20-Properties%20*%0A%20%20%20%20%23%24zzz.DisplayName%0A%20%20%20%20%23Write-Host%20%22Processing%20%24(%24adGroup.DisplayName)%22%0A%20%20%20%20%24members%20%3D%20getADGroupMembers%20-adGroupName%20%22%24(%24adGroup.Name)%22%0A%20%20%20%20foreach(%24member%20in%20%24members)%7B%0A%20%20%20%20%20%20%20%20%23Write-Host%20%22%20%20%24member%22%0A%20%20%20%20%20%20%20%20%24E5UserArray%20%2B%3D%20%22%24(%24member)%22%20%0A%20%20%20%20%7D%0A%7D%0A%0A%0A%24Users_S4BCloud%20%3D%20getADGroupMembers%20-adGroupName%20%22Users%20with%20S4B%20Phone%20-%20Cloud%22%0A%24Users_S4BOnPrem%20%3D%20getADGroupMembers%20-adGroupName%20%22Users%20with%20S4B%20Phone%20-%20On%20Prem%22%0A%24Devices_S4B%20%3D%20getADGroupMembers%20-adGroupName%20%22Devices%20with%20S4B%20Conferencing%22%0A%0A%0A%23%20Get%20all%20Users%20from%20AD%0A%24Users%20%3D%20Get-ADUser%20-Filter%20*%20-Properties%20userprincipalname%2CmsRTCSIP-PrimaryUserAddress%2CCompany%2CCreated%2CdisplayName%2CemployeeNumber%2Cc%2CproxyAddresses%2Cmail%2CsAMAccountType%2CuserAccountControl%2Cenabled%0A%0A%24Users_E5%20%3D%20%40()%0A%24Users_E5_CloudPBX%20%3D%20%40()%0A%24Users_E3%20%3D%20%40()%0A%24Users_EMS%20%3D%20%40()%0A%24count%20%3D%200%0A%0Aforeach(%24user%20in%20%24users)%7B%0A%20%20%20%20if((%24User.EmployeeNumber)%20-and%20(%24User.DistinguishedName%20-like%20%22*OU%3DUsers*%22)%20-and%20(%24User.DistinguishedName%20-notlike%20%22*OU%3D_Disabled%20Objects*%22))%7B%0A%0A%20%20%20%20%20%20%20%20%24count%20%2B%3D%201%0A%0A%20%20%20%20%20%20%20%20if(checkMembership%20-array%20%24E5UserArray%20-user%20%22%24user%22)%7B%20%0A%20%20%20%20%20%20%20%20%20%20%20%20if(checkMembership%20-array%20%24Users_S4BCloud%20-user%20%22%24user%22)%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%24Users_E5_CloudPBX%20%2B%3D%20%22%24(%24user.DistinguishedName)%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%20else%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%24Users_E5%20%2B%3D%20%22%24(%24user.DistinguishedName)%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%7D%20else%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%24Users_E3%20%2B%3D%20%22%24(%24user.DistinguishedName)%22%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%24Users_EMS%20%2B%3D%20%22%24(%24user.DistinguishedName)%22%0A%20%20%20%20%7D%0A%7D%0A%0AWrite-Host%20%22%60nFound%20%24count%20Users%60n%22%0A%0A%0A%23%20Build%20array%20of%20Users%20that%20will%20receive%20no%20license%0AWrite-Host%20%22%60n****%60nExclusion%20List%20%20%60n****%22%20-ForegroundColor%20Green%0A%24ExclusionList%20%3D%20getADGroupMembers%20-adGroupName%20%22Users%20with%20No%20License%22%0AWrite-Host%20%24ExclusionList%0A%0AWrite-Host%20%22%60n****%60nDevices%20with%20S4B%20Conferencing%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Devices_S4B%20%3D%20getADGroupMembers%20-adGroupName%20%22Devices%20with%20S4B%20Conferencing%22%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20E5%20(Devices)%22%20-replaceWith%20%24Devices_S4B%0A%0AWrite-Host%20%22%60n****%60nUsers%20with%20Visio%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_Visio%20%3D%20getADGroupMembers%20-adGroupName%20%22Users%20with%20Visio%22%0A%24Users_Visio%20%3D%20removeArray%20-array1%20%24Users_Visio%20-array2%20%24ExclusionList%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20Visio%22%20-replaceWith%20%24Users_Visio%0A%0AWrite-Host%20%22%60n****%60nUsers%20and%20Devices%20with%20Exchange%20Only%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_ExchangeOnly%20%3D%20getADGroupMembers%20-adGroupName%20%22Service%20Accounts%20with%20Email%20Only%22%0A%24Users_VM%20%3D%20getADGroupMembers%20-adGroupName%20%22Devices%20with%20Voicemail%22%0A%24Users_ExchangeOnly%20%3D%20%24Users_ExchangeOnly%20%2B%20%24Users_VM%0A%24Users_ExchangeOnly%20%3D%20removeArray%20-array1%20%24Users_ExchangeOnly%20-array2%20%24ExclusionList%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20Exchange%20Only%22%20-replaceWith%20%24Users_ExchangeOnly%0A%0AWrite-Host%20%22%60n****%60nE5%20(Regular)%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_E5%20%3D%20removeArray%20-array1%20%24Users_E5%20-array2%20%24ExclusionList%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20E5%20(Regular)%22%20-replaceWith%20%24Users_E5%0A%0AWrite-Host%20%22%60n****%60nE5%20(Phone)%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_E5_CloudPBX%20%3D%20%24Users_E5_CloudPBX%0A%24Users_E5_CloudPBX%20%3D%20removeArray%20-array1%20%24Users_E5_CloudPBX%20-array2%20%24ExclusionList%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20E5%20(Phone)%22%20-replaceWith%20%24Users_E5_CloudPBX%0A%0AWrite-Host%20%22%60n****%60nE3%20(Temporary)%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_E3_Temporary%20%3D%20getADGroupMembers%20-adGroupName%20%22Users%20with%20E3%20Limited%20Licenses%22%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20E3%20(Temporary)%22%20-replaceWith%20%24Users_E3_Temporary%0A%0AWrite-Host%20%22%60n****%60nE3%20(Service%20Accounts)%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_E3_ServiceAccounts%20%3D%20getADGroupMembers%20-adGroupName%20%22Service%20Accounts%20with%20E3%20Licenses%22%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20E3%20(Service%20Accounts)%22%20-replaceWith%20%24Users_E3_ServiceAccounts%0A%0A%24Users_E3_Manual%20%3D%20getADGroupMembers%20-adGroupName%20%22Users%20(Non-Buckman)%20with%20E3%20Licenses%22%0A%24Users_E3%20%3D%20%24Users_E3%20%2B%20%24Users_E3_Manual%0A%24Users_E3%20%3D%20removeArray%20-array1%20%24Users_E3%20-array2%20%24ExclusionList%0A%24Users_E3%20%3D%20removeArray%20-array1%20%24Users_E3%20-array2%20%24Users_E3_Temporary%0AWrite-Host%20%22%60n****%60nE3%20%2F%20ATP%20%20%60n****%22%20-ForegroundColor%20Green%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20E3%22%20-replaceWith%20%24Users_E3%0A%0AWrite-Host%20%22%60n****%60nATP%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_ATP%20%3D%20%24Users_E3%20%2B%20%24Users_E3_Temporary%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20ATP%22%20-replaceWith%20%24Users_ATP%0A%0AWrite-Host%20%22%60n****%60nEMS%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_EMS%20%3D%20%24Users_E3%20%2B%20%24Users_E5_CloudPBX%20%2B%20%24Users_E5%0A%24Users_EMS%20%3D%20removeArray%20-array1%20%24Users_EMS%20-array2%20%24Devices_S4B%0A%24Users_EMS%20%3D%20removeArray%20-array1%20%24Users_EMS%20-array2%20%24ExclusionList%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20EMS%22%20-replaceWith%20%24Users_EMS%0A%0AWrite-Host%20%22%60n****%60nProject%20Pro%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_ProjectPro%20%3D%20getADGroupMembers%20-adGroupName%20%22Users%20with%20Project%20Pro%22%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20Project%20Pro%22%20-replaceWith%20%24Users_ProjectPro%0A%0AWrite-Host%20%22%60n****%60nProject%20Online%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_ProjectOnline%20%3D%20getADGroupMembers%20-adGroupName%20%22Users%20with%20Project%20Online%22%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20Project%20Online%22%20-replaceWith%20%24Users_ProjectOnline%0A%0AWrite-Host%20%22%60n****%60nUsers%20with%20PSTN%20Conferencing%20%20%60n****%22%20-ForegroundColor%20Green%0A%24Users_PSTN%20%3D%20getADGroupMembers%20-adGroupName%20%22Users%20with%20PSTN%20Conferencing%22%0A%24Users_PSTN%20%3D%20removeArray%20-array1%20%24Users_PSTN%20-array2%20%24ExclusionList%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20PSTN%20Conferencing%22%20-replaceWith%20%24Users_PSTN%0A%0A%24ALL_E5_1%20%3D%20getADGroupMembers%20-adGroupName%20%22O365%20License%20Users%20with%20E5%20(Phone)%22%0A%24ALL_E5_2%20%3D%20getADGroupMembers%20-adGroupName%20%22O365%20License%20Users%20with%20E5%20(Regular)%22%0A%24ALL_E5%20%3D%20%24ALL_E5_2%20%2B%20%24ALL_E5_1%20%0A%24ALL_E3%20%3D%20getADGroupMembers%20-adGroupName%20%22O365%20License%20Users%20with%20E3%22%0A%24Users_PSTN_E3%20%3D%20removeArray%20-array1%20%24Users_PSTN%20-array2%20%24ALL_E5%0A%24Users_PSTN_E3%20%3D%20removeArray%20-array1%20%24Users_PSTN_E3%20-array2%20%24ExclusionList%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20PSTN%20Conferencing%20(E3)%22%20-replaceWith%20%24Users_PSTN_E3%0A%24Users_PSTN_E5%20%3D%20removeArray%20-array1%20%24Users_PSTN%20-array2%20%24ALL_E3%0A%24Users_PSTN_E5%20%3D%20removeArray%20-array1%20%24Users_PSTN_E5%20-array2%20%24ExclusionList%0AdeltaSync%20-adGroup%20%22O365%20License%20Users%20with%20PSTN%20Conferencing%20(E5)%22%20-replaceWith%20%24Users_PSTN_E5%0A%0A%0A%24ScriptEnd%20%3D%20(Get-Date)%0A%24RunTime%20%3D%20New-Timespan%20-Start%20%24ScriptStart%20-End%20%24ScriptEnd%0A%22%60nElapsed%20Time%3A%20%7B0%7D%3A%7B1%7D%3A%7B2%7D%22%20-f%20%24RunTime.Hours%2C%24Runtime.Minutes%2C%24RunTime.Seconds%0A%20%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-77745%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-77745%22%20slang%3D%22en-US%22%3E%3CP%3EWould%20you%20be%20willing%20to%20share%20your%20PowerShell%20scripts%2C%20or%20the%20relevants%20parts%20with%20your%20personal%20info%20stripped%20out%3F%20I'm%20always%20looking%20for%20better%2Ffaster%20ways%20to%20do%20things%2C%20but%20I%20understand%20that%20some%20people%20may%20not%20want%20to%20provide%20that%20info%20due%20to%20potential%20security%20reasons.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-77461%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-77461%22%20slang%3D%22en-US%22%3ESo%20I%20just%20got%20this%20fully%20rolled%20out%20for%20us%2C%20and%20it%20works%20great!%20Took%20a%20bit%20more%20thought%20on%20the%20PowerShell%20automation%20to%20account%20for%20all%20of%20our%20scenarios%2C%20but%20pretty%20nice.%20I%20have%20alleviated%20the%20need%20for%20almost%2010%20global%20employees%2C%20who%20were%20managing%20licenses%20for%20various%20regions%2C%20to%20ever%20have%20to%20touch%20licensing%20at%20all%2C%20except%20for%20vary%20rare%20one%20offs%20that%20we%20maybe%20havent%20thought%20of%20yet%2C%20so%20they%20can%20focus%20on%20their%20other%20stuff%20now%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61711%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61711%22%20slang%3D%22en-US%22%3EYa%2C%20I've%20already%20got%20it%20pretty%20much%20implemented%2C%20just%20a%20simple%20delta%20comparison%20check%20of%20the%20groups%20instead%20of%20a%20wipe%20and%20replace%2C%20just%20took%20a%20bit%20more%20extra%20thought%20than%20I%20wanted%20to%20have%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3ENot%20going%20to%20the%20complexity%20of%20tracking%20in%20Access%20or%20SQL%2C%20just%20powershell%20looking%20at%20existing%20AD%20groups%20we%20have%20set%20up%20and%20existing%20users.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61687%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61687%22%20slang%3D%22en-US%22%3E%3CP%3EBrent%2C%20we%20do%20something%20similar%20here%2C%20but%20we%20do%20delta%20changes%20to%20group%20membership%20using%20powershell%2C%20instead%20of%20a%20wipe%20and%20replace.%20It%20does%20rely%20on%20an%20extra%20step%20using%20MS%20Access%20or%20SQL%20Server%20to%20hold%20your%20combined%20AD%2FAzure%20data%20-%20for%20example%2C%20we%20have%20a%20scheduled%20task%20to%20powershell%20export%20the%20current%20Azure%20group%20listings%2Fmemberships%20and%20import%20into%20SQL%20Express.%20Another%20task%20to%20powershell%20export%20our%20local%20Active%20Directory%20info%20into%20same%20SQL%20Express.%20Then%20a%20query%20to%20find%20the%20new%20AD%20people%2C%20and%20another%20query%20to%20find%20the%20removed%20AD%20people.%20Export%20those%202%20queries%20to%20a%20text%20file%2C%20and%20use%20those%202%20to%20powershell%20the%20delta%20changes%20up%20to%20Azure.%20%26nbsp%3BIt%20sounds%20like%20a%20lot%20but%20once%20you%20get%20it%20built%2C%20it's%20very%20quick%20and%20easy%20to%20run%2C%20and%20it%20sounds%20like%20you're%20almost%20doing%20that%20now.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61577%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61577%22%20slang%3D%22en-US%22%3EThat's%20disappointing%2C%20will%20have%20to%20experiment%20with%20how%20to%20handle%20delta%20changes%20to%20achieve%20same%20goal%20%3A(%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61564%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61564%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20a%20good%20idea%20as%20when%20you%20clear%20the%20membership%20GBL%20will%20trigger%20a%20remove%20of%20the%20license%20and%20then%20you%20would%20have%20to%20re-apply%20them%20and%20hope%20that%20your%20timing%20matches%20that%20of%20GBL%20updating%20the%20assignments%20in%20Office%20for%20example.%20You%20will%20likely%20get%20some%20very%20unpredictable%20results%20if%20you%20keep%20running%20this%20on%20your%20groups.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20understand%20that%20you%20are%20doing%20this%20as%20a%20simple%20version%20of%20dynamic%20groups%20which%20is%20an%20Azure%20AD%20Premium%20feature%20but%20you%20have%20to%20change%20the%20logic%20to%20not%20remove%20member%20unless%20he%2Fshe%20is%20really%20removed.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBrjann%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61417%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61417%22%20slang%3D%22en-US%22%3ESo%20I%20have%20set%20up%20a%20few%20AD%20groups%20that%20we%20will%20use%20to%20apply%20the%20licenses.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20also%20set%20up%20a%20powershell%20script%20set%20up%20that%20will%20clear%20membership%20of%20those%20groups%20and%20refresh%20them%20every%20hour%20or%20so%20to%20account%20for%20changes%20(new%20users%2C%20changed%20situations%2C%20etc).%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20I%20am%20clearing%20those%20groups%20out%20and%20replacing%20all%20the%20users%20frequently%2C%20is%20there%20anything%20to%20be%20concerned%20with%20from%20the%20group-based%20licensing%20process%20perspective%3F%20Or%20other%20gotchas%3F%3CBR%20%2F%3E%3CBR%20%2F%3EOr%20would%20this%20be%20a%20pretty%20low%20risk%20process%20(given%20the%20code%20is%20built%20to%20properly%20populate%20the%20groups)%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60412%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60412%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F44655%22%20target%3D%22_blank%22%3E%40Terry%20Munro%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%3CP%3EThanks%20for%20your%20reply%20Nasos%20(and%20others).%20Your%20time%20and%20effort%20is%20appreciated.%3C%2FP%3E%3CP%3ENasos%2C%20are%20you%20confirming%20that%20EDU%20get%20Azure%20AD%20Basic%20included%3F%3C%2FP%3E%3CP%3ECan%20you%20confirm%26nbsp%3Bthat%20it%20is%20included%26nbsp%3Bfor%20Alumni%20and%20Students%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20instance%20-%3C%2FP%3E%3CP%3EExchange%20Online%20(Plan%201)%20for%20alumni%20only%20includes%20Exchange%20Online%20Plan%201%20-%20Nothing%20else.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20would%20be%20awesome%20if%20this%20is%20included.%3C%2FP%3E%3CP%3ECan%20you%20please%20provide%20a%20link%20to%20an%20MS%20article%20advising%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20once%20again%20for%20the%20great%20support.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ETerry%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3ETerry%2C%20if%20you're%20K-12%20or%20EDU%20like%20me%2C%20then%20the%20free%20E1%20or%20E2%20plans%20for%20faculty%2Fstudents%2Falumni%20only%20include%20AAD%20(Azure%20AD)%2C%20not%20AADB%20(Azure%20AD%20Basic).%20AADB%20is%20also%20free...but%20it%20can%20only%20be%20applied%20to%20your%20domain%20IF%20you%20also%20have%20a%20paid%20EES%20subscription.%20I%20don't%20have%20any%20articles%20on%20that%2C%20but%20I%20worked%20with%20various%20MS%20reps%20for%20the%20last%206%20months%20trying%20to%20get%20AADB%20without%20an%20EES%20and%20it%20was%20simply%20not%20possible.%20I%20wanted%20AADB%20for%20the%20ability%20to%20use%20groups%20when%20assigning%20rights.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60243%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60243%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Nasos%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20did%20see%20mention%20of%20E3%20and%20E5.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMust%20admit%2C%20I%20assumed%20my%20O365%20Plans%20included%20Azure%20Basic%20already%20but%20it%20sounds%20like%20it%20is%20just%20the%20Free%20version.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20clarification.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60226%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60226%22%20slang%3D%22en-US%22%3E%3CP%3EChris%20as%26nbsp%3BI%20said%20it%20is%20for%20Office%20365%20E3%20and%20E5%20only.%20Of%20course%20you%20can%26nbsp%3Bpurchase%20any%20Azure%20AD%20paid%20offering%20(Basic%2C%20Premium%20P1%20or%20P2)%20and%20you%20add%20it%20in%20your%20tenant%20and%20then%20group-based%20linceinsing%20feature%20will%20be%20available%20for%20any%20Microsoft%20online%20service%20you%20have.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F33025%22%20target%3D%22_blank%22%3E%40Chris%20Yue%3C%2FA%3E%20wrote%3A%3CBR%20%2F%3E%0A%3CP%3ESo%20does%20this%20mean%20all%20O365%20Business%20related%20Plans%20(I%20am%20using%20Business%20Essentials%20and%20Business%20Premium)%20will%20qualify%20for%20the%20use%20of%20group%20based%20licensing%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60224%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60224%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20does%20this%20mean%20all%20O365%20Business%20related%20Plans%20(I%20am%20using%20Business%20Essentials%20and%20Business%20Premium)%20will%20qualify%20for%20the%20use%20of%20group%20based%20licensing%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60208%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60208%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20your%20reply%20Nasos%20(and%20others).%20Your%20time%20and%20effort%20is%20appreciated.%3C%2FP%3E%3CP%3ENasos%2C%20are%20you%20confirming%20that%20EDU%20get%20Azure%20AD%20Basic%20included%3F%3C%2FP%3E%3CP%3ECan%20you%20confirm%26nbsp%3Bthat%20it%20is%20included%26nbsp%3Bfor%20Alumni%20and%20Students%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20instance%20-%3C%2FP%3E%3CP%3EExchange%20Online%20(Plan%201)%20for%20alumni%20only%20includes%20Exchange%20Online%20Plan%201%20-%20Nothing%20else.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20would%20be%20awesome%20if%20this%20is%20included.%3C%2FP%3E%3CP%3ECan%20you%20please%20provide%20a%20link%20to%20an%20MS%20article%20advising%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20once%20again%20for%20the%20great%20support.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ETerry%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60147%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60147%22%20slang%3D%22en-US%22%3E%3CP%3EGroup-based%20licensing%20will%20be%20a%20feature%26nbsp%3Bof%20all%20the%20paid%20Azure%20AD%20editions.%20(And%20it%20is%20included%20now%20during%20the%20public%20preview%20period)%3C%2FP%3E%0A%3CP%3EThat%20means%20Azure%20AD%20Basic%2C%20Azure%20AD%20Premium%20P1%20and%20P2%20and%20of%20course%20EMS%20E3%20and%20E5%20that%20includes%20Azure%20AD%20Premium.%3C%2FP%3E%0A%3CP%3EAlso%20will%20be%26nbsp%3Ba%20feature%20of%20Office%20365%20E3%20and%20Office%20365%20E5%20when%20it%20becomes%20generally%20avaialble.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%2C%20for%20EDU%20organizations%20things%20are%20rather%20simple%20becasue%20Azure%20AD%20Basic%20is%20free%20for%20them%20so%20by%20adding%20the%20free%20Azure%20AD%20Basic%20edition%20to%20their%20tenant%20they%20can%20use%20Group-Based%20Licensing%20for%20all%20the%20related%20products.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20hope%20this%20helps%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENasos%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-59997%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-59997%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20makes%20sense%20as%20Dynamic%20groups%20is%20specifically%20an%20Azure%20AD%20Premium%20offering.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAt%20the%20moment%20I'm%20tending%20towards%20recommending%20my%20clients%20create%20specific%20groups%20for%20licensing%20seperate%20from%20access%20and%20security%20groups%26nbsp%3Bunless%20they%20have%20very%20simple%20%22give%20everyone%20an%20E3%22%20requirements.%26nbsp%3B%20This%20allows%20them%20to%20then%20create%20seperate%20license%20blocks%20for%20more%20enhanced%20uses%20if%20required.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EE.g.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOffice%20365%20Base%20E3%20License%20group%20-%20Gives%20the%20'Standard'%20offering%20to%20staff%20(could%20be%20used%20for%20basic%20O365%20access%20too)%3C%2FP%3E%3CP%3EOffice%20365%20Exchange%20Plan%201%20-%20Gives%20the%20basic%20e-mail%20functionality%3C%2FP%3E%3CP%3EOffice%20365%20Exchange%20Plan%202%20-%20Gives%20the%20enhanced%20e-mail%20functionality.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eetc..%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20interested%20in%20other%20peoples%20approaches%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPaul.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-59968%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-59968%22%20slang%3D%22en-US%22%3EAs%20a%20follow-up%20since%20I%20was%20able%20to%20test%20this%20last%20night%2C%20Azure%20Basic%20(%240%20if%20you%20have%20an%20EES%2C%20even%20though%20I%20don't%20have%20E3%2C%20just%20the%20regular%20faculty%2Fstudent%20O365)%20does%20allow%20you%20to%20use%20Groups%20to%20assign%20Azure%20rights%20for%20applications.%20However%2C%20Azure%20Basic%20does%20not%20let%20you%20use%20dynamic%20groups.%20For%20example%2C%20I%20have%20a%20dynamic%20email%20group%20called%20%22All%20Staff%22%2C%20but%20that%20group%20is%20not%20available%20to%20Azure%20when%20assigning%20application%20rights%2C%20because%20you%20need%20an%20Azure%20Premium%2C%20not%20Basic%2C%20license%20for%20dynamic%20groups.%20That%20means%20that%20I%20had%20to%20create%20a%20new%20%22AllStaffAzure%22%20group%20in%20O365%20portal%20(I%20chose%20to%20hide%20that%20group%20since%20I'm%20only%20using%20it%20for%20assigning%20Azure%20rights)%20and%20I%20used%20Powershell%20to%20assign%20all%20staff%20accounts%20into%20that%20group%2C%20then%20I%20could%20set%20the%20Application%20in%20Azure%20(like%20Google%20Apps%2C%20EasyBib%2C%20etc.)%20to%20use%20that%20%22AllStaffAzure%22%20group%2C%20instead%20of%20having%20to%20assign%20each%20person%20individually.%20So%20it's%20still%20not%20as%20dynamic%20as%20I'd%20like%2C%20but%20it's%20easier%20for%20me%20to%20use%20Powershell%20to%20script%20users%20into%20an%20O365%2FExchange%20group%20than%20Azure.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-59818%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-59818%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26185%22%20target%3D%22_blank%22%3E%40Nasos%20Kladakis%3C%2FA%3E%26nbsp%3BShould%20help%20explain%20what%20the%20intentions%20are%20around%20availbility%20of%26nbsp%3BGroup%20Based%20License%20management%20with%20regards%20to%20version%20of%20Azure%20AD.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBrjann%20Brekkan%3C%2FP%3E%0A%3CP%3E-%20Azure%20AD%20Program%20Manager%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-59240%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-59240%22%20slang%3D%22en-US%22%3EAs%20it%20relates%20to%20Education%2C%20I%20know%20that%20we%20just%20purchased%20an%20EES%20agreement%2C%20and%20in%20so%20doing%20we%20were%20able%20to%20add%20the%20SKU%20965-00002%20for%20Azure%20Basic%20(AADB)%20for%20%240%20to%20get%20this...but%20this%20does%20require%20an%20active%20EES%20agreement%20to%20add%20AADB%20for%20free.%20I%20just%20got%20this%20and%20it%20hasn't%20been%20applied%20to%20my%20portal%20yet%2C%20but%20I've%20been%20assured%20by%20Microsoft%20that%20is%20all%20you%20need%20to%20switch%20from%20user-based%20processing%20using%20Azure%20powershell%20scripts%20to%20using%20groups%20in%20Azure.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-57595%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-57595%22%20slang%3D%22en-US%22%3E%3CP%3EGreetings%20all%2C%3C%2FP%3E%3CP%3EMy%20question%20is%20specifically%20in%20regards%20to%20end%20user%20licensing%20in%20the%20%3CSTRONG%3EEducation%20Sector%3C%2FSTRONG%3E%2C%20which%26nbsp%3Bis%20needed%20to%20use%20Azure%20AD%20Group%20Based%20Licensing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGoing%20by%20Source%201%2C%20all%20users%20who%20inherit%20a%20license%20via%20the%20group%20based%20licensing%20model%20will%20need%20an%20Azure%20AD%20Basic%20license%20(not%20Azure%20AD%20Free).%3C%2FP%3E%3CP%3EGoing%20by%20Source%202%2C%20this%20will%20change%20once%20the%20functionality%20reaches%20GA.%3C%2FP%3E%3CP%3EOnce%20this%20happens%2C%20%22%3CSPAN%3Eit%20will%20be%20included%20in%20Office%20365%20Enterprise%20E3%20and%20similar%20products.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20Education%20licensing%20differs%20from%20the%20standard%20Enterprise%20E3%2C%20will%20this%20functionality%20be%20included%20at%20no%20cost%20for%20Student%20and%20Alumni%20licensing%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20you%20can%20imagine%2C%20a%20large%20University%20will%20have%20hundreds%20of%20thousands%20of%20Alumni%20and%20tens%20of%20thousands%20of%20Students.%20Having%20Education%20E3%20include%20the%20Azure%20AD%20Basic%20licensing%20%2F%20eligibility%20for%20Azure%20AD%20Group%20based%20licensing%20for%20%240%20will%20help%20for%20Staff%2C%20but%20if%20Azure%20AD%20Basic%20licensing%20is%20not%20included%20for%20Alumni%20and%20Students%2C%20the%20Education%20sector%20will%20not%20be%20able%20to%20afford%20to%20use%20this%20awesome%20functionality.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ECan%20someone%20please%20provide%20clarity%2C%20and%20preferably%20a%20link%20to%20a%20valid%20Microsoft%20site%2C%20on%20how%20Azure%20AD%20Group%20Based%20Licensing%20and%20Azure%20AD%20Basic%20will%20apply%20to%20Staff%2C%20Students%20and%20Alumni.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESource%201%20-%3C%2FP%3E%3CUL%3E%3CLI%3E%3CSTRONG%3ELink%3C%2FSTRONG%3E%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-licensing-whatis-azure-portal%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-licensing-whatis-azure-portal%3C%2FA%3E%3C%2FLI%3E%3CLI%3E%3CSTRONG%3EFeatures%20%E2%80%93%20%3C%2FSTRONG%3E%3CUL%3E%3CLI%3EDuring%20public%20preview%2C%20a%20paid%20or%20trial%20subscription%20for%20Azure%20AD%20basic%20or%20premium%20editions%20is%20required%20in%20the%20tenant%20to%20use%20group-based%20license%20management.%20Also%2C%20every%20user%20who%20inherits%20any%20licenses%20from%20groups%20must%20have%20the%20paid%20Azure%20AD%20edition%20license%20assigned%20to%20them.%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3ESource%202%20-%3C%2FP%3E%3CUL%3E%3CLI%3E%3CSTRONG%3ELink%3C%2FSTRONG%3E%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fenterprisemobility%2F2017%2F02%2F22%2Fannouncing-the-public-preview-of-azure-ad-group-based-license-management-for-office-365-and-more%2F%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fenterprisemobility%2F2017%2F02%2F22%2Fannouncing-the-public-preview-of-azure-ad-group-based-license-management-for-office-365-and-more%2F%3C%2FA%3E%26nbsp%3B%3C%2FLI%3E%3CLI%3E%3CP%3E%3CSTRONG%3EIt%20contains%20the%20following%20statement%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%22While%20group-based%20license%20management%20is%20in%20public%20preview%20you%20will%20need%20an%20active%20subscription%20for%20Azure%20AD%20Basic%20(or%20above)%20in%20your%20tenant%20to%20assign%20licenses%20to%20groups.%20If%20you%20don%E2%80%99t%20have%20one%2C%20just%20sign%20up%20for%20an%20Enterprise%20Mobility%20%2B%20Security%20trial.%20Later%2C%20when%20this%20functionality%20becomes%20generally%20available%20it%20will%20be%20included%20in%20Office%20365%20Enterprise%20E3%20and%20similar%20products.%22%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-53066%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-53066%22%20slang%3D%22en-US%22%3EGreat%20video%2C%20Paul!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-52588%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-52588%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20went%20down%20very%20well%20at%20a%20SharePoint%20Saturday%20demo%20I%20did%20in%20Munich%20last%20week.%20People%20are%20clamouring%20for%20this%20and%20it%20might%20stop%20people%20using%20Okta%20and%20similar%20third%20parties!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20anyone%20wants%20to%20see%20it%20in%20action%2C%20I%20put%20together%20a%20short%20video%20showing%20it%20in%20use.%20%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DIh0XN0eRWwA%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DIh0XN0eRWwA%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-52398%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-52398%22%20slang%3D%22en-US%22%3E%3CP%3EBrent%3C%2FP%3E%0A%3CP%3EPublic%20preview%20means%20a%20number%20of%20things.%20But%20most%20of%20all%20means%20no%20SLA.%3C%2FP%3E%0A%3CP%3EI%20really%20want%20to%20tell%20you%20to%20go%20and%20use%20it%20because%20it%20seems%20to%20work%20perfectly%20%3A)%3C%2Fimg%3E%20However%20this%20is%20what%20public%20preview%20is%20all%20about%3A%3C%2FP%3E%0A%3CP%3ETest%20the%20feature%2C%20get%20feedback%20from%20as%20many%20users%20as%20possible%20and%20then%20call%20it%20Generally%20available.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENasos%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-52243%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-52243%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20this%20is%20super%20exciting%2C%20tested%20it%20out%2C%20works%20amazingly.%3CBR%20%2F%3E%3CBR%20%2F%3ETwo%20questions%3A%3CBR%20%2F%3E%3CBR%20%2F%3E(1)%20Even%20though%20it%20is%20considered%20%22public%20preview%22%2C%20any%20reason%20that%20we%20should%20not%20consider%20taking%20advantage%20of%20this%20immediately%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRIKE%3E(2)%20What%20is%20the%20best%20way%20to%20bulk%20remove%20%22direct%22%20licenses%20from%20users%3F%20Just%20use%20PowerShell%2C%20or%20is%20there%20something%20new%20in%20the%20UI%20I%20have%20overlooked.%3C%2FSTRIKE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EScratch%20question%202%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9288%22%20target%3D%22_blank%22%3E%40Adam%20Fowler%3C%2FA%3E's%26nbsp%3Blink%20covers%20it%20perfectly!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-48567%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-48567%22%20slang%3D%22en-US%22%3E%3CP%3EFantastic%20piece%20of%20work%20.%20Has%20saved%20us%20hours%2F%20days%20of%26nbsp%3Beffort.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-48403%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-48403%22%20slang%3D%22en-US%22%3E%3CP%3EAlready%20deployed%20this%2C%20works%20great!%3CBR%20%2F%3E%3CBR%20%2F%3EDid%20a%20quick%20writeup%20too%20%3A)%3C%2Fimg%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.adamfowlerit.com%2F2017%2F02%2Fazure-ad-group-based-license-management-office-365%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.adamfowlerit.com%2F2017%2F02%2Fazure-ad-group-based-license-management-office-365%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-48399%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-48399%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20so%20glad%20that%20you%20think%20this%20is%20awesome%20!%20(We%20agree)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-48390%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20group-based%20license%20management%20for%20Office%20365%20and%20more%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-48390%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20a%20great%20announcement%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26185%22%20target%3D%22_blank%22%3E%40Nasos%20Kladakis%3C%2FA%3E%26nbsp%3Band%20the%20team%20have%20worked%20really%20hard%20to%20get%20out%20there!%20Great%20to%20see%20your%20enthusiasm%20on%20it%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2395%22%20target%3D%22_blank%22%3E%40Cian%20Allner%3C%2FA%3E%2C%20we%60re%20looking%20forward%20to%20hear%20what%20you%20and%20other%20customers%20think%20about%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Cian Allner
Trusted Contributor

This looks awesome - simplify licence management for Office 365, EMS, Dynamics 365 and more with the new group-based licensing preview in Azure AD:

 

Microsoft cloud services such as Office 365, Enterprise Mobility + Security, Dynamics CRM, and other similar products require licenses to be assigned to each user who needs access to these services. Until now, licenses could only be assigned at individual user level, which can male large-scale management difficult for our customers.

 

all-products-assign.png

 

We have introduced a new capability of the Azure AD license management system: group-based licensing. It is now possible to assign one or more product licenses to a group. Azure AD will make sure that the licenses are assigned to all members of the group. Any new members joining the group will be assigned the appropriate licenses and when they leave the group those licenses will be removed. This eliminates the need for automating license management via PowerShell to reflect changes in the organization and departmental structure on a per-user basis.

 

select-a-group2.png

 

Here is the documentation with the steps to get started - What is group-based licensing in Azure Active Directory?

38 Replies

This is a great announcement @Nasos Kladakis and the team have worked really hard to get out there! Great to see your enthusiasm on it @Cian Allner, we`re looking forward to hear what you and other customers think about it.

We are so glad that you think this is awesome ! (We agree)

Fantastic piece of work . Has saved us hours/ days of effort.

So this is super exciting, tested it out, works amazingly.

Two questions:

(1) Even though it is considered "public preview", any reason that we should not consider taking advantage of this immediately?

(2) What is the best way to bulk remove "direct" licenses from users? Just use PowerShell, or is there something new in the UI I have overlooked.

 

Scratch question 2, @Adam Fowler's link covers it perfectly!

Brent

Public preview means a number of things. But most of all means no SLA.

I really want to tell you to go and use it because it seems to work perfectly :) However this is what public preview is all about:

Test the feature, get feedback from as many users as possible and then call it Generally available.

 

Nasos

This went down very well at a SharePoint Saturday demo I did in Munich last week. People are clamouring for this and it might stop people using Okta and similar third parties!

 

If anyone wants to see it in action, I put together a short video showing it in use. https://www.youtube.com/watch?v=Ih0XN0eRWwA

 

 

This video demonstrates the newly released into preview Azure AD Group based licensing for Office 365 and related technologies. It demonstrates what Azure AD Group Based licensing is and how it can be used to apply licensing to Office 365 against on-premises Active Directory groups. For more info

Greetings all,

My question is specifically in regards to end user licensing in the Education Sector, which is needed to use Azure AD Group Based Licensing.

 

Going by Source 1, all users who inherit a license via the group based licensing model will need an Azure AD Basic license (not Azure AD Free).

Going by Source 2, this will change once the functionality reaches GA.

Once this happens, "it will be included in Office 365 Enterprise E3 and similar products."

 

As Education licensing differs from the standard Enterprise E3, will this functionality be included at no cost for Student and Alumni licensing?

 

As you can imagine, a large University will have hundreds of thousands of Alumni and tens of thousands of Students. Having Education E3 include the Azure AD Basic licensing / eligibility for Azure AD Group based licensing for $0 will help for Staff, but if Azure AD Basic licensing is not included for Alumni and Students, the Education sector will not be able to afford to use this awesome functionality.


Can someone please provide clarity, and preferably a link to a valid Microsoft site, on how Azure AD Group Based Licensing and Azure AD Basic will apply to Staff, Students and Alumni.

 

Source 1 -

Source 2 -

  • Linkhttps://blogs.technet.microsoft.com/enterprisemobility/2017/02/22/announcing-the-public-preview-of-a...
  • It contains the following statement:

    "While group-based license management is in public preview you will need an active subscription for Azure AD Basic (or above) in your tenant to assign licenses to groups. If you don’t have one, just sign up for an Enterprise Mobility + Security trial. Later, when this functionality becomes generally available it will be included in Office 365 Enterprise E3 and similar products."

As it relates to Education, I know that we just purchased an EES agreement, and in so doing we were able to add the SKU 965-00002 for Azure Basic (AADB) for $0 to get this...but this does require an active EES agreement to add AADB for free. I just got this and it hasn't been applied to my portal yet, but I've been assured by Microsoft that is all you need to switch from user-based processing using Azure powershell scripts to using groups in Azure.

@Nasos Kladakis Should help explain what the intentions are around availbility of Group Based License management with regards to version of Azure AD.

 

Brjann Brekkan

- Azure AD Program Manager

As a follow-up since I was able to test this last night, Azure Basic ($0 if you have an EES, even though I don't have E3, just the regular faculty/student O365) does allow you to use Groups to assign Azure rights for applications. However, Azure Basic does not let you use dynamic groups. For example, I have a dynamic email group called "All Staff", but that group is not available to Azure when assigning application rights, because you need an Azure Premium, not Basic, license for dynamic groups. That means that I had to create a new "AllStaffAzure" group in O365 portal (I chose to hide that group since I'm only using it for assigning Azure rights) and I used Powershell to assign all staff accounts into that group, then I could set the Application in Azure (like Google Apps, EasyBib, etc.) to use that "AllStaffAzure" group, instead of having to assign each person individually. So it's still not as dynamic as I'd like, but it's easier for me to use Powershell to script users into an O365/Exchange group than Azure.

That makes sense as Dynamic groups is specifically an Azure AD Premium offering.

 

At the moment I'm tending towards recommending my clients create specific groups for licensing seperate from access and security groups unless they have very simple "give everyone an E3" requirements.  This allows them to then create seperate license blocks for more enhanced uses if required.

 

E.g.

 

Office 365 Base E3 License group - Gives the 'Standard' offering to staff (could be used for basic O365 access too)

Office 365 Exchange Plan 1 - Gives the basic e-mail functionality

Office 365 Exchange Plan 2 - Gives the enhanced e-mail functionality.

 

etc..

 

I'm interested in other peoples approaches?

 

Paul.

 

 

 

Solution

Group-based licensing will be a feature of all the paid Azure AD editions. (And it is included now during the public preview period)

That means Azure AD Basic, Azure AD Premium P1 and P2 and of course EMS E3 and E5 that includes Azure AD Premium.

Also will be a feature of Office 365 E3 and Office 365 E5 when it becomes generally avaialble.

 

Now, for EDU organizations things are rather simple becasue Azure AD Basic is free for them so by adding the free Azure AD Basic edition to their tenant they can use Group-Based Licensing for all the related products.

 

I hope this helps

 

Nasos

Thanks for your reply Nasos (and others). Your time and effort is appreciated.

Nasos, are you confirming that EDU get Azure AD Basic included?

Can you confirm that it is included for Alumni and Students as well.

 

For instance -

Exchange Online (Plan 1) for alumni only includes Exchange Online Plan 1 - Nothing else.

 

It would be awesome if this is included.

Can you please provide a link to an MS article advising that.

 

Thanks once again for the great support.


Terry

So does this mean all O365 Business related Plans (I am using Business Essentials and Business Premium) will qualify for the use of group based licensing?

 

Chris as I said it is for Office 365 E3 and E5 only. Of course you can purchase any Azure AD paid offering (Basic, Premium P1 or P2) and you add it in your tenant and then group-based linceinsing feature will be available for any Microsoft online service you have.

 


@Chris Yue wrote:

So does this mean all O365 Business related Plans (I am using Business Essentials and Business Premium) will qualify for the use of group based licensing?

 


 

Hi Nasos,

 

I did see mention of E3 and E5.

 

Must admit, I assumed my O365 Plans included Azure Basic already but it sounds like it is just the Free version.

 

Thanks for the clarification.


@Terry Munro wrote:

Thanks for your reply Nasos (and others). Your time and effort is appreciated.

Nasos, are you confirming that EDU get Azure AD Basic included?

Can you confirm that it is included for Alumni and Students as well.

 

For instance -

Exchange Online (Plan 1) for alumni only includes Exchange Online Plan 1 - Nothing else.

 

It would be awesome if this is included.

Can you please provide a link to an MS article advising that.

 

Thanks once again for the great support.


Terry


Terry, if you're K-12 or EDU like me, then the free E1 or E2 plans for faculty/students/alumni only include AAD (Azure AD), not AADB (Azure AD Basic). AADB is also free...but it can only be applied to your domain IF you also have a paid EES subscription. I don't have any articles on that, but I worked with various MS reps for the last 6 months trying to get AADB without an EES and it was simply not possible. I wanted AADB for the ability to use groups when assigning rights.

So I have set up a few AD groups that we will use to apply the licenses.

I have also set up a powershell script set up that will clear membership of those groups and refresh them every hour or so to account for changes (new users, changed situations, etc).

If I am clearing those groups out and replacing all the users frequently, is there anything to be concerned with from the group-based licensing process perspective? Or other gotchas?

Or would this be a pretty low risk process (given the code is built to properly populate the groups)?

Not a good idea as when you clear the membership GBL will trigger a remove of the license and then you would have to re-apply them and hope that your timing matches that of GBL updating the assignments in Office for example. You will likely get some very unpredictable results if you keep running this on your groups. 

 

I understand that you are doing this as a simple version of dynamic groups which is an Azure AD Premium feature but you have to change the logic to not remove member unless he/she is really removed. 

 

Brjann

 

That's disappointing, will have to experiment with how to handle delta changes to achieve same goal :(

Brent, we do something similar here, but we do delta changes to group membership using powershell, instead of a wipe and replace. It does rely on an extra step using MS Access or SQL Server to hold your combined AD/Azure data - for example, we have a scheduled task to powershell export the current Azure group listings/memberships and import into SQL Express. Another task to powershell export our local Active Directory info into same SQL Express. Then a query to find the new AD people, and another query to find the removed AD people. Export those 2 queries to a text file, and use those 2 to powershell the delta changes up to Azure.  It sounds like a lot but once you get it built, it's very quick and easy to run, and it sounds like you're almost doing that now. 

Ya, I've already got it pretty much implemented, just a simple delta comparison check of the groups instead of a wipe and replace, just took a bit more extra thought than I wanted to have :)

Not going to the complexity of tracking in Access or SQL, just powershell looking at existing AD groups we have set up and existing users.
So I just got this fully rolled out for us, and it works great! Took a bit more thought on the PowerShell automation to account for all of our scenarios, but pretty nice. I have alleviated the need for almost 10 global employees, who were managing licenses for various regions, to ever have to touch licensing at all, except for vary rare one offs that we maybe havent thought of yet, so they can focus on their other stuff now :)

Would you be willing to share your PowerShell scripts, or the relevants parts with your personal info stripped out? I'm always looking for better/faster ways to do things, but I understand that some people may not want to provide that info due to potential security reasons.

Glad to share.  Below is a sanitized version, the only thing you really have to do is set your AD domain (line 7), and then create your Groups as necessary.

 

May take a bit to disect the different scenarios I had to account for.

 

 

The main workhorse is the deltaSync function which adds and removes users as needed (instead of repopulating the license groups).

 

The getADGroupMembers function gets all users in an AD group and adds them to an array variable

 

What I am doing is basically building arrays of users:

  1. Iterate through all users (I am looking for users that have an Employee ID attribute which is connected to our HR system)
  2. Bouncing that list of users off of different Groups which will determine if they get E3's versus E5's.  
  3. Also bouncing that list of users of a few other license groups
  4. Then use the deltaSync functions to update O365 License Groups which are used directly in AAD License Templates.

I have one OU with Groups that our ID Administrators can update to account for specific scenarios.

Then I have another OU with Groups that are specifically for licenses (that will be used in AAD).

 

We are specifically applying licenses for E3's, E5's (with S4B phone), E5's (without S4B phone), Advanced Threat Protection (to E3 users), Project Online, Project Pro, Visio, PSTN Conferencing, EMS, Exchange Plan 2, and maybe one or two others.

 

Our AADConnect runs every 30 minutes, and this script runs every 30 minutes offset by 15 minutes from the AADConnect sync job.

 

 

$ScriptStart = (Get-Date)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function getADGroupMembers($adGroupName){
    $adGroupArray = @()

    $domain='' #Enter your AD domain here
    $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
    $group2 = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($pc, [System.DirectoryServices.AccountManagement.IdentityType]::Name, $adGroupName)
    $group2.Members.GetEnumerator() | % { 
        #Write-Host $_.DistinguishedName
        if($adGroupName -like "O365 License*"){        
            $adGroupArray += "$($_.DistinguishedName)"
        } else {
            if($_.DistinguishedName -notlike "*Disabled Objects*"){
                $adGroupArray += "$($_.DistinguishedName)"
            }
        }    
    }

    if($adGroupArray.Length -gt 0){
        return $adGroupArray
    } else {
        return $null
    }

}

function checkMembership($user, $array){
    return $array.contains($user)
}

function checkMembershipCount($checkGroup, $checkName){
    $count = 0
    foreach($checkGroupItem in $checkGroup){
        if($checkGroupItem.contains($checkName)){
            $count += 1
        }

    }    
    return $count
}

function removeArray($array1, $array2){
    if($array2){
        $array3 = @()
        foreach($item in $array1){
            if(!$array2.Contains($item)){
                $array3 += $item
            }
        }
        return $array3
    } else {
        return $array1
    }
}

function deltaSync($adGroupName, $replaceWith){

    $replaceWith = $replaceWith | select -uniq

    Write-Host "`nProcessing Target Group:" $adGroupName -ForegroundColor Cyan
    $adGroupArray = getADGroupMembers -adGroupName "$adGroupName"

    if($replaceWith.Length -eq 0 -and $adGroupArray.Length -eq 0){
        return $false
    }

    if($replaceWith.Length -eq 0 -and $adGroupArray.Length -ne 0){
        Write-Host "Removing all users"
        Remove-ADGroupMember "$adGroupName" -Members $adGroupArray -Confirm:$false
        return $false
    }

    if($replaceWith.Length -ne 0 -and $adGroupArray.Length -eq 0){
        Write-Host "Adding all users"
        Add-ADGroupMember "$adGroupName" -Members $replaceWith -Confirm:$false
        return $false
    }

    # Compare the differences between the two groups
    $arrayDiff = Compare-Object -ReferenceObject $adGroupArray -DifferenceObject $replaceWith 

    # Iterate the differences and determine Adds / Removes
    $usersToAdd = @()
    $usersToRemove = @()
    foreach($arrayItem in $arrayDiff){      
        if($arrayItem.SideIndicator -eq "=>"){
            Write-Host "Add to Array" $arrayItem.InputObject -ForegroundColor Yellow
            $usersToAdd += "$($arrayItem.InputObject)"
        } else {
            Write-Host "Remove from Group" $arrayItem.InputObject -ForegroundColor Red
            $usersToRemove += "$($arrayItem.InputObject)"            
        }
    }

    # Add users to target Group
    if($usersToAdd.Length -gt 0){
        Write-Host "`nAdd Users Now" -ForegroundColor Yellow
        Add-ADGroupMember "$adGroupName" -Members $usersToAdd -Confirm:$false
    }

    # Remove users from target Group
    if($usersToRemove.Length -gt 0){
        Write-Host "`nRemove Users Now" -ForegroundColor Yellow
        Remove-ADGroupMember "$adGroupName" -Members $usersToRemove -Confirm:$false
    }

    return $true

}

# Define E5 Groups to Check
$groups = getADGroupMembers -adGroupName "Groups with E5 Licenses (O365 Groups)"

# Build array of Users that get E5's based on Group Membership
$E5UserArray = @()
foreach($group in $groups){
    #$group | get-member
    $adGroup = Get-ADGroup $group    
    #$zzz = Get-ADGroup $adGroup -Properties *
    #$zzz.DisplayName
    #Write-Host "Processing $($adGroup.DisplayName)"
    $members = getADGroupMembers -adGroupName "$($adGroup.Name)"
    foreach($member in $members){
        #Write-Host "  $member"
        $E5UserArray += "$($member)" 
    }
}


$Users_S4BCloud = getADGroupMembers -adGroupName "Users with S4B Phone - Cloud"
$Users_S4BOnPrem = getADGroupMembers -adGroupName "Users with S4B Phone - On Prem"
$Devices_S4B = getADGroupMembers -adGroupName "Devices with S4B Conferencing"


# Get all Users from AD
$Users = Get-ADUser -Filter * -Properties userprincipalname,msRTCSIP-PrimaryUserAddress,Company,Created,displayName,employeeNumber,c,proxyAddresses,mail,sAMAccountType,userAccountControl,enabled

$Users_E5 = @()
$Users_E5_CloudPBX = @()
$Users_E3 = @()
$Users_EMS = @()
$count = 0

foreach($user in $users){
    if(($User.EmployeeNumber) -and ($User.DistinguishedName -like "*OU=Users*") -and ($User.DistinguishedName -notlike "*OU=_Disabled Objects*")){

        $count += 1

        if(checkMembership -array $E5UserArray -user "$user"){ 
            if(checkMembership -array $Users_S4BCloud -user "$user"){
                $Users_E5_CloudPBX += "$($user.DistinguishedName)"
            } else {
                $Users_E5 += "$($user.DistinguishedName)"
            }
        } else {
            $Users_E3 += "$($user.DistinguishedName)"
        }
        $Users_EMS += "$($user.DistinguishedName)"
    }
}

Write-Host "`nFound $count Users`n"


# Build array of Users that will receive no license
Write-Host "`n****`nExclusion List  `n****" -ForegroundColor Green
$ExclusionList = getADGroupMembers -adGroupName "Users with No License"
Write-Host $ExclusionList

Write-Host "`n****`nDevices with S4B Conferencing  `n****" -ForegroundColor Green
$Devices_S4B = getADGroupMembers -adGroupName "Devices with S4B Conferencing"
deltaSync -adGroup "O365 License Users with E5 (Devices)" -replaceWith $Devices_S4B

Write-Host "`n****`nUsers with Visio  `n****" -ForegroundColor Green
$Users_Visio = getADGroupMembers -adGroupName "Users with Visio"
$Users_Visio = removeArray -array1 $Users_Visio -array2 $ExclusionList
deltaSync -adGroup "O365 License Users with Visio" -replaceWith $Users_Visio

Write-Host "`n****`nUsers and Devices with Exchange Only  `n****" -ForegroundColor Green
$Users_ExchangeOnly = getADGroupMembers -adGroupName "Service Accounts with Email Only"
$Users_VM = getADGroupMembers -adGroupName "Devices with Voicemail"
$Users_ExchangeOnly = $Users_ExchangeOnly + $Users_VM
$Users_ExchangeOnly = removeArray -array1 $Users_ExchangeOnly -array2 $ExclusionList
deltaSync -adGroup "O365 License Users with Exchange Only" -replaceWith $Users_ExchangeOnly

Write-Host "`n****`nE5 (Regular)  `n****" -ForegroundColor Green
$Users_E5 = removeArray -array1 $Users_E5 -array2 $ExclusionList
deltaSync -adGroup "O365 License Users with E5 (Regular)" -replaceWith $Users_E5

Write-Host "`n****`nE5 (Phone)  `n****" -ForegroundColor Green
$Users_E5_CloudPBX = $Users_E5_CloudPBX
$Users_E5_CloudPBX = removeArray -array1 $Users_E5_CloudPBX -array2 $ExclusionList
deltaSync -adGroup "O365 License Users with E5 (Phone)" -replaceWith $Users_E5_CloudPBX

Write-Host "`n****`nE3 (Temporary)  `n****" -ForegroundColor Green
$Users_E3_Temporary = getADGroupMembers -adGroupName "Users with E3 Limited Licenses"
deltaSync -adGroup "O365 License Users with E3 (Temporary)" -replaceWith $Users_E3_Temporary

Write-Host "`n****`nE3 (Service Accounts)  `n****" -ForegroundColor Green
$Users_E3_ServiceAccounts = getADGroupMembers -adGroupName "Service Accounts with E3 Licenses"
deltaSync -adGroup "O365 License Users with E3 (Service Accounts)" -replaceWith $Users_E3_ServiceAccounts

$Users_E3_Manual = getADGroupMembers -adGroupName "Users (Non-Buckman) with E3 Licenses"
$Users_E3 = $Users_E3 + $Users_E3_Manual
$Users_E3 = removeArray -array1 $Users_E3 -array2 $ExclusionList
$Users_E3 = removeArray -array1 $Users_E3 -array2 $Users_E3_Temporary
Write-Host "`n****`nE3 / ATP  `n****" -ForegroundColor Green
deltaSync -adGroup "O365 License Users with E3" -replaceWith $Users_E3

Write-Host "`n****`nATP  `n****" -ForegroundColor Green
$Users_ATP = $Users_E3 + $Users_E3_Temporary
deltaSync -adGroup "O365 License Users with ATP" -replaceWith $Users_ATP

Write-Host "`n****`nEMS  `n****" -ForegroundColor Green
$Users_EMS = $Users_E3 + $Users_E5_CloudPBX + $Users_E5
$Users_EMS = removeArray -array1 $Users_EMS -array2 $Devices_S4B
$Users_EMS = removeArray -array1 $Users_EMS -array2 $ExclusionList
deltaSync -adGroup "O365 License Users with EMS" -replaceWith $Users_EMS

Write-Host "`n****`nProject Pro  `n****" -ForegroundColor Green
$Users_ProjectPro = getADGroupMembers -adGroupName "Users with Project Pro"
deltaSync -adGroup "O365 License Users with Project Pro" -replaceWith $Users_ProjectPro

Write-Host "`n****`nProject Online  `n****" -ForegroundColor Green
$Users_ProjectOnline = getADGroupMembers -adGroupName "Users with Project Online"
deltaSync -adGroup "O365 License Users with Project Online" -replaceWith $Users_ProjectOnline

Write-Host "`n****`nUsers with PSTN Conferencing  `n****" -ForegroundColor Green
$Users_PSTN = getADGroupMembers -adGroupName "Users with PSTN Conferencing"
$Users_PSTN = removeArray -array1 $Users_PSTN -array2 $ExclusionList
deltaSync -adGroup "O365 License Users with PSTN Conferencing" -replaceWith $Users_PSTN

$ALL_E5_1 = getADGroupMembers -adGroupName "O365 License Users with E5 (Phone)"
$ALL_E5_2 = getADGroupMembers -adGroupName "O365 License Users with E5 (Regular)"
$ALL_E5 = $ALL_E5_2 + $ALL_E5_1 
$ALL_E3 = getADGroupMembers -adGroupName "O365 License Users with E3"
$Users_PSTN_E3 = removeArray -array1 $Users_PSTN -array2 $ALL_E5
$Users_PSTN_E3 = removeArray -array1 $Users_PSTN_E3 -array2 $ExclusionList
deltaSync -adGroup "O365 License Users with PSTN Conferencing (E3)" -replaceWith $Users_PSTN_E3
$Users_PSTN_E5 = removeArray -array1 $Users_PSTN -array2 $ALL_E3
$Users_PSTN_E5 = removeArray -array1 $Users_PSTN_E5 -array2 $ExclusionList
deltaSync -adGroup "O365 License Users with PSTN Conferencing (E5)" -replaceWith $Users_PSTN_E5


$ScriptEnd = (Get-Date)
$RunTime = New-Timespan -Start $ScriptStart -End $ScriptEnd
"`nElapsed Time: {0}:{1}:{2}" -f $RunTime.Hours,$Runtime.Minutes,$RunTime.Seconds
 

 

Wow! Thank you!! I'm going to dig into this and see what I can re-use for my environment, which looks like it will end up saving us more time here too. I really appreciate your post!!
Spoiler
 

Is it also possible to get an export from for example all the users with the E3 license?

Hello, 

as I understand it is still in public preview. So my question, do you have a timeline when group-based license management will be GA? And how quick will it be available (GA) in the German Cloud?

 

Regards Thomas 

I'm keen to understand when this is going GA as well.

I concur, when is this going GA?

We have just changed our licensing to Office 365 E3 to Office 365 E5. 

And Kiosk to F1 licensing is there any reason not to use group based licensing?

This would help flip all my users properly and also remove the services that we didn't want to go live quite yet.

 

When is this going GA?

We found that the “Azure AD group-based license management” (in public preview) is not currently smart enough to recognize a single user license between E3 and E5. It “double dips”, so a user who has an E5 license (direct or inherited) and an E3 license (direct or inherited) takes up two license; one E3 and one E5. This scenario did not create any warning or alert from the system. Is there a UserVoice style area to communicate with folks evaluating what will be GA?

@Deleted, here's where you could add in to Azure AD ideas on UserVoice: https://feedback.azure.com/forums/169401-azure-active-directory

 

There's some Group Based Licensing requests in there already.

The problem here isn't the AD Group based implementation. it honours whatever licensing rules are applied by the platform. Therefore if you can apply the two license templates in the Office 365 UI, then you can do the same in the Group Based templates.

 

In this instance, it's a viable solution to apply elements from both E3 and E5 to a single user (Note I said viable.. not sensible!). You'll find that you can tick both E3 and E5 in the Office 365 UI. If you tried to do the same using and F1 and E3 or F1 and E5 it would throw an error in the UI and also in the Group Based licensing interfaces. 

@Paul Hunt - Cimares I like your quantifier "(Note I said viable.. not sensible!)"

The problem, of course is, if a thing is not sensible, someone will still try to do it at the expense of others around them.

I do understand what you are saying though.

We - large scale corporate implementation - will need a reasonable way of reporting on it or preventing it.

Pulling the data per user per license per service down from the tenant via PowerShell then republishing it via PowerBI is also viable but not sensible. ;)

My tests of the group-based license management is going well. Its value is clear especially given Microsoft's gross propensity to force service plans out as "Enabled by default". (another viable not sensible example)

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
ChirmyRam in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies