It is not possible with the Windows AAD connector for FIM, but as you use FIM anyway, use the PowerShell Management Agent (Microsoft's or Soren's) to license users in the cloud :)
We have a couple of deployments where we manage O365 licenses that way :)
Hello,
At one customer, with a simple solution, I ran a PowerShell script right after the confirming import which sets a license for all users in that domain which don't have a license.
This script goes like:

# Import Azure PowerShell Module
Import-Module MSOnline

# Build Credential Object for Authentication
# (the password is kept in clear text here; see the follow-up post below about moving it to an encrypted file)
$secpasswd = ConvertTo-SecureString "MyAzurePW" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("Account@MyDomain.onmicrosoft.com", $secpasswd)

# Connect to MSOL-Service.
Connect-MsolService -Credential $mycreds

# Get all synchronized Azure Users without License and assign Intune License to them.
# -Synchronized restricts the query to directory-synced users, so cloud-only accounts are never touched.
$UserList = Get-MsolUser -All -Synchronized -UnlicensedUsersOnly
Write-Output "Starting Intune License Activation PowerShell Script."
foreach ($user in $UserList) {
    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses "MyOrga:INTUNE_A"
    $username = $user.UserPrincipalName
    Write-Output "Add License for user: $username"
}

This is from my simple WAAD Connector sample on my blog: https://justidm.wordpress.com/2014/10/27/a-minimalistic-fim-aad-sync-connector-solution-for-windows-intune/
The script is for the Intune license, but you can easily modify it for O365.
Peter,
How/where do you call this script? Your blog says 'call the script after the confirming import of the run'. Could you please explain it?
Hello,
I have written my own PowerShell MA run profile scheduler which can call a script before and after any run profile. So after exporting (and delta import for confirm) data to Azure AD, I run the above script.
This script searches Azure AD for synchronized users only which don't currently have a license and applies a license to those users. Simple but effective, and it doesn't touch other "Azure only" accounts like the sync service account.
Other Azure licenses can also be attached to users via group membership; I've done this with AD Premium, EMS and ECS, but I remember that this is not possible for O365.
The above script has worked fine in my customer's productive environment for months now. The password part should be more secure, I know, and I'm on the way to saving the credentials as an encrypted file. But it works as expected.
/Peter
That's awesome. I got the script working but don't know how I can call it using the Microsoft connector. I am very new to the PowerShell connector. I am trying to get past the connectivity tab. There are many script tabs: common module script, validation script,
schema script... Any idea where I would call the script?
I read this article.
https://technet.microsoft.com/en-us/library/dn640417%28v=ws.10%29.aspx
All I need to do is run the script to set O365 licensing. It looks like the schema script is mandatory. How would I import the schema?
- Edited by fim_sc Monday, June 29, 2015 10:00 PM
Hello,
I never used the Microsoft PowerShell MA; I mostly use Soren's PS MA, but in general you need a schema script which defines the objects you will have in this MA.
In this case users, and I think you only need a very limited set of attributes like an ID and accountname.
Then you will need a PS script to import the users from Azure AD; in the export script you can then use my PS license script and modify it to act only on one user at a time.
So you will call this script multiple times (for each user) on export.
If the above script works fine for you, I would not call it from a PS MA; instead let it run right after the export of the WAAD MA, like I do.
/Peter
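The following is an added example, not code from Peter's blog or from any post in this thread. It takes the licensing script posted earlier and makes it usable in both ways Peter describes: as a function called once per user from a PS MA export script, and as a bulk pass run right after the WAAD MA export and confirming import. It also closes the clear-text password gap Peter mentions by reading a DPAPI-protected credential file, skips cloud-only and already-licensed accounts, and sets a UsageLocation first because Set-MsolUserLicense refuses users without one. The credential file path, the SKU id "MyOrga:INTUNE_A" and the default usage location "DE" are assumptions for illustration.

```powershell
# Added example, not code from the original posts or Peter's blog.
# Assumptions (hypothetical): credential file path, SKU id "MyOrga:INTUNE_A",
# default usage location "DE".

Import-Module MSOnline

function Connect-LicensingService {
    # The credential file is created once, interactively, by the same Windows
    # account that later runs the sync service or scheduler:
    #   Get-Credential | Export-Clixml -Path 'C:\FIMScripts\msol-cred.xml'
    # Export-Clixml protects the SecureString with DPAPI for that user on that
    # machine, so the file is useless if copied elsewhere or read by another
    # account. The script itself never holds a clear-text password.
    param([Parameter(Mandatory = $true)][string]$CredentialPath)

    $cred = Import-Clixml -Path $CredentialPath
    Connect-MsolService -Credential $cred
}

function Set-SyncedUserLicense {
    # Licenses one synchronized user and returns a result object instead of
    # throwing, so a bulk run records per-user outcomes and keeps going.
    param(
        [Parameter(Mandatory = $true)][string]$UserPrincipalName,
        [Parameter(Mandatory = $true)][string]$AccountSkuId,
        [string]$DefaultUsageLocation = 'DE',   # assumed value
        [switch]$WhatIf
    )

    $result = [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; Result = '' }

    try {
        $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    } catch {
        $result.Result = "Failed: $($_.Exception.Message)"
        return $result
    }

    # Guard rails: never touch cloud-only accounts (for example the sync
    # service account) and never re-add a SKU the user already holds.
    if (-not $user.LastDirSyncTime) {
        $result.Result = 'Skipped: not a synchronized user'
        return $result
    }
    if ($user.Licenses.AccountSkuId -contains $AccountSkuId) {
        $result.Result = 'Skipped: already licensed'
        return $result
    }

    if ($WhatIf) {
        $result.Result = "WhatIf: would add $AccountSkuId"
        return $result
    }

    try {
        # Set-MsolUserLicense fails for users without a UsageLocation, which
        # freshly synchronized objects often lack; set it before licensing.
        if (-not $user.UsageLocation) {
            Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $DefaultUsageLocation -ErrorAction Stop
        }
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $AccountSkuId -ErrorAction Stop
        $result.Result = "Licensed with $AccountSkuId"
    } catch {
        $result.Result = "Failed: $($_.Exception.Message)"
    }
    return $result
}

# Bulk mode, as in Peter's post-export scheduler: only synchronized,
# unlicensed users are fetched, so cloud-only accounts are never candidates.
Connect-LicensingService -CredentialPath 'C:\FIMScripts\msol-cred.xml'
$results = Get-MsolUser -All -Synchronized -UnlicensedUsersOnly |
    ForEach-Object { Set-SyncedUserLicense -UserPrincipalName $_.UserPrincipalName -AccountSkuId 'MyOrga:INTUNE_A' }
$results | Format-Table -AutoSize

# Export-script mode (one object per call), e.g. from a PS MA export script
# where $upn is taken from the exported object:
#   Set-SyncedUserLicense -UserPrincipalName $upn -AccountSkuId 'MyOrga:INTUNE_A'
```

Run it once with -WhatIf against the tenant to see which users would be touched before letting the scheduler call it unattended. Note that the credential file is bound to the Windows account and machine that created it, so it has to be generated under the service account on the sync server, and that Microsoft has since retired license assignment through the MSOnline cmdlets in favour of Microsoft Graph, so on a current tenant the two Set-Msol* calls need to be replaced with their Graph equivalents while the rest of the logic stays the same.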
I am using a FIM Portal outbound sync rule to the Office 365 account. What should the DN value be? Should it be the sourceAnchor (objectGUID from AD) or accountname@domainname? I had accountname@domainname as the DN. After the export runs of AD and Azure, AD synced the objectGUID and it renamed the DN in Azure. It stopped working all of a sudden.
The object is created in Azure at the first export. When the source anchor is exported in the next sync cycle (after the AD sync), I am getting a "useraccountEnabledMissing" error. AccountEnabled is already set when the object is created. Any idea why it is throwing
this error?
Also, how do I validate the presence of the source anchor before triggering the export through the FIM Portal OSR? I could see Equal, no starts with, contains, etc. but not IsPresent.
- Edited by fim_sc Tuesday, July 07, 2015 7:46 PM
Hello,
I never had that issue.
As you can see from my blog post mentioned above, I set the sourceAnchor as the DN when provisioning objects to Azure, not the UPN. After that I simply let AccountEnabled flow as a direct flow.
It doesn't matter whether you use sync rules or a code extension.
I assume you use an outbound scope filter based OSR (not Set/MPR/Workflow), so there is no IsPresent; instead you can use: sourceAnchor starts with %
This should do the trick.
/Peter