Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland

Office 365 – Limiting license to minimum apps required


Office 365 has a lot of options and applications to choose from. Enabling one E1, E3, or any other license gives the user a lot of features, including Exchange, SharePoint, and Teams. But what if you want to make sure that the user can access only Microsoft Teams? By default, you can do it manually during the assignment of the license. Simply choose only the apps you want to assign to the user.

Of course, doing this manually is error-prone and may give the user a bit too much. So how can we make sure that the user gets what he is supposed to get?

License assignment using group membership

If you're lucky enough to have a high enough license (Azure AD Premium 1), you can enable the assignment of licenses by group membership. This provides an easy way to assign multiple licenses to one user, with specific apps of our choice. It's quite easy to set up and can work with both Azure AD group membership and Active Directory group membership. The steps are:

Click Licenses from the list
Click Manage your purchased licenses

Mark the checkbox next to the license you want to configure
Press Assign from the menu above

Choose Assignment options (pick the apps which are supposed to be enabled for the user)
Finally, apply it to a user or a group (better)

And you're done. Once a user is added to the group, the licenses will kick in.

License assignment using PowerShell

The second option is based on PowerShell. You can configure license options on top of an existing license. Creating a new license option requires you to list the apps you want to disable, so that list can become outdated if Microsoft decides to add new plans to your Office 365 tenant. That's why, instead of relying on DisabledPlans, I've reversed the situation by requiring only EnabledPlans and figuring out which plans to disable.

$License = 'evotec:STANDARDPACK' # E1 license
# Service plans that should stay enabled; every other plan in the SKU is disabled
$EnabledPlans = @(
    'TEAMS1'
    'WHITEBOARD_PLAN1'
)
# Accounts that should not receive the license
$Exclusions = @(
    'Sync_ADCONNECT1@evotec.onmicrosoft.com'
)

# Read the SKU's current plan list from the tenant, so newly added plans end up in $DisabledPlans as well
$AllPlans = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $License } | Select-Object -ExpandProperty ServiceStatus).ServicePlan.ServiceName
$DisabledPlans = $AllPlans | Where-Object { $EnabledPlans -notcontains $_ }
$E1CustomizedLicense = New-MsolLicenseOptions -AccountSkuId $License -DisabledPlans $DisabledPlans

# Only enabled accounts that have no license at all
$Users = Get-MsolUser -UnlicensedUsersOnly -All -EnabledFilter EnabledOnly
foreach ($User in $Users) {
    # A usage location must be set before a license can be assigned
    if ($User.UsageLocation -ne 'PL') {
        Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation PL
    }
    # Assign the license with the customized options, skipping excluded accounts
    if ($User.IsLicensed -eq $false -and $Exclusions -notcontains $User.UserPrincipalName) {
        Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $License -LicenseOptions $E1CustomizedLicense
    }
}

As part of the above code, I've added the ability to exclude some accounts. Please keep in mind that I'm assigning a license to everyone who doesn't have one yet. With multiple licenses being available in your tenant, you may need to modify the code a bit and apply it based on that. You can quickly check which plans are available to disable/enable with the following code:

$LicensePlans = Get-MsolAccountSku | ForEach-Object {
    [PSCustomObject] @{
        LicenseName = $_.AccountSkuId
        Plans = $_.ServiceStatus.ServicePlan.ServiceName -join ', '
    }
}
$LicensePlans | Format-Table -AutoSize

For me, the first option is always the way to go, unless you're out of luck and your Office 365 tenant has limited features. The second option, while great, applies only to PowerShell, and your helpdesk staff can still assign wrong licenses manually. It would be great if the second option created a variant of a license that could be chosen from the interface, but I don't have much hope for this one.
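Since manual assignment can still hand out too much, the result can be audited after the fact. The following is an added example, not code from the original post: it reports users whose copy of the license has plans active beyond the allowed list. The names Get-ExcessPlan and New-SampleUser and the sample accounts are hypothetical, and the sample objects are constructed to mirror the Licenses/ServiceStatus shape that Get-MsolUser returns.

```powershell
# Added example (not from the original post): report plans active beyond $EnabledPlans.
function Get-ExcessPlan {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [string] $License,
        [Parameter(Mandatory)] [string[]] $EnabledPlans,
        [string[]] $Exclusions = @()
    )
    process {
        if ($Exclusions -contains $User.UserPrincipalName) { return }
        foreach ($Assigned in @($User.Licenses | Where-Object { $_.AccountSkuId -eq $License })) {
            # Treat every plan as active unless its ProvisioningStatus is 'Disabled'
            $Active = $Assigned.ServiceStatus |
                Where-Object { $_.ProvisioningStatus -ne 'Disabled' } |
                ForEach-Object { $_.ServicePlan.ServiceName }
            $Excess = @($Active | Where-Object { $EnabledPlans -notcontains $_ })
            if ($Excess.Count -gt 0) {
                [PSCustomObject] @{
                    UserPrincipalName = $User.UserPrincipalName
                    License           = $License
                    ExcessPlans       = $Excess -join ', '
                }
            }
        }
    }
}

# Hypothetical helper: builds a constructed object shaped like Get-MsolUser output
function New-SampleUser ([string] $Upn, [hashtable] $Plans) {
    [PSCustomObject] @{
        UserPrincipalName = $Upn
        Licenses          = @([PSCustomObject] @{
                AccountSkuId  = 'evotec:STANDARDPACK'
                ServiceStatus = @($Plans.GetEnumerator() | ForEach-Object {
                        [PSCustomObject] @{
                            ServicePlan        = [PSCustomObject] @{ ServiceName = $_.Key }
                            ProvisioningStatus = $_.Value
                        }
                    })
            })
    }
}

# Constructed sample data: the second account has Exchange left enabled
$Sample = @(
    New-SampleUser 'teams.only@example.com' @{ TEAMS1 = 'Success'; EXCHANGE_S_STANDARD = 'Disabled' }
    New-SampleUser 'too.much@example.com' @{ TEAMS1 = 'Success'; EXCHANGE_S_STANDARD = 'Success' }
)
$Sample | Get-ExcessPlan -License 'evotec:STANDARDPACK' -EnabledPlans 'TEAMS1', 'WHITEBOARD_PLAN1'
```

Against a live tenant, pipe `Get-MsolUser -All` into the function instead of `$Sample`.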
