HOW TO: Provision O365 licenses with granulated services to MSOL (o365) users

I experienced the issue within windows PowerShell ISE when providing a license then explicitly disabling some of the cloud services by disabling the service plans, which are associated to the user and that persons O365 licence.
June 27, 2015
O365Powershell

Pre-requisite: Creating the user

In order to disable selective cloud services for a particular user, you MUST first ensure that the license is first assigned to that user. To do this, you must first have a user present then you need to execute the Set-MsolUserLicense command.

Once the user has an O365 license, you can then disable the services associated to that user by referencing the AccountSkuId (the type of O365 package/license) (just fyi, i'm using the 'STANDARDOFFPACK_FACULTY' AccountSkuId)

But you must first have a user to provide a license to. A full demonstration on how to perform this can be located within an earlier post, HOW TO: Connect to O365 and add a user via powershell terminal


Add license service plan to O365

The direct approach isn't necessary possible. You in fact must provide a license license (which provides you the services associated to that license, then you disable the services you don't want to provide to the user. You can't just provide a single service New-MsolLicenseOptions cmdlet.

The New-MsolLicenseOptions cmdlet allows you to create new license options, or in our case, allows you to explicitly disable specific service plans.

Even though 'Set-MsolUserLicense' and 'New-MsolLicenseOptions' are separate commands, you can concatenate them to perform a single command. HOWEVER this is possible by setting the 'New-MsolLicenseOptions' as a variable, then passing that variable as a parameter


Example

Once you've done that, you can then begin disabling the services associated to the user Assuming no errors have popped up, you can then perform the following command to see the current service plans


Known issue: Set-MsolUserLicense : Unable to assign this license

When executing the New-MsolLicenseOptions cmdlet, you may come across the following error when disabling SharePoint as an O365 service. This is because you're probably trying to disable either the SHAREPOINTSTANDARD_EDU or SHAREPOINTWAC_EDU service plan. To must however ensure you're disabling both O365 service plans simultaneously. So if you're using the following example above, instead of including just '-DisabledPlans SHAREPOINTSTANDARD_EDU', ensure you are passing both service plans. For example, '-DisabledPlans SHAREPOINTSTANDARD_EDU, SHAREPOINTWAC_EDU'

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles

Comments

Other Posts

NameID element must be present as part of the Subject in the Response message

ShibbolethSAML

August 7, 2018
Created by: Daniel Redfern
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...

HOW TO provision AD group membership from OpenIDM

OpenIDMICFAD-connector

June 15, 2018
Created by: Daniel Redfern
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

ICFIDMOpenIDMOpenICF

November 8, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

org.forgerock.script.exception.ScriptCompilationException: missing ; before statement

IDMsync.confforgerockopenidm

November 8, 2017
Created by: Daniel Redfern
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statemen

OpenIDMsync.confForgeRock

September 17, 2017
Created by: Daniel Redfern
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

Caused by: org.forgerock.json.resource.BadRequestException: Target does not support attribute groups

OpenIDMForgeRockICFConnector

September 17, 2017
Created by: Daniel Redfern
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

OpenIDMForgeRockICFConnectorAD

September 17, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_g

OpenIDMIDMGoogleGoogle-AppsICFreconciliation

September 12, 2017
Created by: Daniel Redfern
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...

forgerock-openidm-encryptedjwt-error

OpenIDMIDMForgeRockJWTIAM

August 29, 2017
Created by: Daniel Redfern
Received the JWT error
Read More...

Unexpected character ('¾' (code 190)): expected a valid value

ForgeRock-OpenIDMOpenIDMIDMKeystore

June 25, 2017
Created by: Daniel Redfern
Unexpected character occurred when the IP addresses changes and the virtual instance was migrated into a separate network subnet.
Read More...