This one is a few years old, but I haven't seen anything similar, so I thought I may as well share some information on a solution I put in place with MIM to manage Office 365 license and service plan allocation.

In summary:

- Create a new object class in MIM for Office 365 service plans, and an instance for each SKU/service plan.
- Add a multi-valued reference attribute to each user to store which service plans are allocated.
- Create a new MV class and attributes and flow the data from the FIM MA into the metaverse. This is only needed if you want the data in the MV (I exported this data to a SQL database MA for a script we were using before group-based licensing).
- Create a new tab in the user editing RCDC to select service plans, delegated to whoever manages license allocation.
- Create a policy to allocate a default set of service plans during user provisioning.
- Create criteria-based groups exported out to AD and synchronised to AAD, to use Azure group-based licensing.

This provided a nifty way for us to delegate and control SKUs down to the individual service plans. It fit into our MIM-centric view of the world and tied in with our MIM reporting and delegation models.
Create FIM Resources, attributes and binding

Resource type to store Office 365 license objects:

| System Name | Display Name | Description |
|---|---|---|
| Office365License | Office 365 License | Office 365 and Azure AAD Licenses |
New attribute for SKU, bound to Office365License:

| Object Type | System/Display Name | Type | Multi-valued | Description |
|---|---|---|---|---|
| Office365License | SKU | Indexed String | No | Office 365 SKU |
Multi-valued reference property bound to users:

| Object Type | System Name | Display Name | Type | Multi-valued | Description |
|---|---|---|---|---|---|
| Person | Office365ServicePlans | Office365 Service Plans | Reference (DN) | Yes | {None} |
Note that there is no explicit link between the user-bound attribute and the new resource type: technically the ObjectID of any resource can be stored in the service plans attribute. We rely on the RCDC list filter (the `ListFilter` property of the list view control below) to control which references are stored in this attribute, so anyone who can write the attribute by another route (PowerShell, web service) is not constrained by it.
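Because the schema itself does not constrain the reference, a periodic audit can confirm that every value in Office365ServicePlans resolves to an Office365License object. The script below is an added example and not part of the original post; it assumes the FIMAutomation snap-in is available and that the MIM Service listens at the placeholder `$fimUri`, and it uses only the object type and attribute names defined above (plus the standard Person AccountName attribute for reporting).

```powershell
# Added example (not from the original post): audit Office365ServicePlans references.
# Assumptions: FIMAutomation snap-in, MIM Service at $fimUri (placeholder host/port).
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$fimUri = "http://mim01:5725"

# Reference values and ObjectIdentifier both use the urn:uuid:<guid> form; normalise
# them so the comparison does not depend on case or on the prefix being present.
function ConvertTo-ObjectId {
    param([string]$Value)
    return $Value.ToLowerInvariant() -replace '^urn:uuid:', ''
}

# Returns the values of one attribute from an exported ResourceManagementObject,
# always as an array (empty when the attribute is not set).
function Get-FimAttributeValues {
    param($Resource, [string]$AttributeName)
    $attr = $Resource.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

# Exports all Office365License objects and all Person objects, then reports every
# service-plan reference that does not point at a license object.
function Find-DanglingServicePlanReferences {
    param([string]$Uri)

    # Every legitimate value in Office365ServicePlans must be one of these ObjectIDs.
    $validIds = @{}
    foreach ($lic in (Export-FIMConfig -Uri $Uri -CustomConfig "/Office365License" -OnlyBaseResources)) {
        $id = ConvertTo-ObjectId $lic.ResourceManagementObject.ObjectIdentifier
        $validIds[$id] = (Get-FimAttributeValues $lic.ResourceManagementObject "DisplayName")[0]
    }

    # Full Person export; narrow the XPath on a large directory.
    $people = Export-FIMConfig -Uri $Uri -CustomConfig "/Person" -OnlyBaseResources
    $findings = @()
    foreach ($p in $people) {
        $obj = $p.ResourceManagementObject
        $account = (Get-FimAttributeValues $obj "AccountName")[0]
        foreach ($ref in (Get-FimAttributeValues $obj "Office365ServicePlans")) {
            $id = ConvertTo-ObjectId $ref
            if (-not $validIds.ContainsKey($id)) {
                $findings += [pscustomobject]@{
                    AccountName = $account
                    Reference   = $ref
                    Problem     = "Not an Office365License object"
                }
            }
        }
    }
    return $findings
}

Find-DanglingServicePlanReferences -Uri $fimUri | Format-Table -AutoSize
```

An empty result means every allocated service plan points at a real license object; anything listed was written to the attribute by something other than the filtered RCDC list and should be investigated before it reaches the metaverse and downstream group membership.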
Add an Office365 licensing tab to the user editing/creation RCDC

Add the following grouping. Note that the binding source for the creation RCDC must be schema, rather than object as in the editing RCDC shown below:
```xml
<my:Grouping my:Name="Office365LicensesGroup" my:Caption="Office365" my:Enabled="true">
  <my:Control my:Name="SyncTo365" my:TypeName="UocCheckBox"
              my:Caption="{Binding Source=schema, Path=SyncTo365.DisplayName}"
              my:Description="{Binding Source=schema, Path=SyncTo365.Description}"
              my:RightsLevel="{Binding Source=rights, Path=SyncTo365}">
    <my:Properties>
      <my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=SyncTo365.Required}"/>
      <my:Property my:Name="Text" my:Value="Synchronised to Office 365"/>
      <my:Property my:Name="Checked" my:Value="{Binding Source=object, Path=SyncTo365, Mode=TwoWay}"/>
    </my:Properties>
  </my:Control>
  <my:Control my:Name="Office365Licenses" my:TypeName="UocListView"
              my:Caption="Office 365 Licenses" my:Description="Office 365 Licenses."
              my:RightsLevel="{Binding Source=rights, Path=Office365ServicePlans}">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Description,SKU"/>
      <my:Property my:Name="EmptyResultText" my:Value="There are no licenses available for this person."/>
      <my:Property my:Name="ResultObjectType" my:Value="Office365License"/>
      <my:Property my:Name="PageSize" my:Value="10"/>
      <my:Property my:Name="ShowTitleBar" my:Value="false"/>
      <my:Property my:Name="ShowActionBar" my:Value="false"/>
      <my:Property my:Name="ShowPreview" my:Value="false"/>
      <my:Property my:Name="ShowSearchControl" my:Value="false"/>
      <my:Property my:Name="EnableSelection" my:Value="true"/>
      <my:Property my:Name="SingleSelection" my:Value="false"/>
      <my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=Office365ServicePlans, Mode=TwoWay}"/>
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>
      <my:Property my:Name="ReadOnly" my:Value="false"/>
      <my:Property my:Name="ListFilter" my:Value="/Office365License"/>
    </my:Properties>
  </my:Control>
</my:Grouping>
```
For example, the RCDC results in an 'Office365' tab for license allocation (we also control synchronisation to Office 365 from this tab, via the SyncTo365 checkbox).
Recycle the SharePoint app pool so the updated RCDC is picked up:

```powershell
# Recycle the MIM Portal application pool on the portal server (mim01) via WMI
$sharepoint = Get-WmiObject -ComputerName "mim01" -Namespace root\MicrosoftIISv2 -Authentication PacketPrivacy `
    -Query "SELECT * FROM IIsApplicationPool WHERE Name = 'W3SVC/APPPOOLS/SharePoint - 80'"
$sharepoint.Recycle()
```
Create Office 365 licensing objects and allow sync to MV

Create a set, All Office 365 Licenses, to use as the target resource set for the access policies below:
Create FIM MPRs to allow synchronisation

| DisplayName | Synchronization: Synchronization account can read Office365Licenses it synchronizes |
|---|---|
| Description | Policy to allow synchronisation of Office365License objects |
| Type | Request |
| Requestor | Synchronization Engine |
| Operation | Read |
| Permissions | Grant |
| Target Resource Set | All Office 365 Licenses |
| Resource Attributes | All Attributes |

| DisplayName | Synchronization: Synchronization account controls Office365Licenses it synchronizes |
|---|---|
| Description | Policy to allow synchronisation of Office365License objects |
| Type | Request |
| Requestor | Synchronization Engine |
| Operation | Modify |
| Permissions | Grant |
| Target Resource Set | All Office 365 Licenses |
| Resource Attributes | All Attributes |
Note that the modify policy above is required; otherwise a 'failed-modification-via-web-services' export error will occur while the sync engine exports MVObjectID:

```
Fault Reason: Policy prohibits the request from completing, Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException
```
Create FIM MPRs for administrative access

Create a grant-permission MPR allowing administrators to create, delete and modify objects in the set above:

| Name | Administration: Administrators can control Office 365 licenses |
|---|---|
| Requestors | Administrators |
| Operation | Create, Delete, Add, Remove, Modify |
| Grants Permission | Yes |
| Target Resource Before | All Office 365 Licenses |
| Target Resource After | All Office 365 Licenses |
| Resource Attributes | All Attributes |

Then modify the existing user administration MPR, changing only its resource attributes so administrators can write the new attribute:

| Name | Administration: Administrators can read and update Users |
|---|---|
| Requestors | <No Change> |
| Operation | <No Change> |
| Grants Permission | <No Change> |
| Target Resource Before | <No Change> |
| Target Resource After | <No Change> |
| Resource Attributes | Add 'Office 365 Service Plans' |
Add the new object type to the synchronisation filter so it flows to the metaverse

Modify the Synchronization Filter resource (Administration > All Resources > Synchronization Filter):

| Synchronization Filter | Add Office365License |
|---|---|
Create a new PowerShell session before creating the license objects; the following error may be returned when reusing an existing session:

```
Error= System.InvalidOperationException: Operation is not valid due to the current state of the object.
```
For example, create some EMS and E1 service plans, grouped by SKU:

| DisplayName | Description | SKU |
|---|---|---|
| MFA | Azure Multi-factor authentication | EMS |
| Intune | Intune | EMS |
| RMS | Azure Active Directory Rights Management | EMS |
| Yammer | Yammer | E1 |
| Sway | Sway | E1 |
| Lync | Lync Online | E1 |
| SharePoint | SharePoint Online | E1 |
| Exchange | Exchange Online | E1 |
Ensure a CSV file with the above table exists, then create one Office365License object per row:

```powershell
$licenses = Import-Csv -Path C:\temp\licenses.csv
foreach ($license in $licenses) {
    # write-output "DisplayName: '$($license.DisplayName)', Description: '$($license.Description)', SKU '$($license.SKU)'"
    # CreateOffice365License.ps1 creates a single Office365License object in the FIM Service
    . .\CreateOffice365License.ps1 -displayName $license.DisplayName -description $license.Description -sku $license.SKU
}
```
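The loop above dot-sources CreateOffice365License.ps1, which the post does not include. The following is an added example, not the post's own script, of how the same job can be done with the FIMAutomation snap-in: it refuses to create a second license object with the same DisplayName and SKU (two objects for one plan would let two different references mean the same thing), creates the object otherwise, and reuses the same helper to create the All Office 365 Licenses set that the synchronisation and administration MPRs above target. The service URI, the function names and the set's filter are assumptions; the sample rows are the service plan table from the post, embedded so the script runs as one piece.

```powershell
# Added example, not the post's CreateOffice365License.ps1 (which is not shown).
# Assumptions: FIMAutomation snap-in loaded, MIM Service at $fimUri (placeholder).
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$fimUri = "http://mim01:5725"
$ns = "Microsoft.ResourceManagement.Automation.ObjectModel"

# One attribute assignment on an ImportObject.
function New-FimImportChange {
    param([string]$AttributeName, [string]$Value)
    $c = New-Object "$ns.ImportChange"
    $c.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
    $c.AttributeName = $AttributeName
    $c.AttributeValue = $Value
    $c.FullyResolved = 1
    $c.Locale = "Invariant"
    return $c
}

# Creates one resource of any object type with the given attribute values.
function New-FimResource {
    param([string]$ObjectType, [hashtable]$Attributes, [string]$Uri)
    $o = New-Object "$ns.ImportObject"
    $o.ObjectType = $ObjectType
    $o.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $o.TargetObjectIdentifier = $o.SourceObjectIdentifier
    $o.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create
    $o.Changes = @($Attributes.Keys | ForEach-Object { New-FimImportChange -AttributeName $_ -Value $Attributes[$_] })
    $o | Import-FIMConfig -Uri $Uri
}

# Values are interpolated into an XPath filter, and the FIM XPath dialect has no way to
# escape a quote, so reject characters that could alter the filter instead of quoting them.
function Assert-SafeXPathLiteral {
    param([string]$Value)
    if ($Value -match "['\]\[]") { throw "Value '$Value' contains characters not allowed in a filter literal" }
}

# Equivalent of the post's CreateOffice365License.ps1 (hypothetical name).
function New-Office365License {
    param([string]$DisplayName, [string]$Description, [string]$Sku, [string]$Uri = $fimUri)
    Assert-SafeXPathLiteral $DisplayName
    Assert-SafeXPathLiteral $Sku
    $existing = Export-FIMConfig -Uri $Uri -OnlyBaseResources `
        -CustomConfig "/Office365License[DisplayName='$DisplayName' and SKU='$Sku']"
    if ($existing) {
        Write-Warning "Office365License '$DisplayName' ($Sku) already exists; skipping"
        return
    }
    New-FimResource -Uri $Uri -ObjectType "Office365License" -Attributes @{
        DisplayName = $DisplayName
        Description = $Description
        SKU         = $Sku
    }
}

# The set targeted by the MPRs above: every Office365License object (filter is an assumption).
function New-AllOffice365LicensesSet {
    param([string]$Uri = $fimUri)
    $filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
              'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
              'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
              'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">/Office365License</Filter>'
    New-FimResource -Uri $Uri -ObjectType "Set" -Attributes @{
        DisplayName = "All Office 365 Licenses"
        Filter      = $filter
    }
}

# Sample input: the service-plan table from the post, embedded instead of reading a CSV file.
$licenses = @"
DisplayName,Description,SKU
MFA,Azure Multi-factor authentication,EMS
Intune,Intune,EMS
RMS,Azure Active Directory Rights Management,EMS
Yammer,Yammer,E1
Sway,Sway,E1
Lync,Lync Online,E1
SharePoint,SharePoint Online,E1
Exchange,Exchange Online,E1
"@ | ConvertFrom-Csv

New-AllOffice365LicensesSet
foreach ($license in $licenses) {
    New-Office365License -DisplayName $license.DisplayName -Description $license.Description -Sku $license.SKU
}
```

The same reference-comparison form used in the duplicate check, for example `/Person[Office365ServicePlans = /Office365License[SKU = 'E1']]`, is the kind of criteria the licensing groups from the summary would use, which is why a license object must exist exactly once per service plan.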
Create metaverse object class

office365License:

| Object Type | Attribute Names |
|---|---|
| office365License | displayName, description, sKU, csObjectID |

| Object Type | Attribute Name | Type | Multi-valued | Indexed |
|---|---|---|---|---|
| office365License | sKU | String (indexable) | No | No |
person:

| Object Type | Attribute Name | Type | Multi-valued | Indexed |
|---|---|---|---|---|
| person | office365ServicePlans | Reference (DN) | Yes | No |
FIM MA:

| Refresh Schema | |
|---|---|
| Select Object Types | Office365License |
| Select Attributes | SKU, Office365ServicePlans |
| Object Type Mapping | Office365License -> office365License |
| Attribute Flow (office365License) | Add SKU -> sKU; Add DisplayName -> displayName; Add Description -> description; Remove ExpectedRulesList; Remove DetectedRulesList |
| Attribute Flow (Person) | Add import Office365ServicePlans -> office365ServicePlans |
Synchronise Office 365 licenses from FIM to the metaverse

- Run FIM Full Import and Full Sync
- FIM Export
- FIM Full Import and Full Sync