Office 365 has a lot of options and applications to choose from. Enabling an E1, E3, or any other license gives the user a lot of features, including Exchange, SharePoint, and Teams. But what if you want to make sure that the user can access only Microsoft Teams? By default, you can do it manually during the assignment of the license. Simply choose only the apps you want to assign to the user.
Of course, doing this manually is error-prone and may give the user a bit too much. So how can we make sure that the user gets only what they are supposed to get?
If you're lucky enough to have a high enough license (Azure AD Premium 1), you can enable the assignment of licenses by group membership. This provides an easy way to assign multiple licenses to one user, with specific apps of your choice. It's quite easy to set up and works with both Azure AD group membership and Active Directory group membership. The steps are:
And you're done. Once a user is added to the group, the licenses will kick in.
The second option is based on PowerShell. You can configure license options based on an existing license. Since creating a new license option requires you to list the apps you want to disable, that list may need to change if Microsoft decides to add new plans to your Office 365 tenant. That's why, instead of relying on DisabledPlans, I've reversed the situation by requiring only EnabledPlans and figuring out which plans to disable.
```powershell
# Requires the MSOnline module and an active Connect-MsolService session
$License = 'evotec:STANDARDPACK' # E1 license
# Allow-list: the only service plans that should stay enabled
$EnabledPlans = @(
    'TEAMS1'
    'WHITEBOARD_PLAN1'
)
# UserPrincipalNames that must not be licensed by this script
$Exclusions = @(
    '[email protected]'
)

# Every plan the license contains right now, read from the tenant
$AllPlans = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $License } | Select-Object -ExpandProperty ServiceStatus).ServicePlan.ServiceName
# Disable everything that is not on the allow-list, including plans added later
$DisabledPlans = $AllPlans | Where-Object { $EnabledPlans -notcontains $_ }
$E1CustomizedLicense = New-MsolLicenseOptions -AccountSkuId $License -DisabledPlans $DisabledPlans

$Users = Get-MsolUser -UnlicensedUsersOnly -All -EnabledFilter EnabledOnly
foreach ($User in $Users) {
    # A usage location is required before a license can be assigned
    if ($User.UsageLocation -ne 'PL') {
        Set-MsolUser -UserPrincipalName $User.UserPrincipalName -UsageLocation PL
    }
    if ($User.IsLicensed -eq $false -and $Exclusions -notcontains $User.UserPrincipalName) {
        Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -AddLicenses $License -LicenseOptions $E1CustomizedLicense
    }
}
```
As part of the above code, I've added the ability to exclude some accounts. Please keep in mind that I'm assigning a license to everyone who doesn't have one yet. With multiple licenses being available in your tenant, you may need to modify the code a bit and apply it based on that. You can quickly check for possible plans to disable/enable with the following code:
```powershell
$LicensePlans = Get-MsolAccountSku | ForEach-Object {
    [PSCustomObject] @{
        LicenseName = $_.AccountSkuId
        Plans       = $_.ServiceStatus.ServicePlan.ServiceName -join ', '
    }
}
$LicensePlans | Format-Table -AutoSize
```
For me, the first option is always the way to go, unless you're out of luck and have limited features in your Office 365 tenant. The second option, while great, is only applicable to PowerShell, and your helpdesk staff can still assign wrong licenses manually. It would be great if the second option could create a variant of a license that can be chosen from the interface, but I don't have much hope for this one.
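Because helpdesk staff can still assign plans by hand, a periodic audit against the same EnabledPlans allow-list catches drift. The following is an added example, not code from the original post: `Find-LicensePlanDrift` and `New-SampleUser` are hypothetical helpers, the sample users and their extra plan names are constructed, and the input is assumed to have the shape of `Get-MsolUser` output.

```powershell
# Added example: report users whose license has plans enabled outside the allow-list.
# Find-LicensePlanDrift is a hypothetical helper; input objects are assumed to follow
# the Get-MsolUser shape (Licenses -> ServiceStatus -> ServicePlan.ServiceName).
function Find-LicensePlanDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [string] $License,
        [Parameter(Mandatory)] [string[]] $EnabledPlans,
        [string[]] $Exclusions = @()
    )
    process {
        if ($Exclusions -contains $User.UserPrincipalName) { return }
        foreach ($Assigned in $User.Licenses | Where-Object { $_.AccountSkuId -eq $License }) {
            # Any status other than 'Disabled' means the plan is on or being provisioned
            $Extra = @($Assigned.ServiceStatus |
                Where-Object { $_.ProvisioningStatus -ne 'Disabled' -and $EnabledPlans -notcontains $_.ServicePlan.ServiceName } |
                ForEach-Object { $_.ServicePlan.ServiceName })
            if ($Extra.Count -gt 0) {
                [PSCustomObject] @{
                    UserPrincipalName = $User.UserPrincipalName
                    License           = $License
                    UnexpectedPlans   = $Extra -join ', '
                }
            }
        }
    }
}

# Constructed sample data standing in for Get-MsolUser output (not real accounts)
function New-SampleUser ($Upn, [hashtable] $Plans) {
    $Status = foreach ($Name in $Plans.Keys) {
        [PSCustomObject] @{ ServicePlan = [PSCustomObject] @{ ServiceName = $Name }; ProvisioningStatus = $Plans[$Name] }
    }
    [PSCustomObject] @{
        UserPrincipalName = $Upn
        Licenses          = @([PSCustomObject] @{ AccountSkuId = 'evotec:STANDARDPACK'; ServiceStatus = @($Status) })
    }
}
$SampleUsers = @(
    New-SampleUser 'teams.only@example.com' @{ TEAMS1 = 'Success'; WHITEBOARD_PLAN1 = 'Success'; EXCHANGE_S_STANDARD = 'Disabled' }
    New-SampleUser 'manual.assign@example.com' @{ TEAMS1 = 'Success'; EXCHANGE_S_STANDARD = 'Success'; SHAREPOINTSTANDARD = 'PendingInput' }
)

# In a tenant, replace $SampleUsers with: Get-MsolUser -All
$SampleUsers | Find-LicensePlanDrift -License 'evotec:STANDARDPACK' -EnabledPlans 'TEAMS1', 'WHITEBOARD_PLAN1'
```

Only the second sample user is reported, because two plans outside the allow-list are not in the `Disabled` state.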