How to check if an account is licenced after backsync following update to 8.1.3

Hi,

I've recently updated to 8.1.3 and I'm having trouble with one of the custom scripts since it uses a newer version of PowerShell. We have a hybrid setup and when we create users we aren't creating a mailbox. Instead Exchange Online is creating a mailbox when Azure syncs with the cloud. Then when the backsync happens Active Roles checks that accounts have a licence assigned and then sets a custom attribute we created (edsvaRemoteMailboxCreation, bad name tbh), which then runs another script that adds the Exchange attributes we want. The second part is working fine, but since we updated the licence check isn't working properly.

Old script - 

$MSOLSession = Connect-MsolService -Credential $credential
$UserPN = $DirObj.get("UserPrincipalName")
$User = Get-MsolUser -UserPrincipalName $UserPN
if ($User.IsLicensed -eq $true)
{
    $user = ($user.userprincipalname)
    Set-QADUser $User -proxy -objectAttributes @{edsvaRemoteMailboxCreation=$true}
}

Initially after update I was getting an error on the first line, so I replaced that with:

$MSOLSession = Connect-ExchangeOnline -Credential $credential

I can run this script manually with PowerShell and it works but the new Active Roles doesn't like it when running as part of a workflow. In Change history I get an error:

  • At line: 6 char:16. Could not load type 'System.IdentityModel.Tokens.JwtSecurityToken' from assembly 'System.IdentityModel.Tokens.Jwt, Version=6.22.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

I had a play with it and changed the script to use the Assigned licenses attribute instead, coming up with this:

$Licence = Get-QADUser -proxy $UserPN -IncludedProperties edsaAzureUserAssignedLicenses,edsvaAzureObjectID | select edsaAzureUserAssignedLicenses
if ($Licence ="*disabledplans*")
{
    Set-QADUser $UserPN -proxy -objectAttributes @{edsvaRemoteMailboxCreation=$true}
}

That seemed to work perfectly until I thought to check what it would do on someone who doesn't have a license. It makes the attribute true even if the AssignedLicenses attribute is blank!  Is this something anyone else has tried to do or do you have any suggestions please?

Thanks

Charlene

  • If you are performing this evaluation in the Active Roles Administration Service after a user has been Azure-enabled, you don't need to connect to Azure or Exchange Online in order to check if the license was properly applied. Active Roles queries the value for you via the Graph API; you just have to get it from Active Roles.

    I checked the edsaAzureUserAssignedLicenses attribute of an enabled and licensed user in order to see what the SKU GUID was that I was interested in, and then I was able to successfully check this using this query:

    $t = (Get-qaduser azure.enable01 -IncludedProperties edsvaAzureObjectID,edsaAzureUserPrincipalName,edsaAzureUserAssignedLicenses -proxy).edsaAzureUserAssignedLicenses
    
    $licence = $t | ConvertFrom-Json
    
    If($licence.skuid -eq "6fd2c87f-b296-42f0-b197-1e91e994b900")
    {$TRUE}
    else{$FALSE}

    If the license was present, even if it was one among many, the above evaluation spits out TRUE. If that specific SKU was not assigned, the evaluation was always FALSE.

    I hope that this helps!
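
A null-safe form of the licence check discussed in this thread, as an added example (not code from either poster or from Active Roles): it returns false for a blank edsaAzureUserAssignedLicenses value and true only when the wanted SKU is in the parsed list. The function name Test-AssignedSku, the placeholder SKU and the sample JSON strings are assumptions made for the illustration; the JSON shape is inferred from the skuId and disabledPlans names that appear in the posts.

```powershell
# Added example. The JSON samples are constructed; their shape is assumed from
# the skuId and disabledPlans property names that appear in the thread.
function Test-AssignedSku {
    param(
        [string]$AssignedLicensesJson,               # raw attribute value, may be blank
        [Parameter(Mandatory)][string]$SkuId         # SKU GUID to look for
    )

    # A blank attribute means no licence: return before parsing anything.
    if ([string]::IsNullOrWhiteSpace($AssignedLicensesJson)) { return $false }

    try {
        $licences = $AssignedLicensesJson | ConvertFrom-Json -ErrorAction Stop
    }
    catch {
        Write-Warning "Assigned licences value is not valid JSON: $($_.Exception.Message)"
        return $false
    }

    # -eq compares. A single '=' inside if() assigns the right-hand string to
    # the variable, and that non-empty string makes the condition true every time.
    foreach ($licence in $licences) {
        if ($licence.skuId -eq $SkuId) { return $true }
    }
    return $false
}

$wantedSku = '6fd2c87f-b296-42f0-b197-1e91e994b900'   # SKU GUID quoted in the reply

# Constructed attribute values (the 00000000-... SKU is a placeholder).
$samples = [ordered]@{
    'wanted SKU among several' = '[{"disabledPlans":[],"skuId":"00000000-0000-0000-0000-000000000001"},{"disabledPlans":[],"skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"}]'
    'different SKU only'       = '[{"disabledPlans":[],"skuId":"00000000-0000-0000-0000-000000000001"}]'
    'blank attribute'          = ''
    'empty JSON array'         = '[]'
    'not JSON at all'          = 'disabledplans'
}

foreach ($name in $samples.Keys) {
    $result = Test-AssignedSku -AssignedLicensesJson $samples[$name] -SkuId $wantedSku
    '{0,-26} -> {1}' -f $name, $result
}
```

In the workflow script the first argument would be the edsaAzureUserAssignedLicenses value returned by Get-QADUser with -IncludedProperties and -proxy, as in the reply above.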
