How to check if an account is licensed after backsync following update to 8.1.3

Hi,

I've recently updated to 8.1.3 and I'm having trouble with one of the custom scripts since it uses a newer version of PowerShell. We have a hybrid setup and when we create users we aren't creating a mailbox. Instead Exchange Online is creating a mailbox when Azure syncs with the cloud. Then when the backsync happens Active Roles checks that accounts have a licence assigned and then sets a custom attribute we created (edsvaRemoteMailboxCreation, bad name tbh), which then runs another script that adds the Exchange attributes we want. The second part is working fine, but since we updated the licence check isn't working properly.

Old script - 

$MSOLSession = Connect-msolservice -Credential $credential
$UserPN = $DirObj.get("UserPrincipalName")
$User = Get-MsolUser -userprincipalname $UserPN
if ($User.islicensed -eq $true)
{
$user = ($user.userprincipalname)
Set-QADUser $User -proxy -objectAttributes @{edsvaRemoteMailboxCreation=$true}
}
}

Initially after update I was getting an error on the first line, so I replaced that with:

$MSOLSession = Connect-ExchangeOnline -Credential $credential

I can run this script manually with PowerShell and it works, but the new Active Roles doesn't like it when running as part of a workflow. In Change history I get an error:

  • At line: 6 char:16. Could not load type 'System.IdentityModel.Tokens.JwtSecurityToken' from assembly 'System.IdentityModel.Tokens.Jwt, Version=6.22.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

I had a play with it and changed the script to use the Assigned licenses attribute instead, coming up with this:

$Licence = get-qaduser -proxy $UserPN -IncludedProperties edsaAzureUserAssignedLicenses,edsvaAzureObjectID | select edsaAzureUserAssignedLicenses
if ($Licence ="*disabledplans*")
{
Set-QADUser $UserPN -proxy -objectAttributes @{edsvaRemoteMailboxCreation=$true}
}
}

That seemed to work perfectly until I thought to check what it would do on someone who doesn't have a license. It makes the attribute true even if the AssignedLicenses attribute is blank!  Is this something anyone else has tried to do or do you have any suggestions please?

Thanks

Charlene

  • If you are performing this evaluation in the Active Roles Administration Service after a user has been Azure-enabled, you don't need to connect to Azure or Exchange Online in order to check if the license was properly applied. Active Roles queries the value for you via the Graph API; you just have to get it from Active Roles.

    I checked the edsaAzureUserAssignedLicenses attribute of an enabled and licensed user in order to see what the SKU GUID was that I was interested in, and then I was able to successfully check this using this query:

    $t = (Get-qaduser azure.enable01 -IncludedProperties edsvaAzureObjectID,edsaAzureUserPrincipalName,edsaAzureUserAssignedLicenses -proxy).edsaAzureUserAssignedLicenses
    
    $licence = $t | ConvertFrom-Json
    
    If($licence.skuid -eq "6fd2c87f-b296-42f0-b197-1e91e994b900")
    {$TRUE}
    else{$FALSE}

    If the license was present, even if it was one among many, the above evaluation spits out TRUE. If that specific SKU was not assigned, the evaluation was always FALSE.

    I hope that this helps!
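
The blank-attribute result from the question and the SKU check from this answer, put side by side as an added example (not code from any participant in the thread or from Active Roles). `Test-AssignedLicence` is a hypothetical helper name, and the sample attribute values are constructed, with the JSON shape assumed from the `skuId` and `disabledplans` fields mentioned above.

```powershell
# Constructed sample values standing in for edsaAzureUserAssignedLicenses.
# The JSON shape is an assumption based on the fields named in the thread.
$licensedValue   = '[{"disabledPlans":[],"skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"}]'
$unlicensedValue = ''

# The condition from the question: "=" assigns the pattern string to $Licence,
# and a non-empty string is truthy, so the branch runs for every user.
$Licence = $unlicensedValue
$assignmentForm = [bool]($Licence = '*disabledplans*')

# Hypothetical helper: $true only when the raw attribute value parses as JSON
# and carries a skuId (or the specific SKU requested via -SkuId).
function Test-AssignedLicence {
    param($RawValue, [string]$SkuId)

    $skus = @(foreach ($item in @($RawValue)) {
        $text = [string]$item
        if ([string]::IsNullOrWhiteSpace($text)) { continue }   # blank = no licence
        try   { $parsed = ConvertFrom-Json -InputObject $text -ErrorAction Stop }
        catch { continue }                                       # unparseable: fail closed
        foreach ($entry in @($parsed)) {
            if ($entry.skuId) { [string]$entry.skuId }
        }
    })

    if ($SkuId) { return ($skus -contains $SkuId) }
    return ($skus.Count -gt 0)
}

# In the workflow script, the Set-QADUser call from the thread would sit
# behind: if (Test-AssignedLicence $rawAttributeValue) { ... }
[pscustomobject]@{
    AssignmentForm = $assignmentForm
    LicensedUser   = Test-AssignedLicence $licensedValue
    UnlicensedUser = Test-AssignedLicence $unlicensedValue
    NullAttribute  = Test-AssignedLicence $null
    SpecificSku    = Test-AssignedLicence $licensedValue -SkuId '6fd2c87f-b296-42f0-b197-1e91e994b900'
    # All-zero GUID is a constructed placeholder for a SKU the user does not hold.
    DifferentSku   = Test-AssignedLicence $licensedValue -SkuId '00000000-0000-0000-0000-000000000000'
} | Format-List
```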

  • Hey Terrance,

    Any reason why I can't pull this attribute, edsaAzureUserAssignedLicenses, from a script used in a workflow?

    I have tried these commands and cannot store the value in a variable to check it properly; it is always empty. They all work fine at a command prompt.
    $User = $Workflow.SavedObjectProperties("Store SAM").get("samaccountname")


    #$tgtUserLic = (Get-qaduser mydomain\$User -IncludedProperties edsvaAzureObjectID,edsaAzureUserPrincipalName,edsaAzureUserAssignedLicenses -proxy).edsaAzureUserAssignedLicenses


    $tgtUser = Get-qaduser -proxy -identity mydomain\$User -IncludeallProperties
    $tgtUserLic = $tgtUser.edsaAzureUserAssignedLicenses

    $tgtUser = (Get-qaduser mydomain\$User -proxy -DontUseDefaultIncludedProperties).DN
    $tgtUserEntry = [ADSI]"EDMS://$tgtUser"
    $tgtUserLic = $tgtUserEntry.properties.edsaAzureUserAssignedLicenses

  • Make sure that there is a value in $User. Write it to a file using Out-File to confirm.

    Also, check to see if you are getting any result at all from Get-qaduser mydomain\$User -proxy

    Personally, I'd be retrieving the userPrincipalName instead of the samAccountName. You won't need to append the domain, you can just use the attribute value.

  • I think you need to do it like this:

    $tgtUserEntry = [ADSI]"EDMS://$tgtUser"

    # The licenses property is not part of the default property set so you need to pull it.

    $tgtUserEntry.RefreshCache(@("edsaAzureUserAssignedLicenses"))
    $tgtUserLic = $tgtUserEntry.properties.edsaAzureUserAssignedLicenses

  • All,
    Thanks for the advice.

    Wanted to give a bit of feedback as well as some extra results I found while testing all methods of making the calls to get edsaAzureUserAssignedLicenses.
    The average time was from 150 calls running every 15 min through the day/night to get a decent baseline.
    Was quite surprised EDMS was not the fastest in this scenario but am assuming it could be easier on the overall resources versus QAD cmdlets.

    $tgtUserLicDirectUPN = (Get-qaduser $UserUPN -IncludedProperties edsaAzureUserAssignedLicenses -proxy).edsaAzureUserAssignedLicenses  # Worked
    # 633 ms average

    $tgtUserEntryEDMS = [ADSI]"EDMS://$UserDN"
    $tgtUserEntryEDMS.refreshcache(@("edsaAzureUserAssignedLicenses"))
    $tgtUserLicEDMS = $tgtUserEntryEDMS.properties.edsaAzureUserAssignedLicenses
    # 691 ms average

    $tgtUserLicDirectDN = (Get-qaduser $UserDN -IncludedProperties edsaAzureUserAssignedLicenses -proxy).edsaAzureUserAssignedLicenses
    # 790 ms average

    $tgtUserLicDirectSAM = (Get-qaduser atlascopco\$User -IncludedProperties edsaAzureUserAssignedLicenses -proxy).edsaAzureUserAssignedLicenses
    # 1251 ms average

    $tgtUserUPN = Get-qaduser -proxy -identity $UserUPN -IncludeallProperties
    $tgtUserLicUPN = $tgtUserUPN.edsaAzureUserAssignedLicenses
    # 11447 ms average

    $tgtUserDN = Get-qaduser -proxy -identity $UserDN -IncludeallProperties
    $tgtUserLicDN = $tgtUserDN.edsaAzureUserAssignedLicenses
    # 12552 ms average

    $tgtUserSAM = Get-qaduser -proxy -identity <domain>\$UserSAM -IncludeallProperties
    $tgtUserLicSAM = $tgtUserSAM.edsaAzureUserAssignedLicenses
    # Did not work - was not able to retrieve the attribute


    One odd thing is that within a script/workflow usage this would not work:

    $tgtUserLic = $tgtUserLicEDMS | ConvertFrom-JSON
    $tgtUserLic.skuId # would never be present

    It would not convert it quite right, like it does in cmdline, VS Code, ISE.

    Had to get it this way:
    $tgtUserLic = ($tgtUserLicEDMS | ConvertFrom-JSON).skuId
