Creating an O365 Licensing policy using MIM 2016 Security Groups

For this blog post I will assume you are using the O365 group licensing feature.

First create user profiles for the employees. Let's look at this organization, TLK Enterprise. Here are its O365 licensing requirements.

Full-Time Employees

  1. FTEs that are active and in the office will get E5.
  2. FTEs that are active and remote will get E1.
  3. FTEs that are exceptions will get E5. If an exception user is in the group that currently has E1, the E1 will be removed.

Contractors

  1. Contractors that are active and in the office will get E1.
  2. Contractors that are remote will get no license.
  3. Contractors that are exceptions will get E1 or E5. If they are in the E5 exception, the E1 will be removed.

Solution

Set up group sync in MIM, from AD to the sync engine to the Portal.

Create the following criteria-based and manual groups in the MIM Portal:

Name: _FTE Employees in the Office

Criteria: EmployeeStatus = A and EmployeeType = Full Time Employee and OfficeLocation != Remote

Name: _FTE Employee not in the office

Criteria: EmployeeStatus = A and EmployeeType = Full Time Employee and OfficeLocation = Remote

Name: _FTE Employee O365 Licensing Exception

Type: Manually managed

Name: _Contractor Employees in the Office

Criteria: EmployeeStatus = A and EmployeeType = Contractor and OfficeLocation != Remote

Name: _Contractor Employee O365 Licensing Exception

Type: Manually managed

Name: _FTE E5 Licensing

Criteria: member of _FTE Employee in the Office and not member of _FTE Employee O365 Licensing Exception

Name: _FTE E1 Licensing

Criteria: member of _FTE Employee not in the Office

Name: _Contractor E1 Licensing

Criteria: member of _Contractor Employees in the Office and not member of _Contractor Employee O365 Licensing Exception

Code

I am using Lithnet configuration management to create the SGs; I can also use Lithnet PowerShell.

<?xml version="1.0" encoding="UTF-8"?>
<Lithnet.ResourceManagement.ConfigSync>
  <Operations>
    <!-- Declare some Objects -->
    <!-- operation="None" only resolves an existing resource so later operations can reference it by id -->
    <ResourceOperation operation="None" resourceType="ObjectTypeDescription" id="Person">
      <AnchorAttributes>
        <AnchorAttribute>Name</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="none" name="Name">Person</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- Person1 is the account used as Owner and DisplayedOwner of every group below -->
    <ResourceOperation operation="None" resourceType="Person" id="Person1">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="none" name="DisplayName">tlkmimserv</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <ResourceOperation operation="None" resourceType="ObjectTypeDescription" id="Group">
      <AnchorAttributes>
        <AnchorAttribute>Name</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="none" name="Name">Group</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>

    <!-- Create Group -->

    <!-- Criteria-based group: active FTEs whose OfficeLocation is not Remote -->
    <ResourceOperation operation="Add Update" resourceType="Group" id="CreatemyGroup1">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">_FTE Employees in the Office</AttributeOperation>
        <AttributeOperation operation="replace" name="AccountName">FTE Employees in the Office</AttributeOperation>
        <AttributeOperation operation="replace" name="Domain">TLKdomain</AttributeOperation>
        <AttributeOperation operation="replace" name="Scope">Global</AttributeOperation>
        <AttributeOperation operation="replace" name="Type">Security</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipLocked">True</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipAddWorkflow">None</AttributeOperation>
        <AttributeOperation operation="replace" name="Filter" type="filter">/Person[EmployeeStatus = 'A' and EmployeeType = 'Full Time Employee' and (not(OfficeLocation = 'Remote'))]</AttributeOperation>
        <AttributeOperation operation="replace" name="DisplayedOwner" type="xmlref">Person1</AttributeOperation>
        <AttributeOperation operation="replace" name="Owner" type="xmlref">Person1</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>

    <!-- Criteria-based group: active FTEs whose OfficeLocation is Remote -->
    <ResourceOperation operation="Add Update" resourceType="Group" id="CreatemyGroup2">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">_FTE Employees not in the Office</AttributeOperation>
        <AttributeOperation operation="replace" name="AccountName">FTE Employees not in the Office</AttributeOperation>
        <AttributeOperation operation="replace" name="Domain">TLKdomain</AttributeOperation>
        <AttributeOperation operation="replace" name="Scope">Global</AttributeOperation>
        <AttributeOperation operation="replace" name="Type">Security</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipLocked">True</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipAddWorkflow">None</AttributeOperation>
        <AttributeOperation operation="replace" name="Filter" type="filter">/Person[EmployeeStatus = 'A' and EmployeeType = 'Full Time Employee' and OfficeLocation = 'Remote']</AttributeOperation>
        <AttributeOperation operation="replace" name="DisplayedOwner" type="xmlref">Person1</AttributeOperation>
        <AttributeOperation operation="replace" name="Owner" type="xmlref">Person1</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>

    <!-- Manually managed group (no Filter, membership not locked): FTE licensing exceptions -->
    <ResourceOperation operation="Add Update" resourceType="Group" id="CreatemyGroup3">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">_FTE Employees O365 Licensing Exception</AttributeOperation>
        <AttributeOperation operation="replace" name="AccountName">FTE Employees O365 Licensing exception</AttributeOperation>
        <AttributeOperation operation="replace" name="Domain">TLKdomain</AttributeOperation>
        <AttributeOperation operation="replace" name="Scope">Global</AttributeOperation>
        <AttributeOperation operation="replace" name="Type">Security</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipLocked">False</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipAddWorkflow">None</AttributeOperation>
        <AttributeOperation operation="replace" name="DisplayedOwner" type="xmlref">Person1</AttributeOperation>
        <AttributeOperation operation="replace" name="Owner" type="xmlref">Person1</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>

    <!-- Criteria-based group: active contractors whose OfficeLocation is not Remote -->
    <ResourceOperation operation="Add Update" resourceType="Group" id="CreatemyGroup4">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">_Contractor Employees in the Office</AttributeOperation>
        <AttributeOperation operation="replace" name="AccountName">Contractor Employees in the Office</AttributeOperation>
        <AttributeOperation operation="replace" name="Domain">TLKdomain</AttributeOperation>
        <AttributeOperation operation="replace" name="Scope">Global</AttributeOperation>
        <AttributeOperation operation="replace" name="Type">Security</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipLocked">True</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipAddWorkflow">None</AttributeOperation>
        <AttributeOperation operation="replace" name="Filter" type="filter">/Person[EmployeeStatus = 'A' and EmployeeType = 'Contractor' and (not(OfficeLocation = 'Remote'))]</AttributeOperation>
        <AttributeOperation operation="replace" name="DisplayedOwner" type="xmlref">Person1</AttributeOperation>
        <AttributeOperation operation="replace" name="Owner" type="xmlref">Person1</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>

    <!-- Manually managed group (no Filter, membership not locked): contractor licensing exceptions -->
    <ResourceOperation operation="Add Update" resourceType="Group" id="CreatemyGroup5">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">_Contractor O365 Licensing Exception</AttributeOperation>
        <AttributeOperation operation="replace" name="AccountName">Contractor O365 Licensing exception</AttributeOperation>
        <AttributeOperation operation="replace" name="Domain">TLKdomain</AttributeOperation>
        <AttributeOperation operation="replace" name="Scope">Global</AttributeOperation>
        <AttributeOperation operation="replace" name="Type">Security</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipLocked">False</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipAddWorkflow">None</AttributeOperation>
        <AttributeOperation operation="replace" name="DisplayedOwner" type="xmlref">Person1</AttributeOperation>
        <AttributeOperation operation="replace" name="Owner" type="xmlref">Person1</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>

    <!-- _FTE E5 Licensing: members of CreatemyGroup1 who are not members of CreatemyGroup3 -->
    <ResourceOperation operation="Add Update" resourceType="Group" id="CreatemyGroup6">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">_FTE E5 Licensing</AttributeOperation>
        <AttributeOperation operation="replace" name="AccountName">FTE E5 Licensing Group</AttributeOperation>
        <AttributeOperation operation="replace" name="Domain">TLKdomain</AttributeOperation>
        <AttributeOperation operation="replace" name="Scope">Global</AttributeOperation>
        <AttributeOperation operation="replace" name="Type">Security</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipLocked">True</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipAddWorkflow">None</AttributeOperation>
        <AttributeOperation operation="replace" name="Filter" type="filter">/Person[(ObjectID = /*[ObjectID = '##xmlref:CreatemyGroup1:ObjectID##']/ComputedMember) and (ObjectID != /*[ObjectID = '##xmlref:CreatemyGroup3:ObjectID##']/ComputedMember)]</AttributeOperation>
        <AttributeOperation operation="replace" name="DisplayedOwner" type="xmlref">Person1</AttributeOperation>
        <AttributeOperation operation="replace" name="Owner" type="xmlref">Person1</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>

    <!-- _FTE E1 Licensing: members of CreatemyGroup2 -->
    <ResourceOperation operation="Add Update" resourceType="Group" id="CreatemyGroup7">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">_FTE E1 Licensing</AttributeOperation>
        <AttributeOperation operation="replace" name="AccountName">FTE E1 Licensing Group</AttributeOperation>
        <AttributeOperation operation="replace" name="Domain">TLKdomain</AttributeOperation>
        <AttributeOperation operation="replace" name="Scope">Global</AttributeOperation>
        <AttributeOperation operation="replace" name="Type">Security</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipLocked">True</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipAddWorkflow">None</AttributeOperation>
        <AttributeOperation operation="replace" name="Filter" type="filter">/Person[(ObjectID = /*[ObjectID = '##xmlref:CreatemyGroup2:ObjectID##']/ComputedMember)]</AttributeOperation>
        <AttributeOperation operation="replace" name="DisplayedOwner" type="xmlref">Person1</AttributeOperation>
        <AttributeOperation operation="replace" name="Owner" type="xmlref">Person1</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>

    <!-- _Contractor E1 Licensing: members of CreatemyGroup4 who are not members of CreatemyGroup5 -->
    <ResourceOperation operation="Add Update" resourceType="Group" id="CreatemyGroup8">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">_Contractor E1 Licensing</AttributeOperation>
        <AttributeOperation operation="replace" name="AccountName">Contractor E1 Licensing Group</AttributeOperation>
        <AttributeOperation operation="replace" name="Domain">TLKdomain</AttributeOperation>
        <AttributeOperation operation="replace" name="Scope">Global</AttributeOperation>
        <AttributeOperation operation="replace" name="Type">Security</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipLocked">True</AttributeOperation>
        <AttributeOperation operation="replace" name="MembershipAddWorkflow">None</AttributeOperation>
        <AttributeOperation operation="replace" name="Filter" type="filter">/Person[(ObjectID = /*[ObjectID = '##xmlref:CreatemyGroup4:ObjectID##']/ComputedMember) and (ObjectID != /*[ObjectID = '##xmlref:CreatemyGroup5:ObjectID##']/ComputedMember)]</AttributeOperation>
        <AttributeOperation operation="replace" name="DisplayedOwner" type="xmlref">Person1</AttributeOperation>
        <AttributeOperation operation="replace" name="Owner" type="xmlref">Person1</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
  </Operations>
</Lithnet.ResourceManagement.ConfigSync>
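
A pre-import check for a ConfigSync file like the one above, as an added example that is not part of the original post or of the Lithnet project. It flags typographic quotes picked up when copying from a web page (curly single quotes inside a Filter are not valid XPath string delimiters even though the XML still parses), xmlref references to ids the file never declares, and groups whose MembershipLocked value disagrees with the presence of a Filter. The function name lint_configsync, the constructed sample and the locked-equals-criteria rule (taken from the convention this config follows) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

CURLY = "\u201c\u201d\u2033\u2018\u2019"  # typographic quotes picked up from web copy
XMLREF = re.compile(r"##xmlref:([^:#]+):")

# Constructed sample: the Filter points at an undeclared id and the group is unlocked.
SAMPLE = """<Lithnet.ResourceManagement.ConfigSync><Operations>
<ResourceOperation operation="None" resourceType="Person" id="Person1"/>
<ResourceOperation operation="Add Update" resourceType="Group" id="CreatemyGroup7">
 <AttributeOperations>
  <AttributeOperation operation="replace" name="MembershipLocked">False</AttributeOperation>
  <AttributeOperation operation="replace" name="Filter" type="filter">/Person[(ObjectID = /*[ObjectID = '##xmlref:CreatemyGroup2:ObjectID##']/ComputedMember)]</AttributeOperation>
  <AttributeOperation operation="replace" name="Owner" type="xmlref">Person1</AttributeOperation>
 </AttributeOperations>
</ResourceOperation>
</Operations></Lithnet.ResourceManagement.ConfigSync>"""

def lint_configsync(text):
    """Return findings for a ConfigSync document; an empty list means it passed."""
    bad = sorted({c for c in text if c in CURLY})
    if bad:
        return ["typographic quotes present: " + " ".join(bad)]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    ops = root.findall("./Operations/ResourceOperation")
    ids = {op.get("id") for op in ops}
    findings = []
    for op in ops:
        attrs = {a.get("name"): a for a in op.iter("AttributeOperation")}
        for a in attrs.values():
            value = (a.text or "").strip()
            # type="xmlref" values are bare ids; filters embed ##xmlref:ID:Attribute##
            refs = [value] if a.get("type") == "xmlref" else XMLREF.findall(value)
            findings += [f"{op.get('id')}: unresolved xmlref {r}" for r in refs if r not in ids]
        if op.get("resourceType") == "Group" and "MembershipLocked" in attrs:
            locked = (attrs["MembershipLocked"].text or "").strip().lower() == "true"
            if ("Filter" in attrs) != locked:  # this config's convention: criteria groups are locked
                findings.append(f"{op.get('id')}: MembershipLocked does not match Filter")
    return findings

if __name__ == "__main__":
    for finding in lint_configsync(SAMPLE):
        print(finding)
```

An unlocked group with a Filter, or an exception group that silently gains one, changes who receives a license, so it is worth running a check like this on every change to the file before importing it.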