Voorbeelden van Microsoft Graph PowerShell-licenties op basis van groepen
Groepslicenties in Microsoft Entra-id, onderdeel van Microsoft Entra, zijn beschikbaar via de Azure Portal. Er zijn handige taken die kunnen worden uitgevoerd met Microsoft Graph PowerShell-cmdlets. In dit artikel bekijken we enkele voorbeelden van het gebruik van Microsoft Graph PowerShell.
Notitie
Voordat u cmdlets gaat uitvoeren, moet u eerst verbinding maken met uw organisatie door de Connect-MgGraph cmdlet uit te voeren.
Waarschuwing
Deze voorbeelden worden alleen verstrekt voor demonstratiedoeleinden. We raden u aan deze op kleinere schaal of in een afzonderlijke testomgeving te testen voordat u erop vertrouwt in uw productieomgeving. Mogelijk moet u de voorbeelden ook aanpassen om te voldoen aan de vereisten van uw specifieke omgeving.
Licenties toewijzen aan een groep
Groepslicenties bieden een handige manier om licentietoewijzing te beheren. U kunt een of meer productlicenties toewijzen aan een groep en deze licenties worden toegewezen aan alle leden van de groep.
# Import the Microsoft.Graph.Groups module
Import-Module Microsoft.Graph.Groups
$groupId = "911f05cf-f635-440c-b888-e54c73e0ef1a"
# Create a hashtable to store the parameters for the Set-MgGroupLicense cmdlet
$params = @{
AddLicenses = @(
@{
# Remove the DisabledPlans key as we don't need to disable any service plans
# Specify the SkuId of the license you want to assign
SkuId = "c42b9cae-ea4f-4ab7-9717-81576235ccac"
}
)
# Keep the RemoveLicenses key empty as we don't need to remove any licenses
RemoveLicenses = @(
)
}
# Call the Set-MgGroupLicense cmdlet to update the licenses for the specified group
# Replace $groupId with the actual group ID
Set-MgGroupLicense -GroupId $groupId -BodyParameter $params
Productlicenties weergeven die zijn toegewezen aan een groep
(Get-MgGroup -GroupId 99c4216a-56de-42c4-a4ac-1111cd8c7c41 -Property "AssignedLicenses" | Select-Object -ExpandProperty AssignedLicenses).SkuId
Alle groepen met licenties ophalen
# Import the Microsoft.Graph.Groups module
Import-Module Microsoft.Graph.Groups
# Get all groups and licenses
$groups = Get-MgGroup -All
$groupsWithLicenses = @()
# Loop through each group and check if it has any licenses assigned
foreach ($group in $groups) {
$licenses = Get-MgGroup -GroupId $group.Id -Property "AssignedLicenses, Id, DisplayName" | Select-Object AssignedLicenses, DisplayName, Id
if ($licenses.AssignedLicenses) {
$groupData = [PSCustomObject]@{
ObjectId = $group.Id
DisplayName = $group.DisplayName
Licenses = $licenses.AssignedLicenses
}
$groupsWithLicenses += $groupData
}
}
Statistieken ophalen voor groepen met licenties
# Import User Graph Module
Import-Module Microsoft.Graph.Users
# Authenticate to MS Graph
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All", "Group.ReadWrite.All"
#get all groups with licenses
$groups = Get-MgGroup -All -Property LicenseProcessingState, DisplayName, Id, AssignedLicenses | Select-Object displayname, Id, LicenseProcessingState, AssignedLicenses | Select-Object DisplayName, Id, AssignedLicenses -ExpandProperty LicenseProcessingState | Select-Object DisplayName, State, Id, AssignedLicenses | Where-Object {$_.State -eq "ProcessingComplete"}
$groupInfoArray = @()
# Filter the groups to only include those that have licenses assigned
$groups = $groups | Where-Object {$_.AssignedLicenses -ne $null}
# For each group, get the group name, license types, total user count, licensed user count, and license error count
foreach ($group in $groups) {
$groupInfo = New-Object PSObject
$groupInfo | Add-Member -MemberType NoteProperty -Name "Group Name" -Value $group.DisplayName
$groupInfo | Add-Member -MemberType NoteProperty -Name "Group ID" -Value $group.Id
$groupInfo | Add-Member -MemberType NoteProperty -Name "License Types" -Value ($group.AssignedLicenses | Select-Object -ExpandProperty SkuId)
$groupInfo | Add-Member -MemberType NoteProperty -Name "Total User Count" -Value (Get-MgGroupMember -GroupId $group.Id -All | Measure-Object).Count
$groupInfo | Add-Member -MemberType NoteProperty -Name "Licensed User Count" -Value (Get-MgGroupMember -GroupId $group.Id -All | Where-Object {$_. LicenseProcessingState -eq "ProcessingComplete"} | Measure-Object).Count
$groupInfo | Add-Member -MemberType NoteProperty -Name "License Error Count" -Value (Get-MgGroupMember -GroupId $group.Id -All | Where-Object {$_.LicenseProcessingState -eq "ProcessingFailed"} | Measure-Object).Count
$groupInfoArray += $groupInfo
}
# Format the output and print it to the console
$groupInfoArray | Format-Table -AutoSize
Alle groepen met licentiefouten ophalen
# Import User Graph Module
Import-Module Microsoft.Graph.Users
# Authenticate to MS Graph
Connect-MgGraph -Scopes "Group.Read.All"
# Get all groups in the tenant with license assigned and with errors
$groups = Get-MgGroup -All -Property LicenseProcessingState, DisplayName, Id, AssignedLicenses | Select-Object displayname, Id, LicenseProcessingState, AssignedLicenses | Select-Object DisplayName, Id, AssignedLicenses -ExpandProperty LicenseProcessingState | Select-Object DisplayName, State, Id, AssignedLicenses | Where-Object {$_.State -eq "ProcessingFailed" -and $_.AssignedLicenses -ne $null }
# Display the results and format output
$groups | Format-Table -AutoSize
Alle gebruikers met licentiefouten in een groep ophalen
Gezien een groep die enkele licentiegerelateerde fouten bevat, kunt u nu alle gebruikers weergeven die worden beïnvloed door deze fouten. Een gebruiker kan ook fouten van andere groepen hebben. In dit voorbeeld beperken we de resultaten echter alleen tot fouten die relevant zijn voor de betreffende groep door de eigenschap ReferencedObjectId van elke IndirectLicenseError-vermelding op de gebruiker te controleren.
# Import User Graph Module
Import-Module Microsoft.Graph.Users
# Authenticate to MS Graph
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"
# Get all groups in the tenant with license assigned
$groups = Get-MgGroup -All -Property LicenseProcessingState, DisplayName, Id, AssignedLicenses | Select-Object displayname, Id, LicenseProcessingState, AssignedLicenses | Select-Object DisplayName, Id, AssignedLicenses | Where-Object {$_.AssignedLicenses -ne $null }
#output array
$groupInfoArray = @()
# Get All Members from the groups and check their license status
foreach($group in $groups) {
$groupMembers = Get-MgGroupMember -GroupId $group.Id -All -Property LicenseProcessingState, DisplayName, Id, AssignedLicenses | Select-Object displayname, Id, LicenseProcessingState, AssignedLicenses | Select-Object DisplayName, Id, AssignedLicenses -ExpandProperty LicenseProcessingState | Select-Object DisplayName, Id, AssignedLicenses | Where-Object {$_.AssignedLicenses -ne $null }
foreach($member in $groupMembers) {
Write-Host "Member $($member.DisplayName)"
if($member.LicenseProcessingState -eq "ProcessingFailed") {
$group | Add-Member -MemberType NoteProperty -Name "License Error" -Value $member.DisplayName
$groupInfoArray += $group
}
}
}
# Format the output and print it to the console
if ($groupInfoArray.Length -gt 0) {
$groupInfoArray | Format-Table -AutoSize
}
else {
Write-Host "No License Errors"
}
Alle gebruikers met licentiefouten in de hele organisatie ophalen
Het volgende script kan worden gebruikt om alle gebruikers met licentiefouten op te halen uit een of meer groepen. Met het script wordt één rij per gebruiker, per licentiefout afgedrukt, zodat u duidelijk de bron van elke fout kunt identificeren.
# Import User Graph Module
Import-Module Microsoft.Graph.Users
# Authenticate to MS Graph
Connect-MgGraph -Scopes "User.Read.All"
# Get All Users From the Tenant with licenses assigned
$users = Get-MgUser -All -Property AssignedLicenses, LicenseAssignmentStates, DisplayName | Select-Object DisplayName, AssignedLicenses -ExpandProperty LicenseAssignmentStates | Select-Object DisplayName, AssignedByGroup, State, Error, SkuId
#count the number of users found with errors
$count = 0
# Loop through each user and check the Error property for None value
foreach($user in $users) {
if($user.Error -ne "None") {
$count += 1
Write-Host "User $($user.DisplayName) has a license error"
}
}
if ($count -le 0) {
write-host "No user found with license errors"
}
Controleren of de gebruikerslicentie rechtstreeks is toegewezen of is overgenomen van een groep
# Connect to Microsoft Graph using Connect-MgGraph
Connect-MgGraph -Scopes "User.Read.All"
# Get all users using Get-MgUser with a filter
$users = Get-MgUser -All -Property AssignedLicenses, LicenseAssignmentStates, DisplayName | Select-Object DisplayName, AssignedLicenses -ExpandProperty LicenseAssignmentStates | Select-Object DisplayName, AssignedByGroup, State, Error, SkuId
$output = @()
# Loop through all users and get the AssignedByGroup Details which will list the groupId
foreach ($user in $users) {
# Get the group ID if AssignedByGroup is not empty
if ($user.AssignedByGroup -ne $null)
{
$groupId = $user.AssignedByGroup
$groupName = Get-MgGroup -GroupId $groupId | Select-Object -ExpandProperty DisplayName
Write-Host "$($user.DisplayName) is assigned by group - $($groupName)" -ErrorAction SilentlyContinue -ForegroundColor Yellow
$result = [pscustomobject]@{
User=$user.DisplayName
AssignedByGroup=$true
GroupName=$groupName
GroupId=$groupId
}
$output += $result
}
else {
$result = [pscustomobject]@{
User=$user.DisplayName
AssignedByGroup=$false
GroupName="NA"
GroupId="NA"
}
$output += $result
Write-Host "$($user.DisplayName) is Not assigned by group" -ErrorAction SilentlyContinue -ForegroundColor Cyan
}
}
# Display the result
$output | ft
Directe licenties verwijderen voor gebruikers met groepslicenties
Het doel van dit script is om onnodige directe licenties te verwijderen van gebruikers die dezelfde licentie al overnemen van een groep; bijvoorbeeld als onderdeel van een overgang naar groepslicenties.
Notitie
Om ervoor te zorgen dat gebruikers de toegang tot services en gegevens niet verliezen, is het belangrijk om te bevestigen dat rechtstreeks toegewezen licenties niet meer servicefunctionaliteit bieden dan de overgenomen licenties. Het is momenteel niet mogelijk om PowerShell te gebruiken om te bepalen welke services zijn ingeschakeld via overgenomen licenties versus directe licenties. Daarom gebruikt het script een minimumniveau van services waarvan bekend is dat ze worden overgenomen van groepen om te controleren en ervoor te zorgen dat gebruikers geen onverwacht serviceverlies ervaren.
# Import the Microsoft.Graph.Users and Microsoft.Graph.Groups modules
Import-Module Microsoft.Graph.Users -Force
Import-Module Microsoft.Graph.Authentication -Force
Import-Module Microsoft.Graph.Users.Actions -Force
Import-Module Microsoft.Graph.Groups -Force
Clear-Host
if ($null -eq (Get-MgContext)) {
Connect-MgGraph -Scopes "Directory.Read.All, User.Read.All, Group.Read.All, Organization.Read.All" -NoWelcome
}
# Get all groups with licenses assigned
$groupsWithLicenses = Get-MgGroup -All -Property AssignedLicenses, DisplayName, Id | Where-Object { $_.assignedlicenses } | Select-Object DisplayName, Id -ExpandProperty AssignedLicenses | Select-Object DisplayName, Id, SkuId
$output = @()
# Check if there is any group that has licenses assigned or not
if ($null -ne $groupsWithLicenses) {
# Loop through each group
foreach ($group in $groupsWithLicenses) {
# Get the group's licenses
$groupLicenses = $group.SkuId
# Get the group's members
$groupMembers = Get-MgGroupMember -GroupId $group.Id -All
# Check if the group member list is empty or not
if ($groupMembers) {
# Loop through each member
foreach ($member in $groupMembers) {
# Check if the member is a user
if ($member.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user') {
# Get the user's direct licenses
Write-Host "Fetching license details for $($member.AdditionalProperties.displayName)" -ForegroundColor Yellow
# Get User With Directly Assigned Licenses Only
$user = Get-MgUser -UserId $member.Id -Property AssignedLicenses, LicenseAssignmentStates, DisplayName | Select-Object DisplayName, AssignedLicenses -ExpandProperty LicenseAssignmentStates | Select-Object DisplayName, AssignedByGroup, State, Error, SkuId | Where-Object { $_.AssignedByGroup -eq $null }
$licensesToRemove = @()
if($user)
{
if ($user.count -ge 2) {
foreach ($u in $user) {
$userLicenses = $u.SkuId
$licensesToRemove += $userLicenses | Where-Object { $_ -in $groupLicenses }
}
}
else {
$userLicenses = $user.SkuId
$licensesToRemove = $userLicenses | Where-Object { $_ -in $groupLicenses }
}
} else {
Write-Host "No conflicting licenses found for the user $($member.AdditionalProperties.displayName)" -ForegroundColor Green
}
# Remove the licenses from the user
if ($licensesToRemove) {
Write-Host "Removing the license $($licensesToRemove) from user $($member.AdditionalProperties.displayName) as inherited from group $($group.DisplayName)" -ForegroundColor Green
$result = Set-MgUserLicense -UserId $member.Id -AddLicenses @() -RemoveLicenses $licensesToRemove
$obj = [PSCustomObject]@{
User = $result.DisplayName
Id = $result.Id
LicensesRemoved = $licensesToRemove
LicenseInheritedFromGroup = $group.DisplayName
GroupId = $group.Id
}
$output += $obj
}
else {
Write-Host "No action required for $($member.AdditionalProperties.displayName)" -ForegroundColor Green
}
}
}
}
else {
Write-Host "The licensed group $($group.DisplayName) has no members, exiting now!!" -ForegroundColor Yellow
}
}
$output | Format-Table -AutoSize
}
else {
Write-Host "No groups found with licenses assigned." -ForegroundColor Cyan
}
Volgende stappen
Zie de volgende artikelen voor meer informatie over de functieset voor licentiebeheer via groepen: