Managing Office 365 license (Individual Service Plans) via Identity Manager


1. Brief introduction to Office 365 licensing

Office 365 licensing is unique where it is possible to mix and match various Enterprise Plans. The common two types of plans offered are Enterprise Packaged Plans and Enterprise Individual Plans. Currently there are three different packaged enterprise plans offered which are E1, E3, and E4. The enterprise plans are prepackaged combinations of Enterprise Individual Plans. These include Lync Online, SharePoint Online, Exchange Online, and Office ProPlus. As an organization one can choose to have any combination of these plans assigned to users that best suits their business needs.

1.1 Office 365 Packaged Plan Contents

1.1.1 Office 365 Enterprise E1

E1 consists of the following Individual Enterprise Plans:

  • Lync Online Plan2

  • Exchange Online Plan 1

  • SharePoint Online Plan 1

  • Office Web Apps (view and edit)

1.1.2 Office 365 Enterprise E3

E3 consists of the following Individual Enterprise Plans:

  • Lync Online Plan 2

  • Exchange Online Plan 2

  • SharePoint Online Plan 2

  • Office Web Apps (view and edit)

  • Office ProPlus Desktop Software

1.1.3 Office 365 Enterprise E4

E4 consists of the following Individual Enterprise Plans:

  • Lync Online Plan 3

  • Exchange Online Plan 2

  • SharePoint Online Plan 2

  • Office Web Apps (view and edit)

  • Office ProPlus Desktop Software

Here is a table that provides the description of all services that are generally part of an enterprise plan.

Service plan





Mobile Device Management for Office 365




Azure Rights Management (RMS)


Office Professional Plus


Skype for Business Online


Office Online


SharePoint Online


Exchange Online Plan 2

(Note: The service plan names are not very intuitive as for example OFFICESUSBCRIPTION and MCOSTANDARD are internal programming names of Office Professional Plus and Skype for Business Online respectively.)

With that introduction to the enterprise license plans in Office 365, let us talk about a scenario where an organization has a particular enterprise license, however the business requires that not all users should have all the services that the enterprise plan entails, but only a few needed services are to be assigned for a particular employee to get his/her job done. Office 365 makes a provision for this type of license provisioning by allowing to create custom license plans via Office 365 PowerShell and assign it to users. (Discussed later in this document)

2. Examining the Office 365 license using Office 365 PowerShell

Office 365 licenses from licensing plans (also called SKUs or Office 365 plans) determine what services are available for users. Before we dwell into creating custom Office 365 licenses, let us take a step back and examine the purchased Office 365 license and the individual services that come along with it. Below are the steps to determine what services are available for an organization. We will be using Office 365 PowerShell to examine the available license.

2.1 Connect to exchange online

To connect to exchange online, from your local computer that has PowerShell installed, open Windows PowerShell and run the following command.

$UserCredential = Get-Credential

An authentication window should pop up requesting the login information. In the Windows PowerShell Credential Request dialog box, type your Office 365 user name and password (that has admin rights to licenses), and then click OK.

2.2 Create a PowerShell session

Now using New-PSSession cmdlet create a Windows PowerShell session (PSSession) which establishes a persistent connection to the remote computer.

$PSSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

2.3 Import the Powershell session

Using Import-PSSession cmdlet import commands (such as cmdlets, functions, and aliases) from a PSSession from a remote computer into the current session.

Import-PSSession $PSSession

2.4 Login to exchange online

Now that the sessions are setup and imported, initiate a connection to Office 365 by entering the below command

Connect-MSolService -credential $UserCredential

2.5 Query the available licenses

To view what one’s Account SKU IDs are run the following command:

forEach ($sku in Get-MsolAccountSku) { echo "";echo $sku; forEach ($service in $sku.ServiceStatus) {write-host `t- $service.ServicePlan.ServiceName [ $service.ProvisioningStatus ]}}

Below is a screen shot of one such query


The format of the license pack as seen above will be in the format <o365domain-name>:<license-pack>

Eg: xxxxxxxxx:ENTERPRISE

Underneath the parent license pack are the individual service licenses that come bundled.


Also to be noted next to the service licenses in the above screen shot, is a status in the bracket as either “Success or Pending Activation”. This indicates whether a particular service license is available for assignment or not. PendingActivation status indicates that a particular service that comes bundled with the license pack was not actually purchased and hence is not available for assignment. Only services that have the status as “Success” are available for assignment.

3. View of Office365 license in the portal

Here is a screen shot of the available license packs and individual licenses as seen in the Office365 administrator’s portal. This should look similar to what was seen via PowerShell.


4. Defining and using custom Office 365 licenses in PowerShell

Until now we have tried to understand the licensing options that Office365 makes available and also how we can identify the services that each pack comprises off. As explained in the beginning, the idea is to have a finer control of what specific Office365 services are to be made available for individual users. For that to happen new custom licenses can be defined and used while provisioning the licenses to users in Office365.

For the purposes of this demo the use case is to disable all other service plans except for SharePoint services.

4.1 Creating License Option

To accomplish this, a new custom license plan has to be created that defines access to only Sharepoint services. The way to go about it is by using New-MsolLicenseOptions Powershell cmdlet and leveraging its “–DisabledPlans” option, which accepts a list of services that needs to be disabled from the plan. Any services that are not provided as a value for –DisabledPlans will stay enabled when the license is assigned. Using the screen shot of the licenses in the previous sections, here is the command to create the license option


(Notice that SHAREPOINTENTERPRISE (to which access is needed) is the only one not included in the above command)

The created license option can now be used while creating/modifying the user and providing the license option.

Note that it is still required to specify the AccountSkuId to "mydomain:ENTERPRISEPACK" (via LicenseAssignment option), however using the DisabledPlans all the other service plans will be disabled, leaving SharePoint Online only enabled in the license plan.

Here is a sample PowerShell command to create a new Office365 account and using the license option created

New-MsolUser -UserPrincipalName "" -DisplayName "John Black" -FirstName "John" -LastName "Black" -UsageLocation "GB" -LicenseAssignment "mydomain:ENTERPRISEPACK" -LicenseOptions $ SharepointOnlyAssignmentOption

5. Creating custom Office 365 licenses for use in NetIQ Identity Manager Designer

NetIQ Identity manager driver for Office365 in addition to providing the capability to manage user, groups and roles in Office365, it also provides a way to easily create/manage custom Offfce365 licenses and enables very fine control of what users have access to which Office365 services.

In this section we will discuss how to go about creating new custom licenses.

5.1 Creating the Office365 driver

In an existing or a new designer IDM project, drag the office 365 driver from the palette under Enterprise category.


Follow the prompts and configure the driver

5.2 Deploy the Office365 driver

After the driver is created and configured deploy the driver to IDVAULT. Start the driver to ensure that it can connect to Office365 without any problems.

If there are problems with driver connecting to Office365 then all errors have to resolved before proceeding to the next step.

5.3 Query License entitlement

Login to RBPM/RRA and attempt to create a new sample resource. Ensure in the entitlement tab of the resource, the Office365 driver deployed above is selected. Select the License Entitlement under it, ensure “Assign entitlement values now” is selected and click the search button. Take a look at the default values for the entitlements that are retrieved by querying Office365 by the driver. This list of values depends on what enterprise packages are available for your organization.


5.4 Define custom license in Identity Manager driver

Edit the properties of the Office365 driver in designer. Go to Driver Properties à Driver Configuration à Driver Parameters à Subscriber Options in designer. Under Office365 License Options Settings, click the button


(Note: The demo custom license definition shown below is to provide access to SharePoint Services only)

  • In designer, for the custom license name enter a friendly name that uniquely identifies the purpose of the license.

  • For the services to be disabled, copy the same comma separated line from the previous section and paste it here. (Note: Copy is being performed in this step because for this demo, the same use case is being used as discussed before. This string will be different for different Enterprise package plans and enterprise plans depending on your own enterprise license and the purchased service plans.)

6Save and deploy the changes

5.5 Start the Identity Manager driver

Restart the driver and carefully examine the Office365 driver’s remote loader trace (trace level has to be 5 and above). The following trace log confirms that the license entitlement value was successfully initialized.


TRACE:SUB: Created custom license for Office365 - xxxxxxx:ENTERPRISEPACK(SharepointOnly)

5.6 Perform code-map refresh

Login to RBPM as admin user and access the Roles and Resources section. In the left side pane select “Configure Roles and Resources settings” à Entitlement Query Settings à Refresh Status and click the refresh button when the status is “Not Running”. Allow sometime for the code-map refresh to run and finish.

5.7 Examine custom license entitlement in RBPM

Access “Roles and Resource tab” --> Resource Catalog --> New (to create a new resource) --> Give it a name to easily identify its purpose and save it.

Click on the newly created resource and select the entitlement tab --> Click the search button --> From the list of drivers select the Office365 driver --> Select the License Entitlement.


Click OK. Select “Assign entitlement values now” check box and click the search button

8Select the new custom entitlement created and click add. Click save to save the resource configuration. Once this is done the resource can be assigned to the users either directly or via roles.

That concludes the creation of custom licenses. This is the same procedure that should be used to add more than one custom licenses for Identity Manager Driver to handle license provisioning.


How To-Best Practice
Comment List
  • Licensing in Office365 is notoriously annoying and frustrating, be wary you might run into issues with multiple license assignments which conflict with each other. In the environment I run, I have multiple types defined in a mapping table (as I don't use the Office 365 driver, instead a Null driver calls python scripts to hit the Azure AD API), say standardOffice which is the customised pro plus license for my environment which has the appropriate enabled and disabled plans for that license, we also have another one called ProjectAndStandard as we have users who use Project online.
    Assigning Project online is not straightforward, both office pro plus and project use different instances of a sharepoint license (sp1 for proplus and sp2 for project in this example). When ProPlus is assigned SP1 has to be enabled in your license assignment in order to see the online app icons on the home page (, when Project is assigned also - SP1 must be disabled for the Proplus license (it will make more sense if i could paste a picture) and SP2 must be enabled on the Project license in order for project and all the office apps to be visible on the home page ... one of those caveats of Office 365 unfortunately.