The final piece of our puzzle is provisioning of Office 365 Education (o365) automatically. To recap, we started out by using Moodle as the directory reference, modified Moodle plugin called Configurable Reports to synchronize Moodle user accounts to our LDAP server, and used Google Cloud Directory Sync (GCDS) to provision Google accounts from our LDAP server.
Microsoft does not have the equivalent of Google’s GCDS which is a great pity. In general it has been very painful to deal with directory synchronization with Microsoft. I used a very useful SAML App provided by Google to do this. Here is the documentation for this App. I finally got the SSO to work by federating my custom domain even though it was a huge pain.
Federating domains is explained in this post.
Provisioning doesn’t assign licenses though. So you have to still assign licenses outside of the SAML App. While you can do this from the office.com admin panel it is convenient to do this using a powershell script (I did this on a Windows 10 machine):
# Open MS Azure AD Module for Windows Power Shell on your Windows 10 machine
# The next command connects to your Windows Office 365 admin login
# Enter your email and password for your non-federated domain ADMIN account
# Don’t use your admin account on your federated domain, because of SSO
Connect-MsolService
#
# Now get your account SKU ID
Get-MsolAccountSku
# set variable to correct SKU ID obtained from step above. Only use 1st part.$acctSKU = "get information derived from above step "
#
# Get all unset accounts and set their location to IN
#$AllIn = Get-MsolUser -All | where {$_.UsageLocation -eq $null}; $AllIn | foreach {Set-MsolUser -ObjectId $_.ObjectID -UsageLocation "IN"}
#
# Get all unlicensed users into an object
#$AllUn = Get-MsolUser -All -UnlicensedUsersOnly
#
# Set the services to be disabled for all users to whom licenses need to be issued per your need
#$LO = New-MsolLicenseOptions -AccountSkuId $acctSKU -DisabledPlans "EXCHANGE_S_STANDARD", "BPOS_S_TODO_2","STREAM_O365_E3","Deskless","FLOW_O365_P2","POWERAPPS_O365_P2","RMS_S_ENTERPRISE","OFFICE_FORMS_PLAN_2","SWAY","INTUNE_O365","YAMMER_EDU"
#
#Assign licenses to the unlicensed with the disable services also specified
#$AllUn | ForEach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $acctSKU -LicenseOptions $LO}
If we wish to assign a new license, say add Yammer, we need to modify the license options, remove licenses from