Microsoft 365 Licenses' Purchased values do not match our Admin portal/are not reported

Microsoft 365 Licenses' Purchased values do not match our Admin portal/are not reported

Symptoms:

On the All Licenses page or License Properties, our Purchased Entitlements are either 0 or do not match the Microsoft 365 summary of our total purchased License Entitlements.

Diagnosis:

1. On the Application Server/Beacon device running our connection, take a copy of the ProgramData\Flexera Software\Compliance\ImportProcedures\Reader\Microsoft 365\Logic.ps1 file

2. Move this to another location - for example Documents - this is to ensure this copied Logic.ps1 is not overwritten by the Application Server or Cloud

3. In the copied Logic.ps1 file (in Documents), locate the:

@{N='EntitlementCount';E={$_.prepaidUnits.Enabled}}

m365code1.png

 

line, and remove .Enabled there - you should have:

@{N='EntitlementCount';E={$_.prepaidUnits}}

Instead

m365code2.png

 

 

4. Open a Windows Powershell Administrator window - you can do this from the File > Open Windows Powershell > As Administrator button on the top-left of the File Explorer for this location

5. Enter the following into our Windows Powershell prompt:

. .\Logic.ps1
$authendpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
$tokenendpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
$redirecturl = "https://login.microsoftonline.com/common/oauth2/nativeclient"
$clientID = "5bb1a5a2-0d97-4335-9448-119f7b27aff9"
$token = Get-RefreshToken -AuthorizationEndpoint $authendpoint -TokenEndpoint $tokenendpoint -ClientID $clientID -RedirectUrl $redirecturl
Write-Output $token | Ft -autosize | out-string -width 4096 > log.txt

 

6. This should output an Access Token for Microsoft 365 to a text file in the same location for our reference - open the text file and replace 'string from text file' in the next command with our token

. .\Logic.ps1
$authendpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
$tokenendpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
$redirecturl = "https://login.microsoftonline.com/common/oauth2/nativeclient"
$clientID = "5bb1a5a2-0d97-4335-9448-119f7b27aff9"
$securetoken = ConvertTo-SecureString "string from text file" -AsPlainText -Force
Get-O365Licenses -AuthorizationEndpoint $authendpoint -TokenEndpoint $TokenEndpoint -RedirectUrl $redirecturl -RefreshToken $securetoken -ClientID $clientID > output.txt

============================================================================================

 

7. This should then run the Get-O365Licenses method from the Logic.ps1 file and send the output to an output.txt file

Solution:

In Microsoft 365, our License units can have three states:
Enabled - all is well; user access is unrestricted
Warning - user access is unrestricted, however, the subscription is expired -- this lasts for a thirty-day grace period
Suspended - Once the grace period is over, the user is not able to access any Microsoft 365 content - admins cannot assign licenses, but can access data - this can be reactivated by the global admin -- this lasts for another ninety days
Following this, the entitlement is deleted; this is no longer able to be restored or reactivated, and data begins to be deleted

Essentially, the only status where we are consuming from purchased, active entitlements is Enabled status.
When we're in warning status, our entitlement is already expired and is not therefore counted as a Purchased Entitlement in our License Summary.
Confirm against our Powershell output for the relevant License(s) here; the total of the Enabled, Suspended and Warning status Entitlements should add up to our Microsoft 365 Portal value.

m365code3.png

 

If we have 0 enabled entitlements, due to all our entitlements being in suspended or warning status, that would explain our returned value of 0 in FNMS.

Was this article helpful? Yes No
No ratings
Version history
Revision #:
1 of 1
Last update:
‎Jul 06, 2020 07:07 AM
Updated by:
 
Contributors