Let’s take a look at how to manage user licenses (subscriptions) in Microsoft 365 (Azure AD) using PowerShell. We’ll show how to assign or remove a license, get statistics on assigned licenses, and enable automatic license assignment using Azure groups (group-based licensing).
You can manage Microsoft 365 user licenses on Azure Portal or with M365 Admin Center. Find a user in Azure AD and open the Licenses section. Here you can assign any of the available licenses to the user and select available products. In large companies, it is more convenient to manage Microsoft 365 licenses using PowerShell.
To connect to Microsoft 365, use the Azure AD PowerShell module:
Connect-AzureAD
You can find a list of available licenses in Azure AD -> Licenses -> All products. In our case, 25 Microsoft 365 E5 Developer licenses are available, and 9 of them are free.
Using PowerShell, you can display information about available and assigned licenses in your Azure tenant as follows:
Get-AzureADSubscribedSku | Select -Property Sku*,ConsumedUnits -ExpandProperty PrepaidUnits
SkuPartNumber is a name of a license (license plan). Enabled shows the number of licenses purchased under this plan. ConsumedUnits means the number of licenses assigned to the users.
You can use different Microsoft products under a license plan.
In our example, the only DEVELOPERPACK_E5 license plan is available in this tenant. Let’s display Microsoft 365 services available to your users.
$licenses = Get-AzureADSubscribedSku
$licenses[0].ServicePlans
The ServicePlanName column shows the names of the products available to the users with this license.
You can display information about licenses assigned to a user. Get the SkuID of the license assigned to the user and then show its name:
$SkuIDs=(Get-AzureADUser -ObjectId [email protected]| Select -ExpandProperty AssignedLicenses).SkuId
Foreach ($SkuID in $SkuIDs) {
(Get-AzureADSubscribedSku | Where {$_.SkuId -eq $SkuID}).SkuPartNumber
}
Let’s try to assign a license to a user. Prior to doing it, make sure that the location (country) is set for the user. It is mandatory, since depending on the country users may be affected by the local laws (it is especially important for Exchange Online). Set a 2-character country code in the ISO alpha-2 format.
Get-AzureADUser -ObjectId max[email protected]| Select UsageLocation, AssignedLicenses
If the country is not set or you have to change it, run the command below:
Get-AzureADUser -ObjectId [email protected] | Set-AzureADUser -UsageLocation DE
Then you can assign a license to a user:
$UserUPN="[email protected]"
$LicPlan="DEVELOPERPACK_E5"
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value $LicPlan -eq).SkuID
$assignlic = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$assignlic.AddLicenses = $License
Set-AzureADUserLicense -ObjectId $UserUPN -AssignedLicenses $assignlic
Get-AzureADUserLicenseDetail -objectid $UserUPN
You can assign a license to multiple users at once. For example, let’s assign licenses to all users in the DE region:
$LicPlan="DEVELOPERPACK_E5"
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value $LicPlan -eq).SkuID
Get-AzureADUser -Filter "UsageLocation eq 'DE'”| Set-AzureADUserLicense -AssignedLicenses $assignlic
To remove a license, use the PowerShell script below:
$userUPN="[email protected]"
$LicPlan="DEVELOPERPACK_E5"
$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$License.RemoveLicenses = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value $LicPlan -EQ).SkuID
Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $license
To display a list of unlicensed users, run this command:
Get-AzureAdUser | ForEach{ $licensed=$False ; For ($i=0; $i -le ($_.AssignedLicenses | Measure).Count ; $i++) { If( [string]::IsNullOrEmpty( $_.AssignedLicenses[$i].SkuId ) -ne $True) { $licensed=$true } } ; If( $licensed -eq $false) { Write-Host $_.UserPrincipalName} }
The following PowerShell script allows exporting the information about Azure users and licenses assigned to them into a CSV file. If no license is assigned to a user, “Not Licensed” will be specified for them in the report.
$Report = @()
$users= Get-AzureAdUser
Foreach ($user in $users) {
$SkuIDs= @()
$SkuIDs=(Get-AzureADUser -ObjectId $user.UserPrincipalName| Select -ExpandProperty AssignedLicenses).SkuId
If ($SkuIDs -ne $null) {
Foreach ($SkuID in $SkuIDs) {
$License=(Get-AzureADSubscribedSku | Where {$_.SkuId -eq $SkuID}).SkuPartNumber
$objReport = [PSCustomObject]@{
UPN = $user.UserPrincipalName
DisplayName = $user.DisplayName
Department = $user.Department
License = $License
}
$Report += $objReport
}
}
Else
{
$objReport = [PSCustomObject]@{
UPN = $user.UserPrincipalName
DisplayName = $user.DisplayName
Department = $user.Department
License = "Not licensed"
}
$Report += $objReport
}
}
$Report|Export-Csv c:\ps\aad_user_licenses.csv -Encoding UTF8 -NoTypeInformation
It is hard and time-consuming to manage user licenses individually. In Azure AD, you can bind a license to an Azure group (group-based licensing). As soon as a user is added to the group, Azure assigns them a license automatically. However, you need an Azure AD Premium P1 subscription to use this feature. Also, the Azure AD module doesn’t allow to assign a license to a group. Group licensing features are available on Azure Portal or through the Microsoft Graph API.