Covering Microsoft 365 License Management Basics
Updated 11-Jul-2023 for Microsoft Graph PowerShell SDK V2
Microsoft’s revised schedule to retire the AzureAD and Microsoft Online Services (MSOL) PowerShell modules gives tenant administrators a little extra time to upgrade scripts before support ceases on March 30, 2024. Time is slipping away to inventory and update license management scripts.
Microsoft’s suggests that tenant use cmdlets from the Microsoft Graph PowerShell SDK to replace those from the two deprecated modules. I show how to approach using the SDK for license management in an example which creates a licensing report for a tenant. It’s evident from the questions I received since and what I see in internet searches that the basics of license assignment and removal needs more discussion and examples, which is what I attempt here.
To start off, connect to the Microsoft Graph using the Connect-MgGraph cmdlet. You need to sign into an administrator account with at least the Directory.Read.All permission to have full access to license information.
$RequiredScopes = @(Directory.AccessAsUser.All, Directory.ReadWrite.All) Connect-MgGraph -Scopes $RequiredScopes -NoWelcome
Assign a New Microsoft 365 License
The most basic operation is to assign a license to a user account using the Set-MgUserLicense cmdlet. You need to know:
- The UPN or object identifier of the target account.
- The SKU identifier of the product you wish to license for the account. The Get-MgSubscribedSku cmdlet returns the set of products the tenant has subscriptions for (now or at some time in the past). See the article about creating a licensing report for information about how to use this data.
Equipped with this information, we can assign a license. In this case, we’re assigning a Viva Topics license (the SkuID is 4016f256-b063-4864-816e-d818aad600c9).
Set-MgUserLicense -UserId "John.West@Office365itpros.com" -Addlicenses @{SkuId = '4016f256-b063-4864-816e-d818aad600c9’} -RemoveLicenses @()
Note that you must pass a null array in the RemoveLicenses parameter. This applies even if you don’t want the command to remove any licenses.
Table 1 lists some reasons why a license assignment will fail.
Reason | Example error |
No licenses for the specified product are available. | Subscription with SKU 26d45bd9-adf1-46cd-a9e1-51e9a5524128 does not have any available licenses. |
The license is unknown in the tenant (a subscription for the license has never existed). | License e82ae690-a2d5-4d76-8d30-7c6e01e6022e does not correspond to a valid company License. |
An invalid identifier for a service plan in a compound license is specified. | Service plan 2078e8df-cff6-4290-98cb-5408261a760a for license 26d45bd9-adf1-46cd-a9e1-51e9a5524128 is not valid. |
Attempt to remove a license from an account that it doesn’t have. | User does not have a corresponding license. |
If the Set-MgUserLicense cmdlet doesn’t report an error, the license assignment worked (or you attempted to assign a license to an account which it already had). To check, run the Get-MgUser cmdlet to examine the AssignedLicenses property for the account.
Get-MgUser -UserId John.West@Office365itpros.com -Property Id, displayName, assignedLicenses | Select -ExpandProperty AssignedLicenses DisabledPlans SkuId ------------- ----- {} 4016f256-b063-4864-816e-d818aad600c9
Assigning Compound Licenses
Microsoft 365 products can cover a single piece of functionality (like Viva Topics) or they can be a compound product/SKU where a single license covers multiple service plans. Each service plan allows the user to access specific functionality, like Yammer or Planner. Office 365 E3 and E5 are examples of compound SKUs. Microsoft publishes full details of the service plans included in compound SKUs online.
You can assign a license for a compound SKU and remove access to one or more service plans to deny access to that functionality. Educational establishments often do this to limit access to features that they don’t want students to use.
In this example, we assign an Office 365 A1 (student) license to an account with several disabled service plans. The license information is held in a hash table, which is then passed in the AddLicenses parameter for the Set-MgUserLicense cmdlet. Hash tables are commonly used to pass information to SDK cmdlets. The hash table defines:
- The SKU identifier of the compound license (SkuId).
- A list of the identifiers for the service plans to disable (DisabledPlans). This includes Teams (57ff2da0-773e-42df-b2af-ffb7a2317929), Yammer for Education (2078e8df-cff6-4290-98cb-5408261a760a), and Exchange standard (9aaf7827-d63c-4b61-89c3-182f06f82e5c).
$StudentLicenseOptions = @{SkuId = "e82ae690-a2d5-4d76-8d30-7c6e01e6022e"; DisabledPlans = @("57ff2da0-773e-42df-b2af-ffb7a2317929", "2078e8df-cff6-4290-98cb-5408261a760a", "9aaf7827-d63c-4b61-89c3-182f06f82e5c")} Set-MgUserLicense -UserID John.West@Office365itpros.com -AddLicenses @($StudentLicenseOptions) -RemoveLicenses @()
Another way of passing the information is to create an array for the service plans you want to disable. In this example, we assign an Office 365 E3 license and disable the Sway and Yammer service plans:
$DisabledServicePlans = @("a23b959c-7ce8-4e57-9140-b90eb88a9e97", "7547a3fe-08ee-4ccb-b430-5077c5041653”) $Office365E3Sku = “6fd2c87f-b296-42f0-b197-1e91e994b900” Set-MgUserLicense -UserId John.West@Office365itpros.com -AddLicenses @{SkuId = $Office365E3Sku; DisabledPlans = $DisabledServicePlans} -RemoveLicenses @()
Running Get-MgUser to examine the assigned licenses reveals the disabled service plans.
Get-MgUser -UserId John.West@Office365itpros.com -Property Id, displayName, assignedLicenses | Select -ExpandProperty AssignedLicenses DisabledPlans SkuId ------------- ----- {a23b959c-7ce8-4e57-9140-b90eb88a9e97, 7547a3fe-08ee-4ccb-b430-5077c5041653} 6fd2c87f-b296-42f0-b197-1e91e994b900 {} 4016f256-b063-4864-816e-d818aad600c9
Another way to see the licenses assigned to an account is with the Get-MgUserLicenseDetail cmdlet:
Get-MgUserLicenseDetail -UserId John.West@Office365itpros.com | fl Id : PzFitvwUokOaetLif080eFbyFkBjsGRIgW7YGKrWAMk ServicePlans : {GRAPH_CONNECTORS_SEARCH_INDEX_TOPICEXP, CORTEX} SkuId : 4016f256-b063-4864-816e-d818aad600c9 SkuPartNumber : TOPIC_EXPERIENCES AdditionalProperties : {} Id : PzFitvwUokOaetLif080eH_I0m-WsvBCsZcekemUuQA ServicePlans : {VIVA_LEARNING_SEEDED, Nucleus, ContentExplorer_Standard, POWER_VIRTUAL_AGENTS_O365_P2...} SkuId : 6fd2c87f-b296-42f0-b197-1e91e994b900 SkuPartNumber : ENTERPRISEPACK AdditionalProperties : {}
The disabled service plans are not obvious in the listing, but we can see them by running:
Get-MgUserLicenseDetail -UserId John.West@Office365itpros.com | ? {$_.SkuId -eq "6fd2c87f-b296-42f0-b197-1e91e994b900"} | Select-Object -ExpandProperty ServicePlans
Removing Licenses
To remove licenses, include the license identifiers in an array and pass the array in the RemoveLicenses parameter. This example command removes the two licenses we assigned earlier.
[array]$LicensesToRemove = "4016f256-b063-4864-816e-d818aad600c9", “6fd2c87f-b296-42f0-b197-1e91e994b900” Set-MgUserLicense -UserId "John.West@Office365itpros.com” -RemoveLicenses $LicensesToRemove -AddLicenses @()
To remove all licenses from an account, create an array of license identifiers from the current set of licenses from the account and pass it as the value of the RemoveLicenses parameter:
$User = Get-MgUser -UserId John.Wilson@office365itpros.com -Property Id, DisplayName, assignedLicenses [array]$Licenses = $User.assignedLicenses.SkuId Set-MgUserLicense -UserId $User.Id -RemoveLicenses $Licenses -AddLicenses @()
Set-MgUserLicense cannot remove a license from an account if the assignment is via group membership.
Assigning Multiple Licenses in One Operation
To add multiple Microsoft 365 licenses in a single operation, create a hash table containing details of the licenses to add and pass the hash table in the BodyParameter parameter for Set-UserMgLicense instead of using the AddLicenses parameter.
$LicenseParams = @{ AddLicenses = @( @{ DisabledPlans = @() SkuId = "4016f256-b063-4864-816e-d818aad600c9" } @{ DisabledPlans = @() SkuId = "a403ebcc-fae0-4ca2-8c8c-7a907fd6c235" } ) RemoveLicenses = @( ) } Set-MgUserLicense -UserId John.West@office365itpros.com -BodyParameter $LicenseParams
As before, you can disable service plans when you assign licenses. In this example, we assign licenses for Enterprise Mobility and Security (EMS) E5 and Viva Topics and disable the Intune plan included in EMS E5.
$LicenseParams = @{ AddLicenses = @( @{ DisabledPlans = @("c1ec4a95-1f05-45b3-a911-aa3fa01094f5") SkuId = "b05e124f-c7cc-45a0-a6aa-8cf78c946968" } @{ DisabledPlans = @() SkuId = "4016f256-b063-4864-816e-d818aad600c9" } ) RemoveLicenses = @( ) } Set-MgUserLicense -UserId John.West@office365itpros.com -BodyParameter $LicenseParams
The same technique can remove multiple licenses in one operation. This command removes the licenses for Power BI (standard) and Viva Topics:
$LicenseParams = @{ AddLicenses = @() RemoveLicenses = @( "a403ebcc-fae0-4ca2-8c8c-7a907fd6c235" "4016f256-b063-4864-816e-d818aad600c9" ) } Set-MgUserLicense -UserId John.West@office365itpros.com -BodyParameter $LicenseParams
You can combine license assignments and removals in a single command by populating the appropriate data in the hash table.
Finding Users with Licenses
To find accounts assigned a specific license, use a filter with a lambda operator with Get-MgUser. This command finds users assigned an Office 365 E3 license:
Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq 6fd2c87f-b296-42f0-b197-1e91e994b900)" -All
Another way is to find all tenant accounts and filter against the AssignedLicenses property:
[array]$AllUsers = Get-MgUser -Filter "UserType eq 'Member'" -All -Property Id, assignedLicenses, UserPrincipalName, DisplayName [array]$Office365E3Users = $AllUsers | Where-Object {$_.AssignedLicenses.SkuId -contains "6fd2c87f-b296-42f0-b197-1e91e994b900"} Write-Host (“You have {0} tenant accounts and {1} have Office 365 E3 licenses.” -f $AllUsers.Count, $Office365E3Users.Count)
Being able to search for Microsoft 365 license assignments means that we can create a simple licensing report by looping through the subscribed licenses in the tenant and retrieving the set of accounts which hold each license.
[array]$Skus = Get-MgSubscribedSku | Select SkuId, SkuPartNumber, ConsumedUnits $Report = [System.Collections.Generic.List[Object]]::new() ForEach ($Sku in $Skus) { $Command = 'Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq ' + $Sku.SkuId + ')" -All' [array]$SkuUsers = Invoke-Expression $Command $ReportLine = [PSCustomObject][Ordered]@{ Sku = $Sku.SkuId Product = $Sku.SkuPartNumber 'Consumed Units' = $Sku.ConsumedUnits 'Calculated Units' = $SkuUsers.Count 'Assigned accounts' = $SkuUsers.UserPrincipalName -Join ", " } $Report.Add($ReportLine) } # End ForEach $Report | Sort-Object Product | Out-GridView
The result is shown in Figure 1.
The Same but Different
Managing Microsoft 365 licenses for Entra ID user accounts using the Microsoft Graph PowerShell SDK follows the same principles as before. Accounts receive product licenses, some of which allow access to multiple service plans. Individual service plans can be disabled. Cmdlets exist to assign and remove licenses, and you can assign or remove multiple licenses in a single operation. The cmdlets and syntax are different, but it shouldn’t be a huge task to move from older MSOL and AzureAD cmdlets to embrace the new paradigm.
Thank you for your examples, Tony. I am trying to find the best way to export SKU, UPN, Display Name, and Department to one CSV file, but no amount of manipulation gives me the right results. Do you know of the best method to achieve this?
Hi Tony,
I have seen a lot of examples of how to assign skus and disable service plans, I am yet to see an example on how to enable disabled service plans. I can’t seem to get the right syntax for it.
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
When you run Set-MgUserLicense to disable service plans for a license, you pass two values in a hash table to the AddLicenses parameter. One is the product (SKU) id for the license, the other is an array of disabled service plans. To reenable a service plan, run Set-MgUserLicense again after removing its service plan identifier from the array of disabled service plans. All explained in detail in the Office 365 for IT Pros eBook (;-)
Tony, I have looked high and low and cannot find a command that says if you have both SkuId X and SkuId Y assigned to your account, remove the Y license. Is this possible with Graph? Just to clarify, we recently got Microsoft 365 E3 licenses and assigned them via groups. I need to go back and remove the Exchange Online Plan 2 license from their account. Doing this with Graph would probably be the best way to do it, but I can’t seem to find the right commands for it. It may not even be possible but it probably is. Have you seen this type of scenario before?
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Seems straightforward enough. Find the users with the Microsoft 365 E3 licenses (SKUId = 05e9a617-0261-4cee-bb44-138d3ef5d965) and check each account to see if they have a separate Exchange Online Plan 2 license (SKUId = 19ec0d23-8335-4cbd-94ac-6050e30712fa). If true, remove the Exchange Online Plan 2. Is that what you want to do?
That’s what I am looking for, so i can do this for 2000 or so users.
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Should be quick and easy.
Run Get-MgUser to find the users with the Microsoft 365 E3 license.
ForEach user check the AssignedLicenses property to see if Exchange Online Plan 2 is present.
If it is, run Set-MgUserLicense to remove the Exchange Online license.
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
And I am literally running out of the house to the airport else I would write the code… But it is simple enough. You might want to add some logging etc. to track the removals of the licenses. Remember to stop paying Microsoft for the Exchange Online P2 licenses!
I will see if I can figure out how to write this. hopefully with some whatif statements! Thanks!
I remembered that I wrote this article https://practical365.com/switch-microsoft-365-licenses/ about approximately the same situation. Perhaps it will help.
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Did you get your licenses reassigned?
I am working on that now! This is a script I wrote that pulls the userid’s from a CSV file. I did it this way because I can run a report to show who has the E3 and the Exchange Online Plan 2 license, and I know for certain I am pulling an EP2 license away from an E3. You just put the userid’s in the CSV file, with the first line being called UserId, and all the lines below are the UPN’s of the users that you want to remove the license from. Not as complex of a script like yours but hey it works!
$users= Import-Csv “C:\temp\userlist.csv”
$ep2Sku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq ‘EXCHANGEENTERPRISE’
foreach ($user in $users)
{
Set-MgUserLicense -UserId $user.userid -RemoveLicenses $ep2Sku.SkuId -AddLicenses @()
}
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Whatever works… works… that’s the beauty of PowerShell.
I appreciate the help!
Why not simply show how to script the removal of a single or all lics assigned to a departed user?
Here is how I do this using MSOL:
$upn = “someupn” #this is trivial
(get-MsolUser -UserPrincipalName $upn).licenses.AccountSkuId |
foreach-object{
Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $_
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
}
This used to work like a charm before Graph.
does anyone here know how to do the exsact same action using Mg-GRaph?
Thanks
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
It’s even easier to remove all the licenses from a user account using the Graph SDK. I’ve updated the post to show how.
Hello Tony,
I find myself in a somewhat complicated situation at my company, and I believe your expertise could be very helpful. We regularly need to make license changes in Microsoft 365, for example, switching from an EOP2 to an M365 E3. The main challenge is managing services during these transitions.
To give you a clearer picture, consider this example: a user currently has the ENTERPRISEPACK license with the BPOS_S_TODO_2 service active. When changing their license to ENTERPRISEPREMIUM, I want to ensure that the equivalent service in the new license remains active, which in this case would be BPOS_S_TODO_3.
Although I can set up a logic to handle these changes based on service nomenclature, this method isn’t entirely accurate or reliable. I wonder if you know of any more robust and precise solution to maintain the equivalence of activated or deactivated services when switching between different Microsoft 365 licenses.
Any guidance or suggestion you could provide would be immensely appreciated.
Thank you for your time and help.
Nick Castle
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Interesting question. It should be possible to compare the set of service plans for the original SKU with those for the new SKU and figure out matching plans. After that, it’s a matter of making sure to disable the correct service plans when assigning the new license to make sure that you end up with equivalence. I’ll think about this a bit more and see if I can do any better.
Hi Tony,
Thanks for the script that is bit helpful to move from MSOL to Graph. I have only one difficulty, how do I get total license count by MS Graph (Previously called “ActiveUnits” in MSOL) ? From your script I can get ConsumedUnits but how do I get ActiveUnit count ? Actually we have Report License script that runs based on MSOL and sends us a report of every product’s name, total license count and consumed unit count – facing difficulity with Graph to get it.
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You mean like the code explained in https://office365itpros.com/2023/07/06/microsoft-365-subscriptions-ps/?
Wow, Thanks a ton, Tony. I Appreciate your quick response. Your referred link solved my issues with the report. I was actually after this below two lines –
ActiveUnits = $Sku.PrepaidUnits.Enabled
WarningUnits = $Sku.PrepaidUnits.Warning
Thank you very much once again. I am converting our legacy MSOL scripts into Graph but as I am not that expert I may come back again for help. Thank you very much.
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Amazing what you can find on the internet 😉
can you give the github link to this script
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
There is no link. There are only code examples.
Hey i need to assign licenses to multiple users , using csv,can give me the scripts for that
Whatever happened to the “new license management platform” announced by Alex Simonds here:
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366
in which he says: “Group licensing will be extended. In the new licensing platform, Azure AD Premium or Office 365 E3 will no longer be required to use group-based licensing for license assignments”
?
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I asked Alex Simons about this recently. The answer from his team is that work is still ongoing to finalize the new product license management platform. When that’s done, they’ll remove the P1 requirement.
I have a script that pulls from a csv file where I create temp student accounts. I have the script create the account, then change the password, then add office license, then add PBI license. During each license phase assignment every piece of meta information about the account that was assigned a license is displayed. So, student 1 -10 shows me each account meta info and it happens twice since it runs through assigning one license then the other. Below is a snippet of the PBI assignment section (other license assignment section is the same). Looks the same as above in article other than the throttle control statement. Why would all that info be show after each assignment?
#Add Office License
$batchCount = 0
Import-Csv -Path .\PbiXX.csv |
ForEach-Object {
if ($batchCount -eq $batchSize){
Start-Sleep -Seconds $wait
$batchCount = 0
}
Set-MgUserLicense -UserId “$($_.FirstName)@pbiclass.com” -Addlicenses @{SkuId = ‘3b555118-da6a-4418-894f-7df1e2096870’} -RemoveLicenses @()
$batchCount++
}
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Do you mean that you don’t want to see the Set-MgUserLicense cmdlet output anything? If so, just assign the output to a variable:
$Status = Set-MgUserLicense -UserId “$($_.FirstName)@pbiclass.com” -Addlicenses @{SkuId = ‘3b555118-da6a-4418-894f-7df1e2096870’} -RemoveLicenses @()
BTW, I cover bulk assignment in https://practical365.com/bulk-license-assignment-with-the-microsoft-graph-powershell-sdk/
Hi,
when I use this command:
Set-MgUserLicense -UserId $user.Id -AddLicenses $addLicenses -RemoveLicenses @()
I have this error:
Set-MgUserLicense : License assignment failed because service plans 63038b2c-28d0-45f6-bc36-33062963b498,0a4983bb-d3e5-4a09-95d8-b2d0127b3df5 are mutually exclusive Status: 400 (BadRequest)
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
What’s in $AddLicenses?
What licenses are you attempting to assign?
Hola Tony, una pregunta, como puedo asignar un único tipo de licencia a un listado CSV, tendrás ese ejemplo ? agradezco el apoyo.
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I’ve just written a script to read users in from a CSV to assign licenses. I need to add some error handling and I will post the results in an article soon.
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
https://practical365.com/bulk-license-assignment-with-the-microsoft-graph-powershell-sdk/ is what you need.
Great article! No questions here… everything worked as described. You’re my new hero!
Hi Tony, I’m trying to remove licenses for bulk deleted users, can you help if you have written something?
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I just deleted a user account by running Remove-MgUser. The license was removed from the account. Why do you think you need to remove licenses from bulk-deleted users?
Hi Tony, When I checked the deleted users in admin portal I see licenses are tagged against that deleted user hence came the thought, is this expected behavior if you know?
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Licenses are noted for deleted accounts so that Microsoft 365 can reassign the license to an account if it is restored. However, once an account is deleted, any licenses it had prior to deletion are available for reassignment.
Hi Tony,
Can you help me here with error below.
My command.
$CSV = Import-CSV -Path C:\Temp\users5.csv #-Delimiter “;”
ForEach ($Users in $CSV)
{
Set-MgUserLicense -UserId $User.UserId -AddLicenses @{SkuId = ‘c1821944-af26-46d5-ae15-4f65450761cc_66b55226-6b4f-492c-910c-a3b7a3c9d993’} -RemoveLicenses @()
}
Here’s the error
Set-MgUserLicense : Cannot convert the literal ‘c1821944-af26-46d5-ae15-4f65450761cc_66b55226-6b4f-492c-910c-a3b7a3c9d993’ to the expected type ‘Edm.Guid’.
Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2023-07-28T19:41:51
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 3073e24e-5de4-4928-b509-116c8d0c96d8
client-request-id : e084dd65-ea84-4cb4-8044-9b666aed98bf
x-ms-ags-diagnostic : {“ServerInfo”:{“DataCenter”:”South Central US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”004″,”RoleInstance”:”SA2PEPF0000110C”}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Fri, 28 Jul 2023 19:41:50 GMT
At line:7 char:1
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
The SKU id that you’re trying to use is not a valid GUID (it’s too long). Where did you get it?
Hello,
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = “*”
$st.State = “Enforced”
$sta = @($st)
Update-MgUser -UserId $line.username -StrongAuthenticationRequirements $sta
I used the above command to enable MFA after creating the account. Please, how can I do it using Update-MgUser?
Thank you,
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You can’t enforce MFA using the Update-MgUser cmdlet. This is an acknowledged gap with the Graph (add your comments at https://feedbackportal.microsoft.com/feedback/idea/9b1b2216-9ab2-ed11-a81b-002248519701).
Microsoft knows this is an API parity issue and will fix it in time. In the interim, continue using the MSOL cmdlet or (better) enforce MFA using a conditional access policy.
I having issues adding BULK license. How do I do that?
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You don’t give enough detail in your question to allow any sort of a reasonable response.
In general, if you want to assign licenses to several accounts, you’d loop through each account and add the license to the account.
Great article! This is extremely helpful, but how you would pull when a license was assigned to an individual? Thanks!
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
That information isn’t kept with the license data for an account. It is captured in Azure AD “update user” records and you could search for those events in either Azure AD or the Unified audit log and report license assignments that way.
Hello, I am very new to Graph and am having an issue working with Bulk License removals from a CSV user list.
In the CSV (header “Users” and the UPNs under) i have the UPN of the users. This is what i am trying to do.
$Users = Import-csv “C:\Removals\removal_audioconferencing.csv”
$SkuToRemove = “0c266dff-15dd-4b49-8397-2bb16070ed52”
$users |ForEach-Object {Set-MgUserLicense -UserId $Users.id -RemoveLicenses $SkuToRemove -AddLicenses @()}
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Do you have the user identifier in the CSV?
Also, $Users.Id refers to the set of values in the Id property of the $Users array.
Maybe try:
ForEach ($User in $Users) {
Set-MgUserLicense -UserId $User.Id -RemoveLicenses $SkuToRemove -AddLicenses @() }
No the only entry in the CSV is the UPN –
Basically i am doing a dump to CSV for the licensed users and want to use that CSV to inject the UserID. Does that need to be the ID now instead of the UPN?
I can use the UPN for a single removal with Set-MgUserLicense -UserId “user@domain.com” -RemoveLicenses @($MCOMEETADV.SkuId) -AddLicenses @{}
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
What’s the column name? Is it ID or something else? Whatever it is, you need to reference the column name in what you feed to Set-MgUserLicense (the identity used can be either the UPN or the object identifier). For instance, if the column name is Id, then it’s Set-MgUserLicense -UserId $User.Id, if it’s UPN, then it’s Set-MgUserLicense -UserId $User.UPN.
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
If there’s only one value per user in the CSV, then this should work:
ForEach ($User in $Users) {
Set-MgUserLicense -UserId $User -RemoveLicenses $SkuToRemove -AddLicenses @() }
That was it Thanks a Bunch!
Hi, Tx for this great read.
What about getting the licenses including the commitment term (NCE) Year/Month.
Hi Tony,
You provide examples of disabling service plans when assigning licenses. How about an example of a script that ENABLES service plans that the user currently has disabled?
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Geez… I have to leave something out that forces people to buy the Office 365 for IT Pros eBook!
In any case, simply omit the service plan identifier from the list of identifiers passed in the DisabledPlan element, and run Set-MgUserLicense again. I just did this by removing a service plan from the $DisabledServicePlans variable shown below and running the command. The removed service plan is reenabled because it is part of the Office 365 E3 product.
$DisabledServicePlans = @(“7547a3fe-08ee-4ccb-b430-5077c5041653”)
Office365E3Sku = “6fd2c87f-b296-42f0-b197-1e91e994b900”
Set-MgUserLicense -UserId Terry.Hegarty@Office365itpros.com -AddLicenses @{SkuId = $Office365E3Sku; DisabledPlans = $DisabledServicePlans} -RemoveLicenses @()
I read this comment, and I went and looked at the book (https://office365itpros.com/book-versions-and-prices) and I do not see how or why anyone that does anything more than casual scripting for Office 365 would NOT have this book.
I bought mine! Did not even know you had this out there, I came here for the food…wait…the need to answer a Microsoft Graph and Powershell question for something I was working on…no answer here, but some hints and clues got me there.
Just in case you’re the curios type Tony, Invoke-MgReplyUserMessage is where I landed eventually, and I figured it out, but I still want to know more about this than what I can find about this as well as the other Powershell Graph message send cmdlets (or API wrappers) – like what in the heck is the difference between the message body param and comment!!!!?
Anyway, thanks for the posts here, been following your public posts for a dang long time…makes me feel old long time! end of NT 3.51 and start of NT 4 days…ouch…that hurt to type!
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Thanks Daniel. The Office 365 for IT Pros eBook has been around since 2015 and is updated monthly. We just issued monthly update #104. PowerShell is the largest chapter at some 142 pages.
I must admit that Invoke-MgReplyUserMessage is not a cmdlet I am familar with. But like many of the SDK cmdlets, finding out how to use it is a matter of starting with the underlying Graph API and understanding how it has transitioned to a PowerShell cmdlet. That usually helps to identify what parameters are and how they should be passed. In many cases, it ends up as a hash table with keys and values.
And I have been writing about technology for a very long time. I think the first magazine article I had published was in 1986…
Well I could share my script, but it would look horrible here without your authoring tools to clean up the code 🙂
I had >48K email messages that required a somewhat personal and individual reply. I also had to include the original message in the body of the reply as well as an acknowledgement of the specific time that message was received.
Also had to reply to them in the order they were received – oldest first to newest last.
Invoke-MgReplyUserMessage in PowerShell clearly does some of the heavy lifting for you – recipient = sender of source message and copy of sent message automatically dropped in the sent items folder: As long as you use the comment instead of the arduous task of building out the message body param, your reply automatically:
1) Will be sent in HTML format.
2) Includes original message in reply message body.
The comment can be built out in a variable hash table with HTML4 tags or HTML5 inline CSS and then have that variable = that variable piped to Out-String…now comment: $var and your message body is done.
I am not a true developer, so I find looking at the SDK API documentation hard to marry back to PowerShell unless they help me – like the REST API “message: reply” page (https://learn.microsoft.com/en-us/graph/api/message-reply?view=graph-rest-1.0&tabs=powershell) shows several code language examples, the syntax shown typically is hint enough for me to go digging, but figuring out how in the world which PowerShell cmdlet does which thing(s) in the Microsoft Graph API is challenging sometimes.
Digging into the PowerShell command yielded little results. Even my long dear friend – I kid you not, this guy knows everything – Google, was stumped 🙂
The Real Person!
Author Tony Redmond acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
We’re still in the early days of the Graph and finding examples for little used cmdlets derived from Graph APIs will always be difficult to find. Documentation is getting better, but solid examples covering all situations are still not available.