In the previous article, we did create an Office 365 tenant. In this step by…
Remove direct assigned licenses for users with group licenses
Organizations should use group-based licensing rather than directly assign licenses to the user. The reason is that it will keep everything organized, it’s easier to troubleshoot when there are license errors, and to maintain. What if you have directly assigned licenses and group-based licenses assigned to users? In this article, you will learn how to remove direct assigned licenses from Microsoft 365 users with group licenses.
Table of contents
Before you start
Do you want to export all the users and their assignment paths? Read the article Check Microsoft 365 user license is direct assigned or inherited from group.
Note: To ensure that users do not lose access to services and data, it is important to confirm that directly assigned licenses do not provide more service functionality than the inherited licenses. It is not currently possible to use the Microsoft Entra admin center or PowerShell to determine which services are enabled through inherited licenses versus direct licenses when removing a license.
Remove direct assigned license in Microsoft Entra admin center
To remove the direct assigned license for the users that have inherited group-based licensing in Microsoft Entra admin center, follow the below steps:
- Sign in to Microsoft Entra admin center
- Expand Identity > Billing > Licenses
- Click All products
- Click the Microsoft product name
- Check in the column Assignment Paths if the user is direct assigned, inherited from a group, or has both applied
- Select the User(s) that have both the assignment paths Direct and Inherited
- Click Remove license
- Click Yes
- Give it a couple of seconds and click on the Refresh button in the toolbar
- Verify that only Inherited appears in the Assignment Paths column for the user(s)
If you have a small organization, you can select all the users and remove the direct license. But if you have thousands of users, this can take a lot of time.
That’s when PowerShell comes to the rescue. Let’s look at that in the next part.
Remove direct assigned licenses with PowerShell
To bulk remove the direct assigned license for the users that have inherited group-based licensing with PowerShell, follow the below steps:
Step 1. Install Microsoft Graph PowerShell
Run Windows PowerShell as administrator and Install Microsoft Graph PowerShell.
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.
Step 2. Prepare Remove-DirectLicense PowerShell script
Create two folders on the (C:) drive:
- Temp
- Scripts
Download the Remove-DirectLicense.ps1 PowerShell script and place it in C:\scripts folder. The script will export the CSV file to the C:\temp folder.
Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.
Another option is to copy and paste the code below into Notepad. Give it the name Remove-DirectLicense.ps1 and place it in the C:\scripts folder.
<#
.SYNOPSIS
Remove-DirectLicense.ps1
.DESCRIPTION
The script will remove unnecessary direct licenses from Microsoft 365 users who already inherit the same license from a group.
For example, as part of a transition to group-based licensing. The script will output the results on the console and export it to CSV file.
.LINK
https://www.alitajran.com/remove-direct-assigned-licenses-for-users-with-group-licenses/
.NOTES
Written by: ALI TAJRAN
Website: www.alitajran.com
LinkedIn: linkedin.com/in/alitajran
.CHANGELOG
V1.00, 03/31/2024 - Initial version
#>
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Directory.Read.All, User.ReadWrite.All, Group.Read.All, Organization.Read.All"
# Get all groups with licenses assigned
$groupsWithLicenses = Get-MgGroup -All -Property AssignedLicenses, DisplayName, Id | Where-Object { $_.assignedlicenses } |
Select-Object DisplayName, Id -ExpandProperty AssignedLicenses
$output = @()
# Check if there is any group that has licenses assigned or not
if ($null -ne $groupsWithLicenses) {
# Loop through each group
foreach ($group in $groupsWithLicenses) {
# Get the group's licenses
$groupLicenses = $group.SkuId
# Get the group's members
$groupMembers = Get-MgGroupMember -GroupId $group.Id -All
# Check if the group member list is empty or not
if ($groupMembers) {
# Loop through each member
foreach ($member in $groupMembers) {
# Check if the member is a user
if ($member.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user') {
# Get the user's direct licenses
Write-Host "Fetching license details for $($member.AdditionalProperties.displayName)" -ForegroundColor Yellow
# Get User With Directly Assigned Licenses Only
$user = Get-MgUser -UserId $member.Id -Property AssignedLicenses, LicenseAssignmentStates, DisplayName |
Select-Object DisplayName, AssignedLicenses -ExpandProperty LicenseAssignmentStates |
Where-Object { $_.AssignedByGroup -eq $null }
$licensesToRemove = @()
if ($user) {
if ($user.count -ge 2) {
foreach ($u in $user) {
$userLicenses = $u.SkuId
$licensesToRemove += $userLicenses | Where-Object { $_ -in $groupLicenses }
}
}
else {
$userLicenses = $user.SkuId
$licensesToRemove = $userLicenses | Where-Object { $_ -in $groupLicenses }
}
}
else {
Write-Host "No conflicting licenses found for the user $($member.AdditionalProperties.displayName)" -ForegroundColor Green
}
# Remove the licenses from the user (remove the -WhatIf parameter)
if ($licensesToRemove) {
Write-Host "Removing the license $($licensesToRemove) from user $($member.AdditionalProperties.displayName) as inherited from group $($group.DisplayName)" -ForegroundColor Green
$null = Set-MgUserLicense -UserId $member.Id -AddLicenses @() -RemoveLicenses $licensesToRemove -WhatIf
$obj = [PSCustomObject]@{
User = $member.AdditionalProperties.displayName
Id = $member.Id
LicensesRemoved = $licensesToRemove
LicenseInheritedFromGroup = $group.DisplayName
GroupId = $group.Id
}
$output += $obj
}
else {
Write-Host "No action required for $($member.AdditionalProperties.displayName)" -ForegroundColor Green
}
}
}
}
else {
Write-Host "The licensed group $($group.DisplayName) has no members, exiting now!!" -ForegroundColor Yellow
}
}
# Display the results
$output | Format-Table -AutoSize
$output | Export-Csv -Path "C:\temp\DirectLicenseRemoval.csv" -NoTypeInformation -Encoding utf8
}
else {
Write-Host "No groups found with licenses assigned." -ForegroundColor Cyan
}
- Line 100: Edit the CSV file path
Step 3. Run Remove-DirectLicense PowerShell script
Run the below command to run the script Remove-DirectLicense.ps1.
c:\scripts\.\Remove-DirectLicense.ps1
Important: The -WhatIf parameter is added to the script, so nothing happens to the environment when it is run. Once satisfied with the results, remove the -WhatIf parameter and rerun the script.
The PowerShell output shows from which users the direct license will be removed and which group the license is inherited from.
The licensed group M365_Licenses_E3_Exchange has no members, exiting now!!
Fetching license details for Boris Campbell
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Boris Campbell as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Alison Bell
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Alison Bell as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Edward Lincoln
No conflicting licenses found for the user Edward Lincoln
No action required for Edward Lincoln
Fetching license details for Alysia Maverick
No conflicting licenses found for the user Alysia Maverick
No action required for Alysia Maverick
Fetching license details for Carol Baker
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Carol Baker as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Richard Grant
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Richard Grant as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Zoë Roberts
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Zoë Roberts as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Amanda Morgan
No conflicting licenses found for the user Amanda Morgan
No action required for Amanda Morgan
At the end, it will show all the information in a table on the PowerShell console.
User Id LicensesRemoved LicenseInheritedFromGroup GroupId
---- -- --------------- ------------------------- -------
Boris Campbell 4b350521-7006-4a9d-ab11-9127fa9563db c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
Alison Bell 77f04d81-fdf0-4604-810a-3a90fe4030e3 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
Carol Baker 1e6461f3-b842-4891-bc57-cdea3d430b43 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
Richard Grant 03e95a20-3652-4895-af25-6deed0856081 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
Zoë Roberts 88db92fa-4a15-4e8f-a0c8-eeadd8fae52b c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
After everything looks good, we remove the -WhatIf parameter from the script and rerun the script.
The below output appears.
The licensed group M365_Licenses_E3_Exchange has no members, exiting now!!
Fetching license details for Boris Campbell
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Boris Campbell as inherited from group M365_Licenses_E3_Base
Fetching license details for Alison Bell
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Alison Bell as inherited from group M365_Licenses_E3_Base
Fetching license details for Edward Lincoln
No conflicting licenses found for the user Edward Lincoln
No action required for Edward Lincoln
Fetching license details for Alysia Maverick
No conflicting licenses found for the user Alysia Maverick
No action required for Alysia Maverick
Fetching license details for Carol Baker
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Carol Baker as inherited from group M365_Licenses_E3_Base
Fetching license details for Richard Grant
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Richard Grant as inherited from group M365_Licenses_E3_Base
Fetching license details for Zoë Roberts
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Zoë Roberts as inherited from group M365_Licenses_E3_Base
Fetching license details for Amanda Morgan
No conflicting licenses found for the user Amanda Morgan
No action required for Amanda Morgan
User Id LicensesRemoved LicenseInheritedFromGroup GroupId
---- -- --------------- ------------------------- -------
Boris Campbell 4b350521-7006-4a9d-ab11-9127fa9563db c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
Alison Bell 77f04d81-fdf0-4604-810a-3a90fe4030e3 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
Carol Baker 1e6461f3-b842-4891-bc57-cdea3d430b43 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
Richard Grant 03e95a20-3652-4895-af25-6deed0856081 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
Zoë Roberts 88db92fa-4a15-4e8f-a0c8-eeadd8fae52b c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base 62dee815-d5c9-44ce-9085-e17f2c80734d
Step 4. Open direct license removal report
The Remove-DirectLicense.ps1 PowerShell script exports all Microsoft 365 users from whom the direct license is removed to a CSV file.
Find the file DirectLicenseRemoval.csv in the path C:\temp.
Open the CSV file with your favorite application. In our example, it’s Microsoft Excel.
That’s it!
Read more: Get MFA status in Microsoft Entra and PowerShell »
Conclusion
You learned how to remove direct assigned licenses for users with group licenses. You can select a single or multiple users in Microsoft Entra admin center and remove their direct license. If you want to speed up the work or need a list of which users the direct license will be removed from, use the PowerShell script.
Did you enjoy this article? You may also like How to use Get-MgUser in PowerShell. Don’t forget to follow us and share this article.
This Post Has 0 Comments