
How to Identify Users with Broken Group-Based License Assignments

Group-based licensing in Microsoft Entra ID (formerly Azure Active Directory) simplifies license management by automatically assigning licenses to users through groups. However, sometimes users might not receive the expected licenses — a sign of broken or inconsistent group-based license assignments.

This guide explains how to identify such users using Microsoft Graph PowerShell.


Understanding the Issue

When group-based licensing breaks, affected users may:

  • Show missing or partial licenses.
  • Appear as unlicensed even though they belong to a licensed group.
  • Have stuck license processing states, often due to directory sync or group assignment delays.

These inconsistencies can be fixed using Invoke-MgLicenseUser, but first, you need to identify the affected users.


Step 1: Connect to Microsoft Graph PowerShell

Start by connecting to Microsoft Graph with the required permissions:

Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All"

Verify connection:

Get-MgContext

Step 2: Retrieve Users Missing Licenses

You can identify unlicensed users using the following command:

Get-MgUser -All -Filter "assignedLicenses/`$count eq 0 and userType eq 'Member'" -ConsistencyLevel eventual -CountVariable Records

Explanation:

  • assignedLicenses/$count eq 0 filters users who have no licenses assigned.
  • userType eq 'Member' ensures that guest users are excluded.
  • -ConsistencyLevel eventual is required for count-based queries in Microsoft Graph.

Step 3: Cross-Check Group Membership

Once you identify unlicensed users, check if they belong to groups that assign licenses:

Get-MgUserMemberOf -UserId "<UserId>" | Select-Object DisplayName, Id

Note: you’ll have to pass the group IDs returned by Get-MgUserMemberOf to the Get-MgGroup cmdlet to fetch each group's display name.

If the user appears in licensed groups but has no assigned licenses, the group-based assignment is likely broken.


Step 4: (Optional) Export Results for Review

You can export the unlicensed users list to a CSV file for review:

Get-MgUser -All -Filter "assignedLicenses/`$count eq 0 and userType eq 'Member'" -ConsistencyLevel eventual -CountVariable Records | Export-Csv "UnlicensedUsers.csv" -NoTypeInformation
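
Steps 2 to 4 can be combined into one read-only pass that lists only unlicensed members who sit in at least one license-assigning group. This is an added example, not part of the original guide; the function name Get-BrokenGroupLicenseCandidate and the CSV file name are hypothetical, and it assumes the connection from Step 1 is already established.

```powershell
# Added example: read-only detection combining Steps 2, 3 and 4.
# Assumes Connect-MgGraph from Step 1 has already been run (read scopes only).
# Get-BrokenGroupLicenseCandidate is a hypothetical helper name.
function Get-BrokenGroupLicenseCandidate {
    [CmdletBinding()]
    param()

    # Step 2: member accounts with no assigned licenses.
    $users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable Records `
        -Filter "assignedLicenses/`$count eq 0 and userType eq 'Member'" `
        -Property id, displayName, userPrincipalName

    $groupCache = @{}   # group id -> group object, so each group is fetched once

    foreach ($user in $users) {
        # Step 3: direct memberships only. Get-MgUserMemberOf returns generic
        # directory objects, so keep the entries whose type is a group.
        $groupIds = Get-MgUserMemberOf -UserId $user.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
            Select-Object -ExpandProperty Id

        $licensedGroups = foreach ($id in $groupIds) {
            if (-not $groupCache.ContainsKey($id)) {
                $groupCache[$id] = Get-MgGroup -GroupId $id -Property id, displayName, assignedLicenses
            }
            # A group assigns licenses when its assignedLicenses collection is non-empty.
            if ($groupCache[$id].AssignedLicenses) { $groupCache[$id] }
        }

        # Unlicensed user inside a licensed group: likely broken assignment.
        if ($licensedGroups) {
            [pscustomobject]@{
                UserId            = $user.Id
                UserPrincipalName = $user.UserPrincipalName
                LicensedGroups    = ($licensedGroups.DisplayName -join '; ')
                ExpectedSkuIds    = (($licensedGroups.AssignedLicenses.SkuId | Sort-Object -Unique) -join '; ')
            }
        }
    }
}

# Step 4: export the candidates for review before reprocessing anyone in Step 5.
Get-BrokenGroupLicenseCandidate |
    Export-Csv 'BrokenGroupLicenseCandidates.csv' -NoTypeInformation
```

The output contains only users worth reviewing, so accounts that are unlicensed by design (no licensed group membership) are left out of the reprocessing list.
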

Step 5: Reprocess License Assignments (Fix)

Once you confirm affected users, reprocess their group-based license assignments using the following cmdlet:

Invoke-MgLicenseUser -UserId "<UserId>"

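This command triggers Microsoft Entra ID to re-evaluate and reassign all group-based licenses for that user. Reprocessing is a write operation, so the read-only scopes from Step 1 are not sufficient; if the call fails with PermissionDenied, reconnect with the scope listed under Common Errors & Solutions, and use that elevated session only for the reprocessing step.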

Tips

  • Always verify that the user is a member of a licensed group before reprocessing.
  • Avoid running reprocessing commands for all users simultaneously; it can overload the directory.
  • You can schedule periodic checks using automation scripts to detect unlicensed users early.


Common Errors & Solutions

| Error | Cause | Solution |
|---|---|---|
| PermissionDenied | Missing permissions for Graph operations. | Connect with Directory.ReadWrite.All scope. |
| Request_ResourceNotFound | User or group doesn’t exist or was deleted. | Validate the UserId or group ID. |
| InvalidFilterClause | Incorrect $count filter used without -ConsistencyLevel eventual. | Add -ConsistencyLevel eventual to the cmdlet. |

Conclusion

Broken group-based license assignments can silently affect users and cause access issues across Microsoft 365 services.

By combining Get-MgUser filters with group membership checks, you can easily detect users who aren’t receiving their licenses as expected. Once identified, the Invoke-MgLicenseUser cmdlet can quickly reprocess their assignments, ensuring consistency and compliance within your tenant.

Regular checks using this method can save administrators hours of troubleshooting time while maintaining a smooth licensing experience for users.

