Bulk Assign Microsoft 365 License

Creating a PowerShell script that uses the Microsoft Graph PowerShell SDK to check if users are licensed and, if not, to assign them a specific license can be quite useful for managing Microsoft 365 environments. Below is a basic example of how such a script might look. This script will:

  • Check each user in your Microsoft 365 environment to see if they have a specific license.
  • If a user does not have the license, the script will assign it to them.


Prerequisites

  • Install the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) if you haven't already.
  • You need administrative credentials to access and modify user licenses.
  • Make sure you have the correct license SKU ID that you want to assign to the users. You can find the SKU IDs by using the Get-MgSubscribedSku command.

Graph PowerShell Script for Bulk Assigning Microsoft 365 License

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"

# Function to assign license
function Assign-License($userId, $licenseSkuId) {
    # Prepare the license assignment information
    $licenseToAdd = @{
        "SkuId" = $licenseSkuId
        "DisabledPlans" = @() # No plans are disabled
    }
    $licensesToModify = @{
        "AddLicenses" = @($licenseToAdd)
        "RemoveLicenses" = @() # No licenses are removed
    }
    # Convert to JSON string as BodyParameter needs a JSON object
    # (-Depth 3 covers the nested DisabledPlans array)
    $licenseJson = $licensesToModify | ConvertTo-Json -Depth 3
    # Apply the license change to the user
    Set-MgUserLicense -UserId $userId -BodyParameter $licenseJson
    Write-Host "License assigned to user: $userId"
}

# Main script to check and assign licenses
$licenseSkuId = "c42b9cae-ea4f-4ab7-9717-81576235ccac" # Replace with actual SKU ID
# AssignedLicenses is not in the default property set, so request it explicitly
$users = Get-MgUser -All -Property Id, AssignedLicenses
foreach ($user in $users) {
    $isLicensed = $false
    foreach ($assignedLicense in $user.AssignedLicenses) {
        if ($assignedLicense.SkuId -eq $licenseSkuId) {
            $isLicensed = $true
        }
    }
    if (-not $isLicensed) {
        Write-Host "User $($user.Id) does not have the license. Assigning..."
        Assign-License -userId $user.Id -licenseSkuId $licenseSkuId
    } else {
        Write-Host "User $($user.Id) is already licensed."
    }
}

# Disconnect the session
Disconnect-MgGraph

How the Script Works

Connect to Microsoft Graph

  • Connect-MgGraph: This cmdlet connects your PowerShell session to Microsoft Graph.
  • -Scopes: Specifies the permissions that the script needs to operate. User.ReadWrite.All allows the script to read and modify all user profiles. Directory.ReadWrite.All provides access to read and modify directory data. These scopes are necessary for managing user licenses.

Define the Assign License Function

function Assign-License($userId, $licenseSkuId) {
    $licenseToAdd = @{
        "SkuId" = $licenseSkuId
        "DisabledPlans" = @() # No plans are disabled
    }
    $licensesToModify = @{
        "AddLicenses" = @($licenseToAdd)
        "RemoveLicenses" = @() # No licenses are removed
    }
    # -Depth 3 covers the nested DisabledPlans array
    $licenseJson = $licensesToModify | ConvertTo-Json -Depth 3
    Set-MgUserLicense -UserId $userId -BodyParameter $licenseJson
    Write-Host "License assigned to user: $userId"
}

  • Assign-License function takes two parameters: userId (the ID of the user) and licenseSkuId (the SKU ID of the license to assign).
  • $licenseToAdd is a hashtable storing the SKU ID of the license to be added and an empty array for DisabledPlans (indicating no specific sub-features of the license are to be disabled).
  • $licensesToModify is a hashtable that includes arrays for licenses to add and remove. Here, it’s set to add the license defined in $licenseToAdd and remove none.
  • Convert to JSON: Converts the hashtable to a JSON format string, which is required for the Set-MgUserLicense cmdlet.
  • Set-MgUserLicense: The cmdlet that assigns the license to the user when -UserId and -BodyParameter (which contains the license details) are passed to it.
  • Write-Host: Prints a message to the console indicating that the license has been assigned.

Check for Unlicensed Users and Assign License

$licenseSkuId = "c42b9cae-ea4f-4ab7-9717-81576235ccac" # Replace with actual SKU ID
# AssignedLicenses is not in the default property set, so request it explicitly
$users = Get-MgUser -All -Property Id, AssignedLicenses

foreach ($user in $users) {
    $isLicensed = $false
    foreach ($assignedLicense in $user.AssignedLicenses) {
        if ($assignedLicense.SkuId -eq $licenseSkuId) {
            $isLicensed = $true
        }
    }
    if (-not $isLicensed) {
        Write-Host "User $($user.Id) does not have the license. Assigning..."
        Assign-License -userId $user.Id -licenseSkuId $licenseSkuId
    } else {
        Write-Host "User $($user.Id) is already licensed."
    }
}

  • $licenseSkuId contains your Microsoft 365 license ID.
  • $users contains all your M365 tenant users, retrieved using the Get-MgUser -All cmdlet.
  • Next, you loop through all the users to check their license status.
  • A nested foreach loop checks the AssignedLicenses property. If it contains the license SkuId, the script prints the "User is already licensed" message. If not, the Assign-License function is called with the userId and licenseSkuId passed as parameters. The Assign-License function uses the Set-MgUserLicense cmdlet to assign the license to the unlicensed users.
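
A pre-flight variant of the loop above, added here as an illustration and not part of the original script: it checks free seats with Get-MgSubscribedSku, holds back users without a UsageLocation (license assignment fails for them), and records each outcome. The $dryRun switch, the enabled-member filter, the placeholder SKU ID and the CSV file name are assumptions of this example.

```powershell
# Added example (not from the original script): pre-flight checks before bulk assignment.
# Assumes an existing Connect-MgGraph session with the scopes used above.
$licenseSkuId = "00000000-0000-0000-0000-000000000000"  # placeholder SKU ID
$dryRun = $true  # hypothetical switch: report only, change nothing

# 1. Confirm the SKU is subscribed in the tenant and count the free seats.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuId -eq $licenseSkuId }
if (-not $sku) { throw "SKU $licenseSkuId is not subscribed in this tenant." }
$freeSeats = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits

# 2. Request the properties the checks need; AssignedLicenses and UsageLocation
#    are not part of the default Get-MgUser property set.
$users = Get-MgUser -All -Property Id, UserPrincipalName, UserType, AccountEnabled, UsageLocation, AssignedLicenses

# 3. Assumption of this example: only enabled member accounts are in scope,
#    so guests and disabled accounts do not silently consume seats.
$candidates = $users | Where-Object {
    $_.AccountEnabled -and $_.UserType -eq 'Member' -and
    $_.AssignedLicenses.SkuId -notcontains $licenseSkuId
}
# Graph rejects a license assignment for a user with no UsageLocation.
$ready   = @($candidates | Where-Object { $_.UsageLocation })
$blocked = @($candidates | Where-Object { -not $_.UsageLocation })

Write-Host "Free seats: $freeSeats  Ready: $($ready.Count)  Missing UsageLocation: $($blocked.Count)"
if ($ready.Count -gt $freeSeats) { throw "Not enough free seats; nothing was changed." }

# 4. Assign the license and record each outcome for later review.
$results = foreach ($user in $ready) {
    $status = 'DryRun'
    if (-not $dryRun) {
        try {
            $params = @{ UserId = $user.Id; AddLicenses = @(@{ SkuId = $licenseSkuId })
                         RemoveLicenses = @(); ErrorAction = 'Stop' }
            Set-MgUserLicense @params | Out-Null
            $status = 'Assigned'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ User = $user.UserPrincipalName; Status = $status; Time = (Get-Date).ToString('o') }
}
$results | Export-Csv -Path .\license-assignment-log.csv -NoTypeInformation
```

Run it once with $dryRun left at $true and review the CSV before switching it to $false.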

Running the Script

  • Navigate to the location where you have placed the script file and run the file with a ./<your-file-name>.ps1 command.
  • The script prompts you to sign in if you are not signed into Microsoft 365 already.
  • The script checks for unlicensed users and assigns them the license provided to the script.

Errors You Might Face

  • Permissions not available: Make sure that the required permissions (User.ReadWrite.All, Directory.ReadWrite.All) are not only added in the Azure portal under your app registration but have also been granted admin consent, especially in organizational contexts.
  • Not running PowerShell as administrator: Ensure you always run PowerShell as an administrator.
  • Execution policy set to restricted: If the execution policy is set to Restricted, you cannot execute scripts. Run the Get-ExecutionPolicy cmdlet to find out the current execution policy. Your execution policy should be set to RemoteSigned. To set the execution policy to RemoteSigned, execute the following command: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
