Creating a PowerShell script that uses the Microsoft Graph PowerShell SDK to check if users are licensed and, if not, to assign them a specific license can be quite useful for managing Microsoft 365 environments. Below is a basic example of how such a script might look. This script will:
Check each user in your Microsoft 365 environment to see if they have a specific license.
If a user does not have the license, the script will assign it to them.
Prerequisites
Install the Microsoft Graph PowerShell SDK. You can install it using the following command if you haven't already:
You need administrative credentials to access and modify user licenses.
Make sure you have the correct license SKU ID that you want to assign to the users. You can find the SKU IDs by using the Get-MgSubscribedSku command.
Graph PowerShell Script for Bulk Assigning Microsoft 365 License
    # Connect to Microsoft Graph
    Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"

    # Function to assign license
    function Assign-License($userId, $licenseSkuId) {
        # Prepare the license assignment information
        $licenseToAdd = @{
            "SkuId"         = $licenseSkuId
            "DisabledPlans" = @()   # No plans are disabled
        }
        $licensesToModify = @{
            "AddLicenses"    = @($licenseToAdd)
            "RemoveLicenses" = @()  # No licenses are removed
        }

        # Convert to JSON string as BodyParameter needs a JSON object
        # (-Depth 3 so the nested DisabledPlans array is serialized, not truncated)
        $licenseJson = $licensesToModify | ConvertTo-Json -Depth 3

        # Apply the license change to the user
        Set-MgUserLicense -UserId $userId -BodyParameter $licenseJson
        Write-Host "License assigned to user: $userId"
    }

    # Main script to check and assign licenses
    $licenseSkuId = "c42b9cae-ea4f-4ab7-9717-81576235ccac" # Replace with actual SKU ID

    # AssignedLicenses is not in the default property set, so request it explicitly;
    # without it every user looks unlicensed
    $users = Get-MgUser -All -Property Id, AssignedLicenses

    foreach ($user in $users) {
        $isLicensed = $false
        foreach ($assignedLicense in $user.AssignedLicenses) {
            if ($assignedLicense.SkuId -eq $licenseSkuId) {
                $isLicensed = $true
                break
            }
        }

        if (-not $isLicensed) {
            Write-Host "User $($user.Id) does not have the license. Assigning..."
            Assign-License -userId $user.Id -licenseSkuId $licenseSkuId
        } else {
            Write-Host "User $($user.Id) is already licensed."
        }
    }

    # Disconnect the session
    Disconnect-MgGraph
How the Script Works
Connect to Microsoft Graph
Connect-MgGraph: This cmdlet connects your PowerShell session to Microsoft Graph.
-Scopes: Specifies the permissions that the script needs to operate. User.ReadWrite.All allows the script to read and modify all user profiles. Directory.ReadWrite.All provides access to read and modify directory data. These scopes are necessary for managing user licenses.
Define the Assign License Function
    function Assign-License($userId, $licenseSkuId) {
        $licenseToAdd = @{
            "SkuId"         = $licenseSkuId
            "DisabledPlans" = @()   # No plans are disabled
        }
        $licensesToModify = @{
            "AddLicenses"    = @($licenseToAdd)
            "RemoveLicenses" = @()  # No licenses are removed
        }
        # -Depth 3 so the nested DisabledPlans array is serialized, not truncated
        $licenseJson = $licensesToModify | ConvertTo-Json -Depth 3
        Set-MgUserLicense -UserId $userId -BodyParameter $licenseJson
        Write-Host "License assigned to user: $userId"
    }
The Assign-License function takes two parameters: userId (the ID of the user) and licenseSkuId (the SKU ID of the license to assign).
$licenseToAdd is a hashtable storing the SKU ID of the license to be added and an empty array for DisabledPlans (indicating no specific sub-features of the license are to be disabled).
$licensesToModify is a hashtable that includes arrays for licenses to add and remove. Here, it’s set to add the license defined in $licenseToAdd and remove none.
Convert to JSON: Converts the hashtable to a JSON format string, which is required for the Set-MgUserLicense cmdlet.
Set-MgUserLicense: The cmdlet that assigns the license to the user when -UserId and -BodyParameter (which contains the license details) are passed to it.
Write-Host: Prints a message to the console indicating that the license has been assigned.
Check for Unlicensed Users and Assign License
    $licenseSkuId = "c42b9cae-ea4f-4ab7-9717-81576235ccac" # Replace with actual SKU ID

    # AssignedLicenses is not in the default property set, so request it explicitly
    $users = Get-MgUser -All -Property Id, AssignedLicenses

    foreach ($user in $users) {
        $isLicensed = $false
        foreach ($assignedLicense in $user.AssignedLicenses) {
            if ($assignedLicense.SkuId -eq $licenseSkuId) {
                $isLicensed = $true
                break
            }
        }

        if (-not $isLicensed) {
            Write-Host "User $($user.Id) does not have the license. Assigning..."
            Assign-License -userId $user.Id -licenseSkuId $licenseSkuId
        } else {
            Write-Host "User $($user.Id) is already licensed."
        }
    }
$licenseSkuId contains your Microsoft 365 license ID.
$users contains all your M365 tenant users, retrieved using the Get-MgUser -All cmdlet.
Next, you loop through all the users to check their license status.
A nested foreach loop checks the AssignedLicenses property. If it contains the license SKU ID, the script prints the "User is already licensed" message. If not, the Assign-License function is called with the userId and licenseSkuId passed as parameters. The Assign-License function uses the Set-MgUserLicense cmdlet to assign the license to the unlicensed users.
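A pre-flight plan for the loop described above, as an added example that is not part of the original script: it decides per user what the loop should do before any license is changed, skipping users with no UsageLocation (Graph rejects the assignment without one) and stopping when the SKU has no free seats. The function name Get-LicensePlan, the guest and disabled-account skip rules and the sample users are assumptions made for illustration.

```powershell
# Added example, not part of the original script. Get-LicensePlan, its skip
# rules for guest/disabled accounts and the sample users are assumptions.
function Get-LicensePlan {
    param(
        [Parameter(Mandatory)] [string]   $SkuId,
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [int]      $FreeSeats
    )
    foreach ($u in $Users) {
        $action = 'Assign'
        if     ($u.AssignedLicenses.SkuId -contains $SkuId) { $action = 'AlreadyLicensed' }
        elseif ($u.UserType -eq 'Guest')                    { $action = 'SkipGuest' }
        elseif (-not $u.AccountEnabled)                     { $action = 'SkipDisabled' }
        elseif (-not $u.UsageLocation)                      { $action = 'SkipNoUsageLocation' }
        elseif ($FreeSeats -le 0)                           { $action = 'SkipNoSeats' }
        else                                                { $FreeSeats-- }   # reserve a seat
        [pscustomobject]@{ UserId = $u.Id; Action = $action }
    }
}

# Constructed sample users, using the property names Get-MgUser returns.
$sku = 'c42b9cae-ea4f-4ab7-9717-81576235ccac'   # SKU ID from the script above
$has = @([pscustomobject]@{ SkuId = $sku })
$sample = @(
    [pscustomobject]@{ Id='u1'; UserType='Member'; AccountEnabled=$true;  UsageLocation='US';  AssignedLicenses=$has }
    [pscustomobject]@{ Id='u2'; UserType='Guest';  AccountEnabled=$true;  UsageLocation='US';  AssignedLicenses=@() }
    [pscustomobject]@{ Id='u3'; UserType='Member'; AccountEnabled=$false; UsageLocation='US';  AssignedLicenses=@() }
    [pscustomobject]@{ Id='u4'; UserType='Member'; AccountEnabled=$true;  UsageLocation=$null; AssignedLicenses=@() }
    [pscustomobject]@{ Id='u5'; UserType='Member'; AccountEnabled=$true;  UsageLocation='US';  AssignedLicenses=@() }
    [pscustomobject]@{ Id='u6'; UserType='Member'; AccountEnabled=$true;  UsageLocation='US';  AssignedLicenses=@() }
)

# With one free seat, only the first eligible user is marked 'Assign'.
Get-LicensePlan -SkuId $sku -Users $sample -FreeSeats 1 | Format-Table

# Live use after Connect-MgGraph (replaces the sample data):
#   $s     = Get-MgSubscribedSku | Where-Object SkuId -eq $sku
#   $free  = $s.PrepaidUnits.Enabled - $s.ConsumedUnits
#   $users = Get-MgUser -All -Property Id,UserType,AccountEnabled,UsageLocation,AssignedLicenses
#   Get-LicensePlan -SkuId $sku -Users $users -FreeSeats $free |
#       Where-Object Action -eq 'Assign' |
#       ForEach-Object { Assign-License -userId $_.UserId -licenseSkuId $sku }
```

Reviewing the plan table before piping it into Assign-License gives a record of exactly which accounts a bulk run will change.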
Running the Script
Navigate to the location where you have placed the script file and run the file with a ./<your-file-name>.ps1 command.
The script prompts you to sign in if you are not signed into Microsoft 365 already.
The script checks for unlicensed users and assigns them the license provided to the script.
Errors You Might Face
Permissions not available: Make sure that the required permissions (User.ReadWrite.All, Directory.ReadWrite.All) are not only added in the Azure portal under your app registration but have also been granted admin consent, especially in organizational contexts.
Not running PowerShell as administrator: Ensure you always run PowerShell as an administrator.
Execution policy set to restricted: If execution policy is set to restricted, then you cannot execute scripts. Execute Get-ExecutionPolicy cmdlet to find out the current execution policy. Your execution policy should be set to RemoteSigned. To set execution policy to RemoteSigned, execute the following command: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser