AzureAD license PowerShell snippets

I’ve got a file on my machine with various PowerShell snippets. While that’s useful as a quick reference I want to also put these somewhere I can easily refer to when I don’t have that file handy. Plus who knows maybe it’s useful for others too. This blog post is for that. I’ll keep updating it as I learn.

Note: There’s two set of cmdlets. The AzureAD ones are the newer and Graph API based ones. The MSOnline ones (shortened to Msol usually) are the older. I use both below. Each requires us to connect to Azure AD – the former via Connect-AzureAD and the latter via Connect-MsolService.

Get all users without a license

A variant that filters out AD disabled accounts

Find all users with directly assigned licenses

I was moving over from assigning users licenses directly to assigning them via a group. Thought I had moved over everyone but there was a discrepency in the free count so I used the following to find everyone directly assigned a license:

I discovered this from StackOverflow. The original post removed the licenses instead of outputting the info. So it had the following instead of the Write-Host statement:

Add/ Remove licenses

This is probably a good time to highlight yesterday’s post where I used the newer Set-AzureADUserLicense cmdlet to add remove licenses. The Set-MsolUserLicense cmdlet used above is the older method.

Set-MsolUserLicense can take the -AddLicenses switch to add licenses.

Whereas Set-AzureADUserLicense took a GUID as the license SKU, Set-MsolUserLicense takes a more friendly name. Example: contoso:ENTERPRISEPACK.

Viewing license SKUs

The older cmdlet is:

Its output is like this:

The newer cmdlet is:

And its output is like this:

In the old cmdlet the SkuId is the “tenantname:license“. Thie tenantname is not your custom domain name, but the one before (You can view all your domain names via Get-MsolDomain).

In the new cmdlet the Id is “tenantguid-licenseguid“. In the new cmdlet the SkuPartNumber has the license name. You can get the tenant GUID from Get-AzureADTenantDetail.

Assigning licenses to a user

I came across this snippet from the official docs, thought I’d add it here as a reference for myself:

I didn’t understand the part about disabling plans. A license/ SKU like E3 has service plans within it (you can see it in the Web UI too) and what the snippet above does is enable a specific service plan and not the entire license (I think).

To assign/ remove licenses I can do what I blogged about yesterday: