I’ve got a file on my machine with various PowerShell snippets. While that’s useful as a quick reference I want to also put these somewhere I can easily refer to when I don’t have that file handy. Plus who knows maybe it’s useful for others too. This blog post is for that. I’ll keep updating it as I learn.
Note: There are two sets of cmdlets. The `AzureAD` ones are the newer, Graph API based ones. The `MSOnline` ones (usually shortened to `Msol`) are the older. I use both below. Each requires us to connect to Azure AD – the former via `Connect-AzureAD` and the latter via `Connect-MsolService`.
Get all users without a license
```powershell
Get-AzureADUser -All:$true | %{
    if ($(Get-AzureADUserLicenseDetail -ObjectId $_.UserPrincipalName) -eq $null) { $_.DisplayName }
}
```
A variant that filters out AD disabled accounts
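```powershell
# Get-ADUser's -Filter string does not expand property references such as $_.UserPrincipalName,
# so the UPN is copied into a plain variable and expanded into the filter string.
Get-AzureADUser -All:$true |
    ?{ $(Get-AzureADUserLicenseDetail -ObjectId $_.UserPrincipalName) -eq $null } |
    ?{ $upn = $_.UserPrincipalName; (Get-ADUser -Filter "UserPrincipalName -eq '$upn'").Enabled -eq $true } |
    select DisplayName
```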
Find all users with directly assigned licenses
I was moving over from assigning users licenses directly to assigning them via a group. I thought I had moved everyone over, but there was a discrepancy in the free count, so I used the following to find everyone directly assigned a license:
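```powershell
Get-MsolUser -All | %{
    $user = $_
    foreach ($license in $user.Licenses) {
        # Directly assigned: GroupsAssigningLicense is empty (never assigned via a group)
        # or it contains the user's own ObjectId. Checking .Count first avoids calling
        # a method on a null entry when the list is empty.
        if ($license.GroupsAssigningLicense.Count -eq 0 -or $license.GroupsAssigningLicense -contains $user.ObjectId) {
            Write-Host "$($user.UserPrincipalName) has $($license.AccountSkuId) assigned directly"
        }
    }
}
```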
I discovered this from StackOverflow. The original post removed the licenses instead of outputting the info. So it had the following instead of the `Write-Host` statement:
```powershell
Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses $license.AccountSkuId
```
Add/ Remove licenses
This is probably a good time to highlight yesterday’s post where I used the newer `Set-AzureADUserLicense` cmdlet to add/remove licenses. The `Set-MsolUserLicense` cmdlet used above is the older method.
`Set-MsolUserLicense` can take the `-AddLicenses` parameter to add licenses.
Whereas `Set-AzureADUserLicense` took a GUID as the license SKU, `Set-MsolUserLicense` takes a more friendly name. Example: `contoso:ENTERPRISEPACK`.
Viewing license SKUs
The older cmdlet is:
```powershell
Get-MsolAccountSku
```
Its output is like this:
```
AccountSkuId              ActiveUnits WarningUnits ConsumedUnits
------------              ----------- ------------ -------------
tenantname:AAD_PREMIUM_P2 1940        0            1940
tenantname:SPE_E3         1940        0            1940
```
The newer cmdlet is:
```powershell
Get-AzureADSubscribedSku
```
And its output is like this:
```
ObjectId                                                                  SkuPartNumber                   PrepaidUnits                    ConsumedUnits
--------                                                                  -------------                   ------------                    -------------
cd8e1d4f-5295-4de8-b18a-1d85b4195a17_2bc9d149-a1dc-4d8f-bcd8-e9c5750a59b5 M365_INFO_PROTECTION_GOVERNANCE class LicenseUnitsDetail {...   1940
cd8e1d4f-5295-4de8-b18a-1d85b4195a17_b05e124f-c7cc-45a0-a6aa-8cf78c946968 EMSPREMIUM                      class LicenseUnitsDetail {...   0
cd8e1d4f-5295-4de8-b18a-1d85b4195a17_6470687e-a428-4b7a-bef2-8a291ad947c9 WINDOWS_STORE                   class LicenseUnitsDetail {...   0
```
In the old cmdlet the SkuId is “`tenantname:license`”. The tenantname is not your custom domain name, but the one before `onmicrosoft.com`. (You can view all your domain names via `Get-MsolDomain`.)
In the new cmdlet the Id is “`tenantguid_licenseguid`” (the two GUIDs are joined by an underscore, as in the output above), and the SkuPartNumber has the license name. You can get the tenant GUID from `Get-AzureADTenantDetail`.
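To line the two naming schemes up side by side, here is an added example (not from the original post or the official docs) that turns `Get-AzureADSubscribedSku`-shaped objects into rows carrying both the `Msol` style name and the GUID, plus the free count hidden inside `PrepaidUnits`. The function name `ConvertTo-SkuSummary`, its `-TenantName` parameter and the `PrepaidUnits` numbers in the sample are assumptions made for the illustration.

```powershell
# Added example; ConvertTo-SkuSummary is a hypothetical helper, not a module cmdlet.
function ConvertTo-SkuSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Sku,
        # Assumption: the tenant name, i.e. the part before onmicrosoft.com
        [Parameter(Mandatory)] [string] $TenantName
    )
    process {
        # ObjectId has the form <tenant GUID>_<license GUID>
        $tenantGuid, $skuGuid = $Sku.ObjectId -split '_', 2
        [pscustomobject]@{
            AccountSkuId  = "${TenantName}:$($Sku.SkuPartNumber)"  # form used by the Msol cmdlets
            SkuId         = $skuGuid                               # form used by the AzureAD cmdlets
            TenantGuid    = $tenantGuid
            EnabledUnits  = $Sku.PrepaidUnits.Enabled
            ConsumedUnits = $Sku.ConsumedUnits
            FreeUnits     = $Sku.PrepaidUnits.Enabled - $Sku.ConsumedUnits
        }
    }
}

# Constructed sample shaped like Get-AzureADSubscribedSku output. ObjectId, SkuPartNumber
# and ConsumedUnits are copied from the output above; the PrepaidUnits values are made up.
$tenant = 'cd8e1d4f-5295-4de8-b18a-1d85b4195a17'
$sample = @(
    [pscustomobject]@{
        ObjectId      = "${tenant}_2bc9d149-a1dc-4d8f-bcd8-e9c5750a59b5"
        SkuPartNumber = 'M365_INFO_PROTECTION_GOVERNANCE'
        ConsumedUnits = 1940
        PrepaidUnits  = [pscustomobject]@{ Enabled = 1940; Suspended = 0; Warning = 0 }
    }
    [pscustomobject]@{
        ObjectId      = "${tenant}_b05e124f-c7cc-45a0-a6aa-8cf78c946968"
        SkuPartNumber = 'EMSPREMIUM'
        ConsumedUnits = 0
        PrepaidUnits  = [pscustomobject]@{ Enabled = 25; Suspended = 0; Warning = 0 }
    }
)

$sample | ConvertTo-SkuSummary -TenantName 'tenantname' | Format-Table -AutoSize
```

Against a live tenant the same function takes the real objects: `Get-AzureADSubscribedSku | ConvertTo-SkuSummary -TenantName 'tenantname'`.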
Assigning licenses to a user
I came across this snippet from the official docs, thought I’d add it here as a reference for myself:
```powershell
#The user that will get a license
$UserToLicense = Get-AzureADUser -ObjectId "<upn of the user for which you want to assign a license>"

#Define the plans that will be enabled (Exchange Online, Skype for Business and Office 365 ProPlus)
$EnabledPlans = 'O365_BUSINESS_PREMIUM'

#Get the LicenseSKU and create the Disabled ServicePlans object
$LicenseSku = Get-AzureADSubscribedSku | Where-Object {$_.SkuPartNumber -eq 'O365_BUSINESS_PREMIUM'}

#Loop through all the individual plans and disable all plans except the one in $EnabledPlans
$DisabledPlans = $LicenseSku.ServicePlans | ForEach-Object -Process {
    $_ | Where-Object -FilterScript {$_.ServicePlanName -notin $EnabledPlans }
}

#Create the AssignedLicense object with the License and DisabledPlans earlier created
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = $LicenseSku.SkuId
$License.DisabledPlans = $DisabledPlans.ServicePlanId

#Create the AssignedLicenses Object
$AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$AssignedLicenses.AddLicenses = $License
$AssignedLicenses.RemoveLicenses = @()

#Assign the license to the user
Set-AzureADUserLicense -ObjectId $UserToLicense.ObjectId -AssignedLicenses $AssignedLicenses
```
I didn’t understand the part about disabling plans. A license/ SKU like E3 has service plans within it (you can see it in the Web UI too) and what the snippet above does is enable a specific service plan and not the entire license (I think).
```
Get-AzureADSubscribedSku | ?{ $_.SkuPartNumber -eq "SPE_E3" } | select -ExpandProperty ServicePlans

AppliesTo ProvisioningStatus ServicePlanId                        ServicePlanName
--------- ------------------ -------------                        ---------------
User      Success            041fe683-03e4-45b6-b1af-c0cdc516daee POWER_VIRTUAL_AGENTS_O365_P2
User      Success            95b76021-6a53-4741-ab8b-1d1f3d66a95a CDS_O365_P2
User      Success            31b4e2fc-4cd6-4e7d-9c1b-41407303bd66 PROJECT_O365_P2
User      Success            4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14 DYN365_CDS_O365_P2
User      Success            199a5c09-e0ca-4e37-8f7c-b05d533e1ea2 MICROSOFTBOOKINGS
User      Success            aebd3021-9f8f-4bf8-bbe3-0ed2f4f047a1 KAIZALA_O365_P3
Company   Success            94065c59-bc8e-4e8b-89e5-5138d471eaff MICROSOFT_SEARCH
...
```
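The disabled-plans step, worked through on its own as an added example (not from the original post or the official docs): given a SKU and the service plan names to keep, everything else in the SKU goes into `DisabledPlans`. A name that is not one of the SKU's service plans (a SKU part number, say) would match nothing and leave every plan disabled, so the function rejects it. `Get-DisabledPlanId` is a hypothetical helper name, and the sample object is constructed from the first five rows of the SPE_E3 output above.

```powershell
# Added example; Get-DisabledPlanId is a hypothetical helper, not a module cmdlet.
function Get-DisabledPlanId {
    param(
        [Parameter(Mandatory)] $LicenseSku,              # one object from Get-AzureADSubscribedSku
        [Parameter(Mandatory)] [string[]] $EnabledPlans  # ServicePlanName values to keep enabled
    )
    # Refuse names that are not service plans of this SKU instead of
    # quietly producing a list that disables every plan.
    $known   = $LicenseSku.ServicePlans.ServicePlanName
    $unknown = $EnabledPlans | Where-Object { $_ -notin $known }
    if ($unknown) {
        throw "Not a service plan of $($LicenseSku.SkuPartNumber): $($unknown -join ', ')"
    }
    # Everything that was not asked for ends up in DisabledPlans
    $LicenseSku.ServicePlans |
        Where-Object { $_.ServicePlanName -notin $EnabledPlans } |
        Select-Object -ExpandProperty ServicePlanId
}

# Constructed sample: SPE_E3 with the first five service plans from the output above
$sku = [pscustomobject]@{
    SkuPartNumber = 'SPE_E3'
    ServicePlans  = @(
        [pscustomobject]@{ ServicePlanId = '041fe683-03e4-45b6-b1af-c0cdc516daee'; ServicePlanName = 'POWER_VIRTUAL_AGENTS_O365_P2' }
        [pscustomobject]@{ ServicePlanId = '95b76021-6a53-4741-ab8b-1d1f3d66a95a'; ServicePlanName = 'CDS_O365_P2' }
        [pscustomobject]@{ ServicePlanId = '31b4e2fc-4cd6-4e7d-9c1b-41407303bd66'; ServicePlanName = 'PROJECT_O365_P2' }
        [pscustomobject]@{ ServicePlanId = '4ff01e01-1ba7-4d71-8cf8-ce96c3bbcf14'; ServicePlanName = 'DYN365_CDS_O365_P2' }
        [pscustomobject]@{ ServicePlanId = '199a5c09-e0ca-4e37-8f7c-b05d533e1ea2'; ServicePlanName = 'MICROSOFTBOOKINGS' }
    )
}

# Keep only Bookings: the other four ServicePlanIds come back as the plans to disable
Get-DisabledPlanId -LicenseSku $sku -EnabledPlans 'MICROSOFTBOOKINGS'

# Passing the SKU name where a service plan name belongs is rejected
try {
    Get-DisabledPlanId -LicenseSku $sku -EnabledPlans 'SPE_E3'
} catch {
    Write-Warning $_.Exception.Message
}
```

The returned IDs are what would be assigned to `$License.DisabledPlans` in the snippet from the docs.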
To assign/ remove licenses I can do what I blogged about yesterday:
```powershell
# create objects as before of the single license type, one per SKU to add
# (SkuId holds a single SKU GUID, so each license to add gets its own object)
$License1 = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License1.SkuId = "84a661c4-e949-4bd2-a560-ed7766fcaf2b"
$License2 = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License2.SkuId = "2bc9d149-a1dc-4d8f-bcd8-e9c5750a59b5"

# create an object as before of the multiple license type
$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

# add the previously created license SKUs as something to be added
$Licenses.AddLicenses = $License1, $License2

# and to remove any licenses, I just assign them directly (a list of SKU GUID strings).
$Licenses.RemoveLicenses = "05e9a617-0261-4cee-bb44-138d3ef5d965", "ace9a617-0261-4cee-bb44-138d3ef5d964"

# $_ only exists inside a script block, so wrap the call in ForEach-Object (%)
Get-AzureADUser -ObjectId "<upn of user>" | %{ Set-AzureADUserLicense -ObjectId $_.ObjectId -AssignedLicenses $Licenses }
```