Introduction
Managing user licenses in Microsoft Entra ID (formerly Azure AD) can be a repetitive task, especially in large organizations. Automating license assignment ensures efficiency, compliance, and cost optimization by assigning the correct licenses dynamically based on user attributes, such as department or group membership.
This blog will cover:
✅ What is license automation in Entra ID?
✅ How to assign licenses using PowerShell
✅ Using Group-Based Licensing for automation
✅ Best practices for license management
🔹 What is License Automation in Entra ID?
Microsoft Entra ID allows organizations to assign Microsoft 365 licenses automatically using:
1️⃣ PowerShell Scripts – Assign or remove licenses dynamically.
2️⃣ Group-Based Licensing – Automatically apply licenses based on Azure AD group membership.
3️⃣ Microsoft Graph API – Programmatic license management for advanced automation.
Manual license assignment can lead to errors, compliance risks, and wasted licenses. Automation helps streamline user onboarding and offboarding.
🛠️ Assigning Licenses Using PowerShell
🔹 Prerequisites
Before running PowerShell scripts, ensure you have:
✅ Global Admin or License Administrator role in Microsoft Entra ID
✅ Installed Microsoft Graph PowerShell module
✅ A valid Microsoft 365 license SKU
🔹 Step 1: Connect to Microsoft Graph PowerShell
Run the following command to authenticate:
```powershell
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"
```
Sign in with admin credentials.
🔹 Step 2: Get Available Licenses
To list all available Microsoft 365 license SKUs:
```powershell
Get-MgSubscribedSku | Select-Object SkuPartNumber, SkuId
```
Example output:
```
SkuPartNumber     SkuId
---------------   ---------------------------------
ENTERPRISEPREMIUM a1b2c3d4-xxxx-xxxx-xxxx-xxxxxxxxxxxx
O365_BUSINESS     e5f6g7h8-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
Note the SkuId for the license you want to assign.
🔹 Step 3: Assign a License to a User
To assign a license, use:
```powershell
# user@example.com is a placeholder UPN
Set-MgUserLicense -UserId "user@example.com" -AddLicenses @{SkuId="a1b2c3d4-xxxx-xxxx-xxxx-xxxxxxxxxxxx"} -RemoveLicenses @()
```
✅ Replace user@example.com with the actual User Principal Name (UPN)
✅ Replace "a1b2c3d4-xxxx-xxxx-xxxx-xxxxxxxxxxxx" with the correct SkuId
This command assigns a license without removing existing ones.
🔹 Step 4: Remove a License from a User
To remove a specific license:
```powershell
# user@example.com is a placeholder UPN
Set-MgUserLicense -UserId "user@example.com" -AddLicenses @() -RemoveLicenses @("a1b2c3d4-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
```
Use this to revoke access when offboarding users.
🔹 Step 5: Assign Licenses in Bulk
If you need to assign licenses to multiple users from a CSV file, use this approach:
1️⃣ Create a CSV file (users.csv) with the following format (the addresses shown are placeholders):
```
UserPrincipalName
user1@example.com
user2@example.com
user3@example.com
```
2️⃣ Run the bulk assignment script:
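```powershell
$users = Import-Csv -Path "C:\path\to\users.csv"
$license = "a1b2c3d4-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
foreach ($user in $users) {
    try {
        # -ErrorAction Stop so a failed assignment is not reported as a success
        Set-MgUserLicense -UserId $user.UserPrincipalName -AddLicenses @{SkuId=$license} -RemoveLicenses @() -ErrorAction Stop
        Write-Output "Assigned license to $($user.UserPrincipalName)"
    } catch {
        Write-Warning "Failed to assign license to $($user.UserPrincipalName): $_"
    }
}
```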
This script loops through the CSV file and assigns the specified license to each user.
🚀 Automate with Group-Based Licensing
Group-Based Licensing allows automatic license assignment when users join an Azure AD security group.
🔹 Steps to Enable Group-Based Licensing
1️⃣ Go to Microsoft Entra Admin Center
2️⃣ Navigate to Groups > New Group
3️⃣ Set the Group Type to Security
4️⃣ Assign members (manual or dynamic)
5️⃣ Under Licenses, click Assign Licenses
6️⃣ Select the license and click Save
Users who join the group automatically receive the license, and if they leave, the license is revoked.
✅ Best Practices for License Management
✔ Use Group-Based Licensing – Reduces manual work and errors.
✔ Monitor License Usage – Run PowerShell reports to track active/inactive licenses:
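```powershell
# -All pages past the first 100 users; AssignedLicenses is only returned when requested with -Property
Get-MgUser -All -Property DisplayName, UserPrincipalName, AssignedLicenses | Select-Object DisplayName, UserPrincipalName, AssignedLicenses
```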
✔ Automate Offboarding – Ensure licenses are revoked when users leave using a script.
✔ Regularly Audit License Consumption – Check unused licenses to optimize costs.
✔ Implement Dynamic Groups – Auto-assign licenses based on departments, job roles, or locations.
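The offboarding and audit practices above, combined into one added example (not part of the original post): it lists disabled accounts that still hold licenses, separates direct assignments from group-inherited ones, and removes the direct ones only when asked. The function name, the `-Remove` switch and the output file name are hypothetical; an existing `Connect-MgGraph` session with the scopes from Step 1 is assumed.

```powershell
# Added example; Invoke-OffboardingLicenseCleanup and -Remove are hypothetical names.
# Assumes Connect-MgGraph has already been run with the scopes from Step 1.
function Invoke-OffboardingLicenseCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)   # without -Remove the function only reports

    # AssignedLicenses and LicenseAssignmentStates are not returned by default,
    # so request them explicitly; -All pages past the first 100 users.
    $props = 'Id', 'UserPrincipalName', 'AccountEnabled', 'AssignedLicenses', 'LicenseAssignmentStates'
    $disabled = Get-MgUser -All -Filter 'accountEnabled eq false' -Property $props

    foreach ($user in $disabled) {
        if (-not $user.AssignedLicenses) { continue }

        # Licenses inherited from a group cannot be removed on the user object;
        # they are revoked when the user leaves the group.
        $direct = @($user.LicenseAssignmentStates |
            Where-Object { -not $_.AssignedByGroup } |
            Select-Object -ExpandProperty SkuId -Unique)
        $viaGroup = @($user.LicenseAssignmentStates |
            Where-Object { $_.AssignedByGroup } |
            Select-Object -ExpandProperty AssignedByGroup -Unique)

        $removed = $false
        if ($Remove -and $direct.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Remove directly assigned licenses')) {
            Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $direct -ErrorAction Stop
            $removed = $true
        }

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            DirectSkuIds      = $direct -join ';'
            LicensingGroupIds = $viaGroup -join ';'
            Removed           = $removed
        }
    }
}

# Report only; review the CSV, then rerun with -Remove (add -WhatIf for a dry run)
Invoke-OffboardingLicenseCleanup | Export-Csv -Path .\disabled-licensed-users.csv -NoTypeInformation
```

Rows with a non-empty LicensingGroupIds column point to group memberships that still need to be cleaned up for the license to be released.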
📌 Conclusion
Managing licenses manually in Microsoft Entra ID can be time-consuming and error-prone. By automating license assignments using PowerShell and Group-Based Licensing, organizations can improve efficiency, reduce costs, and enhance compliance.
🚀 Next Steps:
🔹 Set up Power Automate workflows for further automation
🔹 Use Microsoft Graph API for advanced license management
🔹 Monitor and optimize license costs using PowerShell reports
How do you manage license assignments in your organization? Let’s discuss best practices! 💬