Updated 1 week ago

Find & Export Microsoft 365 User License Assignment Paths Using PowerShell

by AIMA

5 min read

No Comments

As an admin, you can assign licenses to Microsoft 365 users using various methods. They can be either directly assigned to individual users or inherited through group memberships. When a license is assigned to a user directly, it means that a specific user has been explicitly granted access to the features and services included in that license. On the other hand, when a license is assigned to a group, any user who is a member of that group inherits the license.

Understanding how Microsoft 365 licenses are assigned to users—whether directly assigned or inherited from groups—is necessary for effective license management. This is because situations may arise where a user receives the same product license both individually and through a group. In such cases, only one license is consumed by the user. However, ensuring that users receive the appropriate access privileges without complications arising from multiple overlapping licenses is necessary.

Let’s explore the methods available to check if a particular product license is assigned from a group or assigned directly.

How to Check if a User License is Assigned Directly or Inherited from a Group?

The following are the available methods to check user license assignment types in Microsoft 365.

Microsoft Entra Admin Center: Sign in to the Microsoft Entra admin center and navigate to Identity -> Billing -> Licenses -> All Products. Next, choose the name of the product license. Here, you can review the values listed under ‘Assignment Paths’ column to distinguish licenses assigned either directly or through group-based licensing. It’s important to note that the results are grouped by subscription. To get a complete picture of all licenses assigned to a specific user, you’ll need to navigate through each individual subscription and search for the user’s name. This can be difficult if you have a larger organization.

Graph PowerShell: You can use the ‘LicenseAssignmentStates’ property in the ‘Get-MgBetaUser’ cmdlet to retrieve user license assignment path details. However, it requires checking multiple conditions and looping through all users to generate the desired result. It will take more effort and be time-consuming.

To simplify the responsibilities of Microsoft 365 admins, we’ve developed a PowerShell script. This script efficiently determines whether a user’s license is directly assigned or inherited from a group. It provides comprehensive insights into the license assignment process, aiding administrators in managing licenses effectively.


Script Highlights
:

  1. The script uses MS Graph PowerShell and installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.
  2. The script can be executed with MFA enabled account too.
  3. Exports directly assigned licenses alone.
  4. Exports group-based license assignments alone.
  5. Helps to identify users with license assignment errors.
  6. Converts SKU name into user-friendly name
  7. Produces a list of disabled service plans for the assigned license.
  8. Exports report results as a CSV file.
  9. The script is scheduler friendly.
  10. It can be executed with certificate-based authentication (CBA) too.

M365 User License Assignment Path Report – Sample Output

The script exports all direct-assigned licenses and group-based licensing assignments of Office 365 users with the following attributes.

  • Display Name
  • UPN
  • License Assignment Path
  • SKU Name
  • SKU Friendly Name
  • Disabled Plans
  • Assigned via (group name)
  • State
  • Error
  • Last Sign-in Time
  • Inactive Days
  • Account Status
  • Department
  • Job Title

The exported report on user license assignment type looks like the screenshot below.

Microsoft 365 User License Assignment Paths

Microsoft 365 Direct VS Inherited License Assignment Report – Script Execution Steps:

  1. Download the script.
  2. Start the Windows PowerShell.
  3. Select any of the methods provided to execute the script.

Method 1: You can run the script with MFA and non-MFA accounts.

This example enables you to export all the licensed users and their license assignment path into a CSV file.

Method 2: You also have the option to run the script using certificate-based authentication, which is scheduler-friendly. When you want to run the script unattended, you can choose this method.
To use certificates, you must register the app in Microsoft Entra and connect to MS Graph using certificate.

Note – Depending on your requirements, you can create a self-signed certificate. Before employing certificate-based authentication, it is crucial to register an application in Azure AD.

Discover What the Script Can Really Do!

The script comes equipped with preset filtering options tailored to your specific requirements. Below, you’ll find various scenarios where it can be effectively employed:

  1. Get all Microsoft 365 users with direct license assignments
  2. Get all M365 users with group-based license assignments
  3. Find a list of licenses assigned to disabled users
  4. Get all users with license assignment errors

1. Get All Microsoft 365 Users with Direct License Assignments

In many organizations, group-based licensing is preferred. However, there are instances where administrators must identify users with direct license assignments and subsequently remove them. In such cases, admins can run the script with theShowDirectlyAssignedLicenses switch to generate a report specifically highlighting directly assigned licenses, bypassing group-assigned licenses.

The exported report contains a list of all Microsoft 365 users with directly assigned licenses.

2. Get All Microsoft 365 Users with Group-Based License Assignments

Group-based license assignments provide consistency across users with similar roles or permissions. Tracking ensures that users within the same group consistently receive access to required resources, preventing oversights in license allocations.

Run the script with –ShowGrpBasedLicenses switch to identify licenses assigned through groups.

The report lists all Microsoft 365 users with licenses inherited from a group.

Note: Inherited license assignments cannot be removed from the user directly. You need to remove them from the group first.

3. Find a List of Licenses Assigned to Disabled Users

It’s essential to reclaim licenses from disabled users to optimize license utilization and cost-effectiveness. Run the script with DisabledUsersOnly switch to create a list of licenses assigned to disabled users, potentially highlighting inactive accounts with allocated licenses.

The resulting report will display licenses assigned to users whose accounts are disabled.

4. Get All Users with License Assignment Errors

In case of any issues with license assignments, such as mismatched licenses or violations, you can troubleshoot them efficiently by running the script with the FindUsersWithLicenseAssignmentErrors switch. This identifies issues with license assignments, aiding in troubleshooting potential licensing inconsistencies.

The exported report contains a list of all users with errors in their license assignment.

We hope that this blog has provided you with the necessary information needed to report M365 user license assignment path using PowerShell, thereby simplifying the Microsoft 365 license management. Thanks for reading. If you have any further queries, feel free to reach out to us through the comment section.

Share article