Managing Microsoft 365 licenses is a common challenge for admins. To simplify this process, Microsoft introduced group-based licensing. This feature automates the distribution of licenses by allowing admins to assign one or more product licenses to a group. The licenses are then automatically assigned to all members of the respective licensed groups in Microsoft 365.
However, simply assigning licenses to users isn’t enough; efficient management is also crucial. Since licenses can grant access to sensitive features or data, it’s important to monitor group-based assignments to ensure that only authorized groups and their members have access. This helps prevent accidental data breaches or unauthorized actions. Regular review of cost spent on users’ licenses also help optimize license usage.
For example, you might find users who haven’t logged in for a long time and can have their licenses removed from the group. To do this, you just need to remove the user from the group, and Entra ID will automatically remove the licenses from the account.
Now, let’s explore the methods available to check users and their group-based license assignment.
How to Report on Microsoft Licenses Assigned via Groups?
The following are the methods available to check the list of users whose licenses are assigned through group-based licensing.
Microsoft Entra Admin Center: Sign in to the Microsoft Entra admin center and navigate to Identity -> Billing -> Licenses -> All Products. Select the product license name & review the ‘Assignment Paths’ column to find licenses assigned via group-based licensing. Results are grouped by subscription. To see all licenses assigned to users via groups, you’ll need to check each subscription separately and search for the group name. This can be a complex process.
Graph PowerShell: You can use the ‘AssignedLicenses’ property in the ‘Get-MgGroup’ cmdlet to find all groups with license assignments. However, there is no direct cmdlet available to retrieve all users with group-based license assignments.
To make it easier for Microsoft 365 admins, we’ve created a PowerShell script that quickly lists users and their licenses assigned via groups.
Download Script: M365GroupBasedLicenseReport
Script Highlights
- Exports group-based license assignments.
- Exports licenses assigned to disabled users alone.
- Helps to identify users with license assignment errors.
- Converts SKU name into user-friendly name.
- Produces a list of disabled service plans for the assigned license.
- The script uses MS Graph PowerShell and installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.
- The script can be executed with MFA enabled account too.
- Exports report results as a CSV file.
- The script is scheduler friendly.
- It can be executed with certificate-based authentication (CBA) too.
Group-Based License Assignment Report – Sample Output
The script exports all group-based licensing assignments of Office 365 users with the following attributes.
- Display Name
- UPN
- Assigned via (group name)
- SKU Name
- SKU Friendly Name
- Disabled Plans
- State
- Error
- Last Sign-in Time
- Inactive Days
- Account Status
- Department
- Job title
The exported report on Azure AD group-based license assignment looks like the screenshot below.
Microsoft 365 Group-Based License Report – Script Execution Steps
- Download the script.
- Start the Windows PowerShell.
- Select any of the methods provided to execute the script.
Method 1: You can run the script with MFA and non-MFA accounts.
1 |
./M365GroupBasedLicenseReport.ps1 |
This example extracts the group-based licensing assignment of users into a CSV file.
Note: To determine if a user’s license is assigned directly or inherited through a group, use the PS script to find license assignment paths. In cases of overlapping direct and group-based licenses, remove the direct licenses to avoid duplication.
Method 2: You also have the option to run the script using certificate-based authentication, which is scheduler-friendly. When you want to run the script unattended, you can choose this method.
To use certificates, you must register the app in Microsoft Entra and connect to MS Graph using certificate.
1 |
./M365GroupBasedLicenseReport.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <CertThumbprint> |
Note – Depending on your requirements, you can create a self-signed certificate.
Explore the Script’s Full Capabilities
The script includes preset filtering options designed to meet your specific needs. Here are some scenarios where it can be effectively used:
1. Get All Users with License Assignment Errors
If you encounter issues with group-based license assignments due to insufficient licenses, mismatched licenses or violations, you can effectively troubleshoot them by executing the script using the –FindUsersWithLicenseAssignmentErrors switch.
1 |
./M365GroupBasedLicenseReport.ps1 -FindUsersWithLicenseAssignmentErrors |
With the delicensing resiliency feature, admins can also prevent unintended consequences, such as accidental mailbox deletions, when resolving licensing issues.
2. Find a List of Licenses Assigned to Disabled Users
Ensuring optimal license utilization and cost-effectiveness involves reclaiming licenses from users who are no longer active or utilizing them. You can execute the script with the –DisabledUsersOnly switch to generate a list of licenses assigned to disabled users, which may help identify inactive accounts with allocated licenses.
1 |
./M365GroupBasedLicenseReport.ps1 -DisabledUsersOnly |
The resulting report will display licenses assigned to users whose accounts are disabled.
Free AdminDroid Reports to Simplify Your M365 License Management
Tired of wrestling with complex PowerShell scripts just to understand your Microsoft 365 license usage? There’s a better way! Introducing AdminDroid, your one-stop shop for free M365 license reporting. No more cryptic commands or endless maintenance. Just valuable insights at your fingertips. License reports in AdminDroid are categorized based on,
Users and licenses
- Licensed users
- Unlicensed users
- Regainable licenses
- Users with specific subscription
- Users with free & trial subscription
Audit license changes
- Audit license assignment
- Audit license removal
License expiry
- Purchased subscription expiring users
- Purchased subscription expired users
- Trial-expiring & expired users
- Users with suspended subscription
Subscription reports
- Subscription usage report
- Expired subscription
- Unused subscription
- Purchased subscription
- Trial subscription
AdminDroid offers a free Azure AD reporting tool that delivers comprehensive insights into Microsoft 365 user data. This tool provides detailed reports on user activities, passwords, group actions, licenses, and subscriptions. It empowers administrators to gain complete visibility and track changes across Microsoft 365 accounts and groups with a suite of over 190 reports within Azure AD management.
With 1800+ pre-built reports and 30+ dashboards covering all Microsoft 365 services, AdminDroid is your shortcut to streamlined, efficient reporting.
Don’t settle for complexity. Embrace simplicity with AdminDroid. Download now and transform your Microsoft 365 management experience!
We hope that this blog has provided you with the necessary information needed to report M365 group-based licensing using PowerShell. Additionally, generating a user license report will help you manage and track all licensing needs in your organization. Thanks for reading. If you have any further queries, feel free to reach out to us through the comment section.