Remove all Office 365 licenses for a group of users from CSV file via the Azure AD PowerShell module

Seems like licensing questions never end, so as a follow-up to my previous post on how to remove any and all licenses assigned to a group of users via the good old MSOnline PowerShell module, in this article we will cover how to do the same via the Azure AD cmdlets. Actually, I did already cover all the building blocks in my previous articles, but I suppose a full sample makes things that much easier for some folks.

So, as with the previous example, the code starts with importing the list of users from a CSV file. Make sure to use a proper identifier, such as UserPrincipalName or ObjectId. You can use other identifiers as needed, but in that case make sure to adjust the code below.

Once we have a list of users, we iterate over each user, fetch the list of currently assigned licenses and run the Set-AzureADUserLicense cmdlet to adjust the currently assigned SKUs. Unlike the MSOnline cmdlets though, using the Azure AD counterparts doesn’t reveal any information as to whether the license was assigned via the group-based licensing feature, so we cannot handle this scenario. Instead, we’re telling Azure AD to remove any and all licenses, which will result in an error message whenever a group-assigned license is encountered. I’ve added some basic error handling to address this, but if you want to expand on that, you’d add a check as to which license is assigned by group and remove it from the list of SKUs to be processed.

Here’s the script itself, have fun:

# Requires the AzureAD module and an existing Connect-AzureAD session
$users = Import-Csv .\Users-to-disable.csv

foreach ($user in $users) {
    Write-Verbose "Processing licenses for user $($user.UserPrincipalName)"
    # Resolve the CSV entry to a directory object; entries that cannot be found are skipped silently
    try { $user = Get-AzureADUser -ObjectId $user.UserPrincipalName -ErrorAction Stop }
    catch { continue }

    $SKUs = @($user.AssignedLicenses)
    if (!$SKUs) { Write-Verbose "No Licenses found for user $($user.UserPrincipalName), skipping..." ; continue }

    # Collect every assigned SkuId into a single removal request
    $userLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    foreach ($SKU in $SKUs) {
        $userLicenses.RemoveLicenses += $SKU.SkuId
    }

    Write-Verbose "Removing license(s) $($userLicenses.RemoveLicenses -join ",") from user $($user.UserPrincipalName)"
    try {
        Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $userLicenses -ErrorAction Stop
    }
    catch {
        # Group-assigned licenses cannot be removed from the user object directly
        if ($_.Exception.ErrorContent.Message.Value -eq "User license is inherited from a group membership and it cannot be removed directly from the user.") {
            Write-Verbose "At least one of the user's licenses is assigned via group-based licensing feature, use the Azure AD blade to remove it"
            continue
        }
        else {$_ | fl * -Force; continue} #catch-all for any unhandled errors
    }
}
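One way to expand the error handling mentioned above, as an added example that is not part of the original script: remove one SKU per request so directly assigned licenses still come off, and report the group-inherited ones per user. The function name `Remove-DirectlyAssignedLicense` and the shape of the result object are made up for this example, and it assumes that a request listing several SKUs is rejected as a whole when one of them is group-inherited.

```powershell
# Added example (hypothetical function name). Requires the AzureAD module and Connect-AzureAD.
function Remove-DirectlyAssignedLicense {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $User   # object returned by Get-AzureADUser
    )

    # Error text the service returns for group-inherited licenses (taken from the script above)
    $groupMsg = "User license is inherited from a group membership and it cannot be removed directly from the user."
    $result = [pscustomobject]@{
        UserPrincipalName = $User.UserPrincipalName
        Removed           = @()
        GroupInherited    = @()
        Failed            = @()
    }

    foreach ($sku in @($User.AssignedLicenses)) {
        $skuId = $sku.SkuId
        # One SKU per request, so a group-inherited SKU cannot block the others
        $lic = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
        $lic.RemoveLicenses = $skuId

        # Honors -WhatIf / -Confirm before making a destructive change
        if (-not $PSCmdlet.ShouldProcess($User.UserPrincipalName, "Remove license $skuId")) { continue }
        try {
            Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $lic -ErrorAction Stop
            $result.Removed += $skuId
        }
        catch {
            if ($_.Exception.ErrorContent.Message.Value -eq $groupMsg) { $result.GroupInherited += $skuId }
            else { $result.Failed += "$skuId : $($_.Exception.Message)" }
        }
    }
    $result   # one summary object per user
}

# Usage: process the same CSV and keep one report row per user
$report = foreach ($row in Import-Csv .\Users-to-disable.csv) {
    try { $u = Get-AzureADUser -ObjectId $row.UserPrincipalName -ErrorAction Stop }
    catch { Write-Warning "User $($row.UserPrincipalName) not found, skipping"; continue }
    Remove-DirectlyAssignedLicense -User $u
}
$report | Format-Table UserPrincipalName, Removed, GroupInherited, Failed -Wrap
```

Calling the function with `-WhatIf` lists the removals it would attempt without changing any license assignments.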

 
