Seems like licensing questions never end, so as a follow up to my previous post on how to remove any and all licenses assigned to a group of users via the good old MSOnline PowerShell module, in this article we will cover how to do the same via Azure AD cmdlet. Actually, I did already cover all the building block in my previous articles, but I suppose a full sample makes things that much easier for some folks.
So, as with the previous example, the code starts with importing the list of users from a CSV file. Make sure to use a proper identifier, such as UserPrincipalName or ObjectId. You can use other identifiers as needed, but in that case make sure to adjust the code below.
Once we have a list of users, we iterate over each user, fetch the list of currently assigned licenses and run the Set-AzureADUserLicense cmdlet to adjust the currently assigned SKUs. Unlike the MSOnline cmdlets though, using the Azure AD counterparts doesn’t reveal any information as to whether the license was assigned via the group-based licensing feature, so we cannot handle this scenario. Instead, we’re telling Azure AD to remove any and all licenses, which will result in an error message whenever a group-assigned license is encountered. I’ve added some basic error handling to address this, but if you want to expand on that, you’d add a check as to which license is assigned by group and remove it from the list of SKUs to be processed.
Here’s the script itself, have fun:
$users = Import-Csv .\Users-to-disable.csv foreach ($user in $users) { Write-Verbose "Processing licenses for user $($user.UserPrincipalName)" try { $user = Get-AzureADUser -ObjectId $user.UserPrincipalName -ErrorAction Stop } catch { continue } $SKUs = @($user.AssignedLicenses) if (!$SKUs) { Write-Verbose "No Licenses found for user $($user.UserPrincipalName), skipping..." ; continue } $userLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses foreach ($SKU in $SKUs) { $userLicenses.RemoveLicenses += $SKU.SkuId } Write-Verbose "Removing license(s) $($userLicenses.RemoveLicenses -join ",") from user $($user.UserPrincipalName)" try { Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $userLicenses -ErrorAction Stop } catch { if ($_.Exception.ErrorContent.Message.Value -eq "User license is inherited from a group membership and it cannot be removed directly from the user.") { Write-Verbose "At least one of the user's licenses is assigned via group-based licensing feature, use the Azure AD blade to remove it" continue } else {$_ | fl * -Force; continue} #catch-all for any unhandled errors } }
P.S. an updated version of the article that uses the Graph methods can be found here.
Thanks very much for your script, it works fine 🙂
Much appreciated 🙂
Hi Vasil, I am having issues getting this to work
I have amended first line to $users = Import-Csv c:\temp\licenceremoval.csv
It appears to run, but the licence hasnt been removed I have the csv with userprincipalname in temp as well
I am not getting any errors but the licence hasnt been removed , any ideas?