Office 365 Assigns Licenses to Groups Automatically

I want to automate as much as possible, and one of those recurring procedures in Microsoft 365 is licence assignment. The creation of users can be automated. PowerShell can even be used to assign an Office 365 licence. However, the majority of the time, it is still a manual procedure that is prone to errors.

The issue, which is especially prevalent in medium and large enterprises, is that users are created in the on-premises Active Directory. Only after new users have been synced to Azure AD (which we can force) can a licence be assigned.

But what if you don't have any licences left? You'll first need to raise the number of licences, or perhaps order additional licences through your MSP or finance department. That will take some time.

Once the new licences have been added, you'll need to log back into the Admin Center to assign them (which happens to be the part that I sometimes forget).

What is the solution? In Office 365, you can assign licences to a group.

Starting at the beginning

To begin using Office 365 group-based licensing, we must first create the groups to which the licence can be assigned. The (security) group can be created in either your local AD or Azure Active Directory. It's also possible to use pre-existing groups, such as department groups, if you have them.

To use Azure AD, you must first log in to the Azure AD Admin Center.

  1. On the left, select Azure Active Directory.
  2. Select Groups.
  3. Select New Group.
  4. Select Security as the Group type.
  5. Give the group a name, for example O365 E3.
  6. Click Create.

Adding users to the Group

I already had Office 365 E3 licences directly assigned to the users, so I created a small PowerShell script that gathers all users with an E3 licence and adds them to the new security group.

For PowerShell, you'll need to have the Microsoft Online Service module installed. We'll start by obtaining the AccountSkuId for the licence we want to assign.

    # Connect to Microsoft Online Service
    Connect-MsolService

    # Get all AccountSkuIds
    Get-MsolAccountSku


The AccountSkuId is built from your tenant's name and the product's ID, for example lazydev:ENTERPRISEPACK. ENTERPRISEPACK is Office 365 E3, while ENTERPRISEPREMIUM is Office 365 E5.

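The next step is to gather all E3 licence holders and add them to our newly formed group. Use the script below if you're using an on-premises Active Directory:

    # Requires the ActiveDirectory module and an existing Connect-MsolService session
    Import-Module ActiveDirectory

    # Get all enabled users with the Office 365 E3 licence (-All lifts the default 500-result limit)
    $msolUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Where-Object { $_.Licenses.AccountSkuId -contains 'lazydev:enterprisepack' }

    ForEach ($user in $msolUsers) {
      $upn = $user.UserPrincipalName
      try {
        # Build the filter as a string: Get-ADUser cannot evaluate $user.UserPrincipalName
        # inside a script-block filter. Single quotes in the UPN are doubled to escape them.
        $ADUser = Get-ADUser -Filter "UserPrincipalName -eq '$($upn.Replace("'", "''"))'" -ErrorAction Stop

        # Change O365_E3 to the name of your group
        Add-ADGroupMember -Identity O365_E3 -Members $ADUser -ErrorAction Stop

        [PSCustomObject]@{
          UserPrincipalName = $upn
          Migrated          = $true
        }
      }
      catch {
        # No matching AD account, or the group update failed
        [PSCustomObject]@{
          UserPrincipalName = $upn
          Migrated          = $false
        }
      }
    }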

You can use the following script if you're only using Azure Active Directory:

    # Get all enabled users with the Office 365 E3 license (-All lifts the default 500-result limit)
    $msolUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Where-Object { $_.Licenses.AccountSkuId -contains 'lazydev:enterprisepack' } | Select-Object DisplayName,UserPrincipalName,ObjectId

    # Get the Group Id of your new Group. Change searchString to your new group name
    $groupId = Get-MsolGroup -SearchString O365_E3 | Select-Object ObjectId

    ForEach ($user in $msolUsers) {
      try {
        # Try to add the user to the new group
        Add-MsolGroupMember -GroupObjectId $groupId.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId -ErrorAction Stop

        [PSCustomObject]@{
          UserPrincipalName = $user.UserPrincipalName
          Migrated          = $true
        }
      }
      catch {
        # The user could not be added (for example, already a member)
        [PSCustomObject]@{
          UserPrincipalName = $user.UserPrincipalName
          Migrated          = $false
        }
      }
    }

Licensing for Office 365 Groups

Now that the new group has been created and the users have been copied (or manually added), we can begin assigning the Office 365 license to the group.

  1. Log in to the Azure Active Directory Admin Center at http://portal.azure.com
  2. Open Groups: on the left side of the screen, click Azure Active Directory and then select Groups.
  3. Open Licenses in your new group: locate the newly created group and pick Licenses from the left-hand menu.
  4. Assign a new licence: click Assignments.
  5. Choose the licence that you want to give to the group. If you like, you can change the licence services; if you don't want to use Yammer or Sway, for example, turn them off. When you're finished, click Save and close the licence screen.
  6. The licences are assigned. It may take a few minutes for all of the users to be processed. After a couple of minutes, reload the screen to see if the licence changes have taken effect.


Direct vs. Inherited licences

Users can hold both directly assigned and inherited licences. Directly assigned licences are the ones you have manually assigned to the users. Inherited licences are those that users receive as a result of their group membership.

You'll need to remove the directly allocated licence if you've already manually assigned licences to the users. Not because they now have two licences, but because they will retain the directly issued licence if you remove them from the group later.

  1. In Azure AD Admin Center, go to Azure Active Directory.
  2. Select Licenses, then All Products.
  3. Open the licence that you've just assigned to the group.


A list of all licensed users will now appear. The Assignment Paths column shows how each user obtained the licence: Direct or Inherited. Next to Inherited, you can also see which group the user inherited the licence from.


To remove the direct licence, select the users who have both direct and inherited licences and click Remove License.

As long as the licence and services remain the same, the users will not notice the removal. Otherwise, try it out on a small group of people first.
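
The same Direct/Inherited check can be scripted from the `Licenses` collection that `Get-MsolUser` returns, so that only users who hold the licence both ways are selected for removal of the direct copy. This is an added example, not code from the original article; the sample users and IDs are constructed, the helper names `Get-LicenceAssignmentPath` and `New-SampleUser` are hypothetical, and the actual removal call is left commented out.

```powershell
# Added example: classify how each user holds a licence (Direct, Inherited, Both).
function Get-LicenceAssignmentPath {   # hypothetical helper name
    param([Parameter(Mandatory)] $User, [Parameter(Mandatory)] [string] $SkuId)
    $licence = $User.Licenses | Where-Object { $_.AccountSkuId -ieq $SkuId } | Select-Object -First 1
    if (-not $licence) { return 'None' }

    # GroupsAssigningLicense lists the object IDs of every assignment source.
    # An empty list, or the user's own ObjectId in it, means a direct assignment.
    $sources   = @($licence.GroupsAssigningLicense | Where-Object { $_ })
    $direct    = ($sources.Count -eq 0) -or ($sources -contains $User.ObjectId)
    $inherited = @($sources | Where-Object { $_ -ne $User.ObjectId }).Count -gt 0
    if ($direct -and $inherited) { return 'Both' }
    if ($inherited)              { return 'Inherited' }
    return 'Direct'
}

# Constructed sample data in the shape Get-MsolUser returns (no tenant needed).
$sku   = 'lazydev:ENTERPRISEPACK'
$group = [guid]'11111111-1111-1111-1111-111111111111'   # constructed group ObjectId
function New-SampleUser($Upn, $Id, $Sources) {           # hypothetical helper name
    [PSCustomObject]@{
        UserPrincipalName = $Upn
        ObjectId          = [guid]$Id
        Licenses          = @([PSCustomObject]@{ AccountSkuId = $sku; GroupsAssigningLicense = $Sources })
    }
}
$idA, $idB, $idC = 1..3 | ForEach-Object { [guid]::NewGuid() }
$users = @(
    New-SampleUser 'direct@example.com'    $idA @()
    New-SampleUser 'inherited@example.com' $idB @($group)
    New-SampleUser 'both@example.com'      $idC @($idC, $group)
)

# Against a real tenant, replace the sample with: $users = Get-MsolUser -All
$report = foreach ($u in $users) {
    [PSCustomObject]@{
        UserPrincipalName = $u.UserPrincipalName
        AssignmentPath    = Get-LicenceAssignmentPath -User $u -SkuId $sku
    }
}
$report | Format-Table -AutoSize

# Only users who hold the licence both ways can lose the direct copy without losing service.
$report | Where-Object AssignmentPath -eq 'Both' | ForEach-Object {
    # Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses $sku
    "Would remove direct $sku from $($_.UserPrincipalName)"
}
```

Users reported as Direct are not yet covered by the group, so removing their licence would cut off service; add them to the group first and re-run the report.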

Final Thoughts

Users can be members of several groups, so you could create a base group for Office 365 E3 and a separate group for PowerBI Pro. When it comes to allocating licences to users in Microsoft 365, using multiple groups, each for a single licence, gives you greater flexibility.

It's simple to set up Office 365 Group Based Licensing, and it eliminates a step in the process of creating and managing users.

Please leave a comment below if you have any questions.