Managing User Licenses with PowerShell
Start course

Microsoft 365 offers Enterprise Mobility & Security (EMS), Windows 10, and Office 365 to enhance business productivity and security. Because Microsoft 365 offers a variety of services and features, not everything is in the same place. Therefore, we need to navigate within different portals, and familiarity with “what is where” gets really important over time.

In this course, we will have a look at some of the most common tasks to be performed by Microsoft 365 administrators related to Azure AD identities, how to secure your environment by assigning the correct permissions to your users, and how to reduce administrative overhead. We’ll do various tasks in different ways by using the Microsoft 365 Admin Center, the Azure portal, and even use Windows PowerShell for automating bulk actions.

Choosing the right type of identity for your current infrastructure is the first step for any successful Microsoft 365 deployment.

Learning Objectives

  • Plan Azure AD Identities
  • Manage Users and Groups
  • Manage User Access with Access Reviews
  • Manage Passwords and Password Policies
  • Implement Self-Service Password Reset (SSPR)
  • Manage Product Licenses

Intended Audience

  • People preparing for Microsoft’s MS-100 exam
  • Microsoft 365 Administrators


  • Experience with Microsoft 365
  • Experience with the Azure portal
  • Experience with PowerShell

Managing users' licenses with PowerShell is very common when you're an administrator for your tenant. A lot of companies have multiple users, so assigning licenses for more than 100 users, for instance, for the Microsoft 365 admin center, or the Azure portal, is just not an option. In this demonstration, we're gonna look at four different scenarios that are the most common when managing user licenses. 

The first step would be to connect to the Microsoft AzureAD module and provide your credentials. Then, we use the Get-AzureADSubscribedSku, and select a few properties, so we can get some information about our subscriptions. Currently, I have two subscriptions in my tenant. I have an EMSPREMIUM, and an ENTERPRISEPREMIUM, and those are the names for the E5 licenses. Also note the SkuID, which is a GUID, and is important because we are going to use it later. 

Now let's go into our first scenario. The first scenario that you may encounter is assigning the full subscription to your users. And for that, you're most likely to use a CSV file. Let's have a look at the CSV file. Here I have the UPN of the user, and also the UsageLocation, so it's a very basic CSV file. 

Let's go back to the script. We first import our users, by using the Import-Csv and providing the path. Next, what I have on the script here is not necessary to assign the licenses, but I wanna show you the state of the users, before we start assigning licenses. 

So, as we've seen, I have two users in this CSV file, and if we look at the CapabilityStatus column, we can see that everything is marked as Deleted, which you can translate by disabled. And that's the same for the second user. 

Now we are going to assign the licenses. We are going to use a foreach loop, and for each user that we have in our CSV file, which is stored in the allUsers1 variable, we are going to make sure that we set the UsageLocation. Most likely, when you assign the license to a user, this user has never been licensed before, and therefore the UsageLocation might not be set correctly. And this is very important for licensing. If you do not set the UsageLocation, then you will get an error when you license users. 

Then we create two new objects, where we are gonna store the licenses that we want to assign, we grab the SkuID that we've seen earlier, which is the GUID for your subscription, and so, in this case, we are going to assign the ENTERPRISEPREMIUM subscription, then we use the AddLicenses property for the new object, which will be equal to the userLicense variable. And finally, we use the Set-AzureADUserLicense, we provide the UserPrincipalName, with the ObjectId parameter, and we assign the licenses using the AssignedLicenses parameter. 

Now that this has been done, let's verify that our users have been licensed correctly. And for this, we use the Get-AzureADUser, provide the UserPrincipalName, and then we use the ExpandProperty parameter to see all the plans. At the end of the cmdlet, I'm using the Format-Table, so it's better formatted on the console. 

So let's have a look at our first user, and indeed, we can see that the CapabilityStatus is now set to Enabled. And same for the second user. 

Now let's go into scenario number two. Here, we are going to assign only specific plans, meaning that we are not gonna assign the full subscription. Let's have a look at our second set of users. And again, very simple CSV file, two different users, and the UsageLocation. 

Let's go back to the script. We import our users with the Import-Csv cmdlet, and then again we are gonna check the status of those users. Like the first set of users that we had, everything is set to Deleted, which means disabled. 

The first line is the same as scenario number one, where we need to make sure that the UsageLocation is set, so we use the Set-AzureADUser with the UsageLocation from the CSV file, and next we need to choose the plans that we want to assign to the users. So we create the variable, here it's called plansToEnable, and we provide the names for the plans. So here, I'm providing the friendly names, but you can also provide the GUID if you prefer. 

So we want to enable Exchange, SharePoint, and Microsoft Teams, and that means that everything else in the subscription needs to be disabled. We use the Get-AzureADSubscribedSku, with the GUID that we've seen earlier as well, and for the variable that's called plansToDisable, we are gonna look for the ServicePlans that we have in the subscription, and for each object that is passed through the pipeline, we are gonna look for the ServicePlanName that is not in the plansToEnable. So, in other words, look at the subscription, and everything that is not Exchange, SharePoint, or Microsoft Teams, we need to disable.

Then we create, again, our two new objects, grab the License.SkuID, use the DisabledPlans property for this new object, which is stored in the License variable, and like we did previously, we use the AddLicenses property which is equal to the licenseObject. 

The last command is the same as we used previously, the Set-AzureADUserLicense, provide the UserPrincipalName, and the AssignedLicenses parameter. 

Once done, let's have a look at the licensing. And we can see that for both users, the first three plans on the list, which are Exchange, Microsoft Teams, and SharePoint, are enabled, and the rest is still disabled. 

Now that we've seen how to assign licenses, it's time to see how we can remove those licenses. The first step, as always, is to import our users with the Import-Csv, and then we use the foreach loop again. We create our two objects, grab the SkuID for the subscription, and use the AddLicenses property, which, again, is equal to the licenseObject. 

Now before we can remove the entire subscription, we need to add all the plans into an array, and provide the SkuID property to this licenseObject variable, and note that this time, the property that we use here is called RemoveLicenses. 

And finally, we can use the Set-AzureADUserLicense, provide the UPN, and even though the parameter is called AssignedLicenses, it will remove the entire subscription. Let's make sure that everything is marked as Deleted, and, indeed, everything has been removed. 

In our last scenario, we are going to look at removing specific plans. So this script is the exact same as assigning specific plans for users, but the only difference is that in my plansToEnable, I only have SWAY, because that's the plan I want to assign to those users now. And so, by doing this, it will override what the users currently have. Let's have a look, if that worked as expected. And, indeed, we can see that now, only Sway is enabled.

About the Author

Veronique is a SharePoint and Office 365 consultant for an IT company based in Glasgow, UK. She loves photography, the outdoors, and long walks with her two dogs! You can follow Veronique on Twitter @veronicageek or read her blog at