
Office 365 Automatically Assign License to Group

I like to automate as much as possible, and one of those repeating tasks is license assignment in Microsoft 365. You can automate the creation of users. It’s even possible to assign an Office 365 license with PowerShell. But most of the time it’s still a manual process, one that is prone to mistakes.

The problem, especially with medium or larger organizations, is that you create the users in the on-premise Active Directory. New users need to be synced to Azure AD (which we can force), after which we can assign a license.

But what if you are out of licenses? You will first need to increase the number of licenses or even order extra through your MSP or finance department. That takes time.

And when the new licenses are added, you will need to log back into the Admin Center to assign the license (which happens to be the part that I forget sometimes).

The solution? Assign licenses to a group in Office 365.

Getting started

To get started with Office 365 group based licensing, we first need to create groups to which we can assign the license. You can create the (security) group in your local AD or in Azure Active Directory. It’s also possible to use existing groups, like department groups that you may already have.

For Azure AD you will need to log in to the Azure AD Admin Center.

  1. Select Azure Active Directory on the left side
  2. Choose Groups
  3. Click New group
  4. Set the Group type to Security
  5. Give the Group a name, for example, O365_E3
  6. Click on Create

Adding users to the Group

I already had Office 365 E3 licenses directly assigned to the users. So what I have done is used a small PowerShell script to get all the users with an E3 license and added them to the new security group.

You will need to have the Microsoft Online Service module installed for PowerShell. We are first going to get the AccountSkuId for the license that we want to assign.

# Connect to Microsoft Online Service
Connect-MsolService

# Get all AccountSkuIds
Get-MsolAccountSku

The AccountSkuId is built up from your tenant name and the ID of the product. For Office 365 E3 it’s ENTERPRISEPACK and for E5 it’s ENTERPRISEPREMIUM.

Next step is to get all users with the E3 license and add them to our new group. When you are using an on-premise Active Directory, then use the script below:

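# Requires the ActiveDirectory module and an active Connect-MsolService session
Import-Module ActiveDirectory

# Get all enabled users with the Office 365 E3 license (-All lifts the default 500 result limit)
$msolUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Where-Object {($_.licenses).AccountSkuId -eq 'lazydev:enterprisepack'}

ForEach ($user in $msolUsers) {
  try {
    # Get-ADUser -Filter does not reliably expand $user.UserPrincipalName,
    # so copy it to a plain variable (single quotes doubled for the filter)
    $upn = $user.UserPrincipalName.Replace("'", "''")
    $ADUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -ErrorAction Stop

    # No matching on-premise account: report it as not migrated
    if (-not $ADUser) { throw "No AD user found for $upn" }

    Add-ADGroupMember -Identity O365_E3 -Members $ADUser -ErrorAction Stop

    [PSCustomObject]@{
      UserPrincipalName = $user.UserPrincipalName
      Migrate           = $true
    }
  }
  catch {
    [PSCustomObject]@{
      UserPrincipalName = $user.UserPrincipalName
      Migrate           = $false
    }
  }
}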

If you are using only Azure Active Directory then you can use the following script:

# Get all users with the Office 365 E3 license
# (-All lifts the default 500 result limit)
$msolUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Where-Object {($_.licenses).AccountSkuId -eq 'lazydev:enterprisepack'} | Select-Object DisplayName,UserPrincipalName,ObjectId

# Get the Group Id of your new Group. Change searchString to your new group name
$groupId = Get-MsolGroup -SearchString O365_E3 | Select-Object ObjectId

ForEach ($user in $msolUsers) {
  try {
    # Try to add the user to the new group
    Add-MsolGroupMember -GroupObjectId $groupId.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId -ErrorAction Stop

    [PSCustomObject]@{
      UserPrincipalName = $user.UserPrincipalName
      Migrated          = $true
    }
  }
  catch {
    # Adding failed (for example, the user is already a member)
    [PSCustomObject]@{
      UserPrincipalName = $user.UserPrincipalName
      Migrated          = $false
    }
  }
}

Office 365 Group Based Licensing

With the new group created and the users copied (or manually added) to the new group, we can now start assigning the Office 365 license to the Group.

  1. Login to Azure AD Admin Center

    http://portal.azure.com

  2. Open Groups

    You can find it under Azure Active Directory on the left side and then Groups

  3. Open your new Group and select Licenses

    Find the new group that we have created and select licenses on the left side

  4. Select Assignments to assign a new license


  5. Select the license you want to assign to the Group

    You can change the license services if you want. For example, remove Yammer or Sway if you don’t want to use it.

    Click on Save and close the license screen when done.

  6. Licenses are assigned

    It can take a couple of minutes until all the users are processed. If you refresh the screen after a couple of minutes you will see that the license changes have been applied


Inherited vs Direct licenses

Users can have directly assigned licenses and inherited licenses. Directly assigned licenses are the ones that you have manually assigned to the users. Inherited licenses are the ones that the user gets based on group membership.

If you had already manually assigned licenses to the users, then you will need to remove the directly assigned license. Not because they now have two licenses, but because if you remove them from the group later, they will still have the directly assigned license.

  1. Open the Azure Active Directory in Azure AD Admin Center.
  2. Select Licenses
  3. All Products
  4. Open the license that you just have assigned to the group.

You will now see a list of all licensed users. In the column Assignment Paths, you will see how the user has gotten the license, Direct, or Inherited. Behind inherited you will also see from which group the user has inherited the license.


Select the users with the direct and inherited licenses and click Remove License to remove the direct license.

The users won’t notice anything from the removal as long as you keep the license and services the same. Otherwise test it first with a small group of users.
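
The Assignment Paths check above can also be scripted. The following is an added example, not the author's code: it classifies each user as Direct, Inherited or Both for one SKU, assuming the GroupsAssigningLicense property that the license entries returned by Get-MsolUser expose. The function name Get-LicenseAssignmentPath and the sample users are made up for illustration.

```powershell
# Added example: classify how each user receives one license SKU.
# Assumption: license entries expose GroupsAssigningLicense (a list of object
# IDs), as the objects returned by Get-MsolUser do.
function Get-LicenseAssignmentPath {
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [string] $SkuId
    )
    $license = $User.Licenses | Where-Object { $_.AccountSkuId -eq $SkuId } | Select-Object -First 1
    if (-not $license) { return 'None' }

    # Drop nulls so a missing or empty property counts as "no sources"
    $sources = @($license.GroupsAssigningLicense | Where-Object { $_ })
    # No sources, or the user's own ObjectId in the list, means a direct assignment
    $direct = ($sources.Count -eq 0) -or ($sources -contains $User.ObjectId)
    # Any other ObjectId is a group the license is inherited from
    $groups = @($sources | Where-Object { $_ -ne $User.ObjectId })

    if ($direct -and $groups.Count -gt 0) { 'Both' }
    elseif ($groups.Count -gt 0)          { 'Inherited' }
    else                                  { 'Direct' }
}

# Constructed sample data (not from a real tenant)
$sku     = 'lazydev:enterprisepack'
$group   = [guid]'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'   # stands in for O365_E3
$names   = 'direct', 'inherited', 'both'
$ids     = $names | ForEach-Object { [guid]::NewGuid() }
$sources = @(), @($group), @($ids[2], $group)

$users = 0..2 | ForEach-Object {
    [PSCustomObject]@{
        UserPrincipalName = "$($names[$_])@lazydev.example"
        ObjectId          = $ids[$_]
        Licenses          = @([PSCustomObject]@{
            AccountSkuId           = $sku
            GroupsAssigningLicense = $sources[$_]
        })
    }
}

# Live tenant instead of the sample: $users = Get-MsolUser -All
$users | Select-Object UserPrincipalName,
    @{ Name = 'AssignmentPath'; Expression = { Get-LicenseAssignmentPath -User $_ -SkuId $sku } }

# Only users reported as 'Both' keep the license after the direct one is removed, e.g.
# Set-MsolUserLicense -ObjectId $_.ObjectId -RemoveLicenses $sku
```

Users reported as Direct only would lose the license entirely if it were removed, so add them to the group first.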

Wrapping Up

You can assign users to multiple groups, so you could create a base group with Office 365 E3, for example, and a separate group with PowerBI Pro. Using multiple groups, each for one license, gives you more flexibility when it comes to assigning licenses to users in Microsoft 365.

Using Office 365 Group Based Licensing is easy to set up and takes away another manual step in creating and managing your users.

If you have any questions, just drop a comment below.


23 thoughts on “Office 365 Automatically Assign License to Group”

  1. Hello,
    Can we use PowerShell to configure Office 365 Group Based Licensing?
    I cannot find any option to assign a license to a dynamic group I created.

    New-AzureADMSGroup -DisplayName "Dynamic Group 01" -Description "Dynamic group created from PS" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.department -contains ""Marketing"")" -MembershipRuleProcessingState "On"

  2. Hi Rudy Mens, after running the script for on-premise Active Directory, all Users get the Migrate state “False”. Do you have any advice?

  3. Hi,

    In the Azure script there is a little error.
    The line:
    try {
    # Try to add the user to the new group
    Add-MsolGroupMember -GroupObjectId $groupId -GroupMemberType User -GroupMemberObjectId $user.ObjectId -ErrorAction stop

    Should be:
    try {
    # Try to add the user to the new group
    Add-MsolGroupMember -GroupObjectId $groupId.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId -ErrorAction stop

    Thx for the post!

  4. Hi,
    This works well, but how can we prevent users from becoming members of two groups? For example Microsoft Business Premium and Office E1?

    • You can first get all the existing users with one of the licenses and check if the user isn’t present in one of the two lists.

      With the code below you can get all users with a specific license
      # Get all users with the Office 365 E3 license
      $msolUsers = Get-MsolUser -EnabledFilter EnabledOnly | Where-Object {($_.licenses).AccountSkuId -eq 'lazydev:enterprisepack'} | Select DisplayName,UserPrincipalName,ObjectId

  5. Wondering if you have tried using PowerShell to assign a license to a group, or is it only done through the GUI?

  6. We have Office 365 E3 licenses. Do you happen to know if this will work for them? The documentation says “Office 365 Enterprise E3” which I think is technically different.

    • You can create different license groups in Azure. To assign the users to their groups you will need to use filters to select the correct users from the Active Directory.
