Office 365 Automatically Assign License to Group

I like to automate as much as possible, and one of those repeating tasks is license assignment in Microsoft 365. You can automate the creation of users. It’s even possible to assign an Office 365 license with PowerShell. But most of the time it’s still a manual process, one that is prone to mistakes.

The problem, especially with medium or larger organizations, is that you create the users in the on-premise Active Directory. New users need to be synced to Azure AD (which we can force), after which we can assign a license.

But what if you are out of licenses? You will first need to increase the number of licenses or even order extra through your MSP or finance department. That takes time.

And when the new licenses are added, you will need to log back into the Admin Center to assign the license (which happens to be the part that I forget sometimes...).

The solution? Assign licenses to a group in Office 365.

Getting started

To get started with Office 365 group-based licensing, we first need to create groups to which we can assign the license. You can create the (security) group in your local AD or in Azure Active Directory. It’s also possible to use existing groups, like department groups that you may already have.

For Azure AD you will need to log in to the Azure AD Admin Center.

  1. Select Azure Active Directory on the left side
  2. Choose Groups
  3. Click New group
  4. Set the Group type to Security
  5. Give the Group a name, for example, O365_E3
  6. Click on Create

Adding users to the Group

I already had Office 365 E3 licenses directly assigned to the users. So what I have done is used a small PowerShell script to get all the users with an E3 license and added them to the new security group.

You will need to have the Microsoft Online Service module installed for PowerShell. We are first going to get the AccountSkuId for the license that we want to assign.

# Connect to Microsoft Online Service
connect-MsolService

# Get all AccountSkuIds
Get-MsolAccountSku

The AccountSkuId is built up from your tenant name and an ID of the product. For Office 365 E3 it’s ENTERPRISEPACK and for E5 ENTERPRISEPREMIUM.

The next step is to get all users with the E3 license and add them to our new group. When you are using an on-premise Active Directory, then use the script below:

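# Requires the ActiveDirectory module and an existing Connect-MsolService session
Import-Module ActiveDirectory

# Get all enabled users with the Office 365 E3 license (-All lifts the default 500-result limit)
$msolUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Where-Object {($_.licenses).AccountSkuId -eq 'lazydev:enterprisepack'}

ForEach ($user in $msolUsers) {
  try {
    # Copy the UPN into a simple variable first: a property expression such as
    # $user.UserPrincipalName is not resolved inside the Get-ADUser filter
    $upn = $user.UserPrincipalName
    $ADUser = Get-ADUser -Filter {UserPrincipalName -eq $upn} -ErrorAction Stop

    # Get-ADUser returns nothing, without an error, when no account matches
    if (-not $ADUser) { throw "No AD user found for $upn" }

    Add-ADGroupMember -Identity O365_E3 -Members $ADUser -ErrorAction Stop

    [PSCustomObject]@{
      UserPrincipalName = $user.UserPrincipalName
      Migrate           = $true
    }
  }
  catch {
    [PSCustomObject]@{
      UserPrincipalName = $user.UserPrincipalName
      Migrate           = $false
    }
  }
}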

If you are using only Azure Active Directory then you can use the following script:

# Get all enabled users with the Office 365 E3 license (-All lifts the default 500-result limit)
$msolUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Where-Object {($_.licenses).AccountSkuId -eq 'lazydev:enterprisepack'} | Select-Object DisplayName,UserPrincipalName,ObjectId

# Get the Group Id of your new Group. Change searchString to your new group name
$groupId = Get-MsolGroup -SearchString O365_E3 | Select-Object ObjectId

ForEach ($user in $msolUsers) {
  try {
    # Try to add the user to the new group
    Add-MsolGroupMember -GroupObjectId $groupId.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId -ErrorAction Stop

    [PSCustomObject]@{
      UserPrincipalName = $user.UserPrincipalName
      Migrated          = $true
    }
  }
  catch {
    [PSCustomObject]@{
      UserPrincipalName = $user.UserPrincipalName
      Migrated          = $false
    }
  }
}

Office 365 Group-Based Licensing

With the new group created and the users copied (or manually added) to the new group, we can now start with assigning the Office 365 license to the Group.

  1. Login to Azure AD Admin Center

    http://portal.azure.com

  2. Open Groups

    You can find it under Azure Active Directory on the left side and then Groups.

  3. Open your new Group and select Licenses

    Find the new group that we have created and select licenses on the left side

  4. Select Assignments to assign a new license


  5. Select the license you want to assign to the Group

    You can change the license services if you want. For example, remove Yammer or Sway if you don’t want to use it.

    Click on Save and close the license screen when done.

  6. Licenses are assigned

    It can take a couple of minutes until all the users are processed. If you refresh the screen after a couple of minutes, you will see that the license changes have been applied.
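
To confirm from PowerShell that processing has finished and that no member was skipped, for example because the tenant ran out of licenses, the check below can be run. It is an added example, not part of the original article: it uses the same MSOnline module, and the group name O365_E3 and the E3 product ID are the sample values used on this page.

```powershell
# Added example. Assumes Connect-MsolService has already been run.
$groupName = 'O365_E3'           # group created earlier on this page
$skuPart   = 'ENTERPRISEPACK'    # product part of the AccountSkuId (Office 365 E3)

# Seats still free for the SKU
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $skuPart }
if (-not $sku) { throw "SKU $skuPart not found in this tenant" }
$free = $sku.ActiveUnits - $sku.ConsumedUnits
Write-Output "$($sku.AccountSkuId): $free of $($sku.ActiveUnits) licenses free"

# Resolve the group by exact name; -SearchString alone also matches longer names
$group = @(Get-MsolGroup -SearchString $groupName | Where-Object { $_.DisplayName -eq $groupName })
if ($group.Count -ne 1) { throw "Expected exactly one group named $groupName, found $($group.Count)" }
$groupId = $group[0].ObjectId

# Members whose inherited license could not be applied, with the reported error
$failed = Get-MsolGroupMember -All -GroupObjectId $groupId |
  Where-Object { $_.GroupMemberType -eq 'User' } |
  ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
  Where-Object { $_.IndirectLicenseErrors.ReferencedObjectId -contains $groupId } |
  ForEach-Object {
    $user = $_
    [PSCustomObject]@{
      UserPrincipalName = $user.UserPrincipalName
      UsageLocation     = $user.UsageLocation
      LicenseError      = ($user.IndirectLicenseErrors |
        Where-Object { $_.ReferencedObjectId -eq $groupId } |
        Select-Object -ExpandProperty Error) -join ';'
    }
  }

if ($failed) { $failed | Format-Table -AutoSize }
else { Write-Output "No license errors reported for $groupName" }
```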


Inherited vs Direct licenses

Users can have directly assigned licenses and inherited licenses. Directly assigned licenses are the ones that you have manually assigned to the users. Inherited licenses are the ones that a user gets based on group membership.

If you had already manually assigned licenses to the users, then you will need to remove the directly assigned license. Not because they now have two licenses, but because if you remove them from the group later, they will still have the directly assigned license.

  1. Open the Azure Active Directory in Azure AD Admin Center.
  2. Select Licenses
  3. All Products
  4. Open the license that you just have assigned to the group.

You will now see a list of all licensed users. In the column Assignment Paths, you will see how the user got the license: Direct or Inherited. Next to Inherited you will also see from which group the user has inherited the license.


Select the users with the direct and inherited licenses and click Remove License to remove the direct license.

The users won’t notice anything from the removal as long as you keep the license and services the same. Otherwise, test it first with a small group of users.
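
The Direct/Inherited check from the Assignment Paths column can also be scripted, which helps when there are too many users to select by hand. The following is an added example, not part of the original article: it reads the GroupsAssigningLicense property that Get-MsolUser returns for each license, and the function name Get-LicenseAssignmentPath and the $removeDirect switch are made up for this example.

```powershell
# Added example. Assumes Connect-MsolService has already been run.
$skuId        = 'lazydev:enterprisepack'  # sample AccountSkuId from this page
$removeDirect = $false                    # hypothetical switch: set to $true to remove

function Get-LicenseAssignmentPath {
  param($User, [string]$SkuId)

  $license = $User.Licenses | Where-Object { $_.AccountSkuId -ieq $SkuId } | Select-Object -First 1
  if (-not $license) { return }   # user does not hold this SKU

  # GroupsAssigningLicense lists every source of the license. An empty list or the
  # user's own ObjectId means a direct assignment; any other id is a group.
  $sources = @($license.GroupsAssigningLicense | Where-Object { $_ })
  $groups  = @($sources | Where-Object { $_ -ne $User.ObjectId })

  [PSCustomObject]@{
    UserPrincipalName = $User.UserPrincipalName
    ObjectId          = $User.ObjectId
    Direct            = ($sources.Count -eq 0) -or ($sources -contains $User.ObjectId)
    Inherited         = $groups.Count -gt 0
    FromGroups        = $groups -join ';'
  }
}

$report = Get-MsolUser -All -EnabledFilter EnabledOnly |
  ForEach-Object { Get-LicenseAssignmentPath -User $_ -SkuId $skuId }

# Direct only: these users lose the license if the direct assignment is removed
$report | Where-Object { $_.Direct -and -not $_.Inherited } |
  Select-Object UserPrincipalName | Format-Table -AutoSize

# Direct and inherited: the direct assignment is redundant
$both = @($report | Where-Object { $_.Direct -and $_.Inherited })
$both | Select-Object UserPrincipalName, FromGroups | Format-Table -AutoSize

if ($removeDirect) {
  foreach ($entry in $both) {
    # Removes the direct assignment only; the group-inherited license stays
    Set-MsolUserLicense -ObjectId $entry.ObjectId -RemoveLicenses $skuId
  }
}
```

Run it once with $removeDirect left at $false and review both tables before enabling the removal.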

Wrapping Up

You can assign users to multiple groups, so you could create a base group with Office 365 E3 for example and a separate group with PowerBI Pro. Using multiple groups, and each group for one license, gives you more flexibility when it comes to assigning licenses to the user in Microsoft 365.

Using Office 365 Group Based Licensing is easy to set up and takes away another manual step in creating and managing your users.

If you have any questions, just drop a comment below.

35 thoughts on “Office 365 Automatically Assign License to Group”

  1. What about UsageLocation which can’t be specified with the group? How would we assign this? Some Licenses depend on this, and all licenses are not available in certain countries.. 🙁

    • You will need to set the location of the user in Azure AD:

      – Sign in to the Azure portal in the User Administrator role.
      – Go to Azure AD > Users and select a user.
      – Select Edit properties.
      – Select the Settings tab and enter a location for the user.

      • Hi Rudy,
        I figured out you can automate this in AzureADConnect to automatically fill this in based on the attribute ”c”, since it’s a common thing for Servicedesk/HR to fill out 🙂

  2. Hi! Did all the steps. It all worked out. Great article!

    But I don’t understand how to make when adding user to local group(AD on-prem) “License O365 E3” user will be added also to cloud group(Azure AD) and get license.

    That is, tech support engineers don’t have access to Azure, but have access to local AD. I want them to be able to assign licenses from local AD.

    • If you have created the groups in Local AD, then they should be available in Azure AD for the assignment. You should then be able to follow the steps under “Office 365 Group-Based Licensing”

      • -Created a group in AD.
        -Synchronized it, it appeared in Azure
        -Added a user (AD) to the group
        -Synchronize it with Azure

        The user did not show up in that group in Azure.

        What am I missing?

  3. You wrote: “But what if you are out of licenses? You will first need to increase the number of licenses or even order extra through your MSP or finance department. That takes time.”

    This step is not omitted? If too few licenses are available, they are not automatically purchased. Even with a group assignment, enough licenses must be purchased. This cannot be automated …?

    • No, not that I am aware of. As far as I know, Microsoft requires human interaction to purchase licenses. Otherwise, your script could accidentally buy 1000 licenses for example.

  4. Hi,
    I am using Power Automate to create a user and assign to group so that it will add the license automatically. However, it won’t generate any error if the license is not assigned because of license shortage. How can we set Azure to increase the number of licenses automatically? Or, at least generate an error so that Power Automate can pick it up. Thank you.

    • I think your best option here is to first check how many licenses you have available and if that is 0 then send an email to purchase additional licenses. As far as I know you can’t purchase licenses through PowerShell.

  5. Hello,
    Can we use PowerShell to configure Office 365 Group Based Licensing?
    I cannot find any option to assign a license to a dynamic group I created.

    New-AzureADMSGroup -DisplayName "Dynamic Group 01" -Description "Dynamic group created from PS" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.department -contains ""Marketing"")" -MembershipRuleProcessingState "On"

  6. Hi Rudy Mens, after running the script for on-premise Active Directory, all Users get the Migrate state “False”. Do you have any advice?

  7. Hi,

    in the azure script is a little error.
    The line:
    try {
    # Try to add the user to the new group
    Add-MsolGroupMember -GroupObjectId $groupId -GroupMemberType User -GroupMemberObjectId $user.ObjectId -ErrorAction stop

    Should be:
    try {
    # Try to add the user to the new group
    Add-MsolGroupMember -GroupObjectId $groupId.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId -ErrorAction stop

    Thx for the post!

  8. Hi,
    This works well, but how can we prevent users from becoming members of two groups? For example Microsoft Business Premium and Office E1?

    • You can first get all the existing users with one of the licenses and check if the user isn’t present in one of the two lists.

      With the code below you can get all users with a specific license
      # Get all users with the Office 365 E3 license
      $msolUsers = Get-MsolUser -EnabledFilter EnabledOnly | Where-Object {($_.licenses).AccountSkuId -eq 'lazydev:enterprisepack'} | Select DisplayName,UserPrincipalName,ObjectId

  9. Wondering if you have tried using powershell to assign a license to a group or is it only done through the GUI

  10. We have Office 365 E3 licenses. Do you happen to know if this will work for them? The documentation says “Office 365 Enterprise E3” which I think is technically different.

    • You can create different license groups in Azure. To assign the users to their groups you will need to use filters to select the correct users from the Active Directory.
