Office 365

How To Maintain Licensing in Office 365 using Groups

Maintaining and administering licenses in Office 365 has historically been a time-consuming and challenging task. If you administer Office 365 you have almost certainly been exposed to PowerShell in one way or another. If you have a large number of users in your tenant you have probably written PowerShell to license users en masse, for example granting them an E5, or modifying the services that users or groups of users have access to. This can be frustrating when Microsoft adds a new service to Office 365 and you need to disable access to it for all your users: first you need to find the hidden service name, then modify your PowerShell, and finally execute it to remove the license.

Microsoft recently released new functionality that enables this task to be more easily accomplished using the user interface. You can now assign licenses based on Azure Active Directory groups; the group can either be created in Azure AD or in your on-premises AD and synced up. If you have Azure Active Directory Premium 1 (part of other products such as Enterprise Mobility & Security), you can create a “dynamic” group based on properties in the user profile, such as department. These dynamic groups can also be used to assign licenses.

One of the powerful features of this is that the licenses assigned are additive, i.e. the result is the union of the licenses assigned. So if a user is assigned to a group that gets an E5 license with just the Email and SharePoint services enabled, and is then added to a group which grants an E5 license with just Yammer enabled, the user now has all three services enabled. This allows you to create targeted groups that enable discrete features and add the users as appropriate.

If a user is assigned a license via a group and has previously been assigned a license “directly”, the interface indicates that both types have been assigned. When you are confident that the users are all assigned licenses via groups correctly, you can use PowerShell to remove their “directly” assigned license. This will not remove the user's license; it will only remove the “directly assigned” license.

So how do you use this functionality? First, log in and navigate to the Azure Active Directory management portal. From the choices, select Licenses.


This will display a list of the licenses that can be assigned in your tenant, for example:


From the list, click the license type you wish to assign via group. This will display a list of users that have this license assigned to them, for example if we select E5:


From the left navigation, select Licensed Groups:

This will display a list of groups that are being used to assign this license type, for example:


The above image shows that currently no groups are being assigned licenses. Click the Assign button to start assigning to a group.

From the left navigation select Users and Groups – Configure required settings


Enter the name of the group you wish to use; for example, here I am using the group “Leadership”.


Select the group and click OK.

Next, in the left navigation, select Assignment Options. This will present the services which the selected license provides, for example the E3 license:



In this example we are granting all services. Notice that the names presented are those shown elsewhere in the UI, and unlike PowerShell you do not need to know the internal names.

If you now navigate back to Azure Active Directory, select All users, and select a user who was in the group, you can see the licenses they have assigned, for example:

This shows that I have an E5 directly assigned and inherited through membership in the Leadership group. The assignment of the inherited license can take a few minutes to propagate, so keep refreshing to ensure this has completed.

I can now use PowerShell to remove the directly assigned license.

The script below can be modified to use your tenant's license IDs and can be used to remove all licenses of a given type from all users. Note that if you attempt to remove the license from a user who only has an inherited license, the script will error; this is expected behavior.

# Script to remove license from users for XYZ corp

# Get credentials and log in
$userCredential = Get-Credential
Connect-MsolService -Credential $userCredential

# Get all unlicensed users
# Get-MsolUser -All -UnlicensedUsersOnly

# License SKU to remove, in tenant:SKU form
$eThree = "timlin:ENTERPRISEPACK"

Write-Host -ForegroundColor Cyan "Getting list of all users…"

# Get all users
$users = Get-MsolUser -All

foreach ($user in $users)
{
    Write-Host -ForegroundColor Green $user.DisplayName $user.UserPrincipalName

    if ($user.IsLicensed -eq $true)
    {
        #Write-Host -ForegroundColor Yellow "removing license for " $user.DisplayName $user.UserPrincipalName

        # Removes the directly assigned SKU; errors for users who only inherit it from a group
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses $eThree
    }
}
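
The script above removes the SKU from every licensed user, so a user who holds it only by direct assignment would end up unlicensed. The following is an added example, not part of the original script, that checks each user's assignment source first by reading the `GroupsAssigningLicense` property that MSOnline returns on each license. The helper names `Get-LicenseSource` and `New-SampleUser` are hypothetical, and the users and group ID are constructed sample data so that it runs offline.

```powershell
# Added example; Get-LicenseSource and New-SampleUser are hypothetical helpers.
# Input objects mimic Get-MsolUser output (ObjectId, Licenses[].GroupsAssigningLicense).
function Get-LicenseSource {
    param($User, [string]$SkuId)
    $direct = $false
    $inherited = $false
    foreach ($license in $User.Licenses) {
        if ($license.AccountSkuId -ine $SkuId) { continue }
        $sources = @($license.GroupsAssigningLicense | Where-Object { $_ })
        # An empty source list means a legacy direct assignment.
        if ($sources.Count -eq 0) { $direct = $true }
        foreach ($source in $sources) {
            # The user's own ObjectId marks a direct assignment;
            # any other id is a group that grants the SKU.
            if ("$source" -ieq "$($User.ObjectId)") { $direct = $true } else { $inherited = $true }
        }
    }
    if ($direct -and $inherited) { return 'Both' }
    if ($direct) { return 'DirectOnly' }
    if ($inherited) { return 'InheritedOnly' }
    return 'None'
}

function New-SampleUser {   # builds one constructed user for the offline run
    param([string]$Upn, [string]$Id, [string[]]$Sources)
    $license = [pscustomobject]@{ AccountSkuId = 'timlin:ENTERPRISEPACK'; GroupsAssigningLicense = $Sources }
    [pscustomobject]@{ UserPrincipalName = $Upn; ObjectId = $Id; Licenses = @($license) }
}

$sku   = 'timlin:ENTERPRISEPACK'                   # SKU used in the script above
$group = '11111111-1111-1111-1111-111111111111'    # constructed group ObjectId
$annId = 'aaaaaaaa-0000-0000-0000-000000000001'    # constructed user ObjectIds
$bobId = 'aaaaaaaa-0000-0000-0000-000000000002'
$catId = 'aaaaaaaa-0000-0000-0000-000000000003'
$users = @(
    New-SampleUser 'ann@example.com' $annId @($annId, $group)   # direct and inherited
    New-SampleUser 'bob@example.com' $bobId @()                 # direct only
    New-SampleUser 'cat@example.com' $catId @($group)           # inherited only
)
# With a live session, replace the sample with: $users = Get-MsolUser -All
foreach ($u in $users) {
    $source = Get-LicenseSource -User $u -SkuId $sku
    if ($source -eq 'Both') {
        # The group keeps the user licensed, so the direct assignment can go:
        # Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -RemoveLicenses $sku
        "REMOVE-DIRECT  $($u.UserPrincipalName)"
    } else { "SKIP ($source)  $($u.UserPrincipalName)" }
}
```

Only users reported as `Both` are candidates for removal; `DirectOnly` users should be added to a licensing group first, and `InheritedOnly` users are the ones that make the original script error.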




That's it! Hope this information helps.