Hello @EnterpriseArchitect, in order to allow users to assign licenses through PowerShell you can leverage the Set-MgUserLicense cmdlet. Users do not need to belong to an administrative role. Just make sure to use an access token with the User.ReadWrite.All scope and, beforehand, to grant admin-wide consent using the Connect-MgGraph cmdlet.
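Here is an example:

Admin consent (one time):

```powershell
# <CLIENT ID>: e.g. 14d82eec-204b-4c2f-b7e8-296a70dab67e for 'Microsoft Graph PowerShell'
Get-MsalToken -ClientId '<CLIENT ID>' -Scope "User.ReadWrite.All" -TenantId '<TENANT ID>'
```

Script content (requires MSAL.PS):

```powershell
# Acquire a delegated token for the signed-in user (same client ID as before)
$AccessToken = (Get-MsalToken -ClientId '<CLIENT ID>' -Scope "User.ReadWrite.All" -TenantId '<TENANT ID>').AccessToken
# Microsoft.Graph 2.x expects -AccessToken as a SecureString (ConvertTo-SecureString $AccessToken -AsPlainText -Force)
Connect-MgGraph -AccessToken $AccessToken
# Assign the license; -RemoveLicenses is mandatory, so pass an empty array
Set-MgUserLicense -UserId '<TARGET USER ID>' -AddLicenses @{SkuId = '<SKU ID>'} -RemoveLicenses @()
```
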
As a security measure you can restrict access to the used client enterprise application to selected users.
Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.
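
One way to apply the restriction mentioned in the answer (limiting the client enterprise application to selected users), shown as an added example that is not part of the original answer. The function name `Set-ClientAppAssignment`, the sample UPN and the use of the default access role (which assumes the application defines no app roles of its own) are assumptions; it is meant to be run by an administrator with the Microsoft Graph PowerShell SDK.

```powershell
# Added example: require user assignment on the client enterprise application
# and assign only the users who are allowed to obtain tokens through it.
function Set-ClientAppAssignment {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $ClientId,      # appId passed to Get-MsalToken
        [Parameter(Mandatory)] [string[]] $AllowedUsers   # UPNs or object IDs
    )
    # Default access role; valid only when the app defines no app roles (assumption).
    $defaultRoleId = '00000000-0000-0000-0000-000000000000'

    $sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
    if (-not $sp) { throw "No enterprise application found for appId $ClientId" }

    # Assign the allowed users first, so enforcement does not lock them out.
    $existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    foreach ($u in $AllowedUsers) {
        $user = Get-MgUser -UserId $u
        if ($existing.PrincipalId -contains $user.Id) { continue }   # already assigned
        New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
            -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $defaultRoleId | Out-Null
    }

    # Enforce: users without an assignment can no longer sign in to this application.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

    # Return the resulting assignments for review.
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Select-Object PrincipalDisplayName, PrincipalType, PrincipalId
}

# Administrator session with the scopes needed to change the enterprise application.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'User.Read.All'

# Constructed sample value; replace with the client ID and the users delegated to assign licenses.
Set-ClientAppAssignment -ClientId '<CLIENT ID>' -AllowedUsers 'license.delegate@contoso.example'
```

Reviewing the returned assignment list periodically shows who can still obtain a User.ReadWrite.All token through this client application.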