Manage user licenses in Microsoft 365

  • 5 minutes

Microsoft paid cloud services, such as Microsoft 365, Enterprise Mobility + Security, Dynamics 365, and other similar products, require licenses. These licenses are assigned to each user who needs access to these services. To manage licenses, administrators use one of the management portals (Microsoft 365 or Azure) and PowerShell cmdlets. Microsoft Entra ID is the underlying infrastructure that supports identity management for all Microsoft Cloud services. Microsoft Entra ID stores information about license assignment states for users.

One of the most basic tasks for Microsoft 365 Administrators is user management. To manage users, you must understand how to manage their licenses. Your organization’s users need licenses to use Microsoft 365 services, such as Microsoft Outlook and Microsoft SharePoint Online. When an administrator assigns a license to a user, the system automatically sets up the service for that user. For example, when you assign a SharePoint Online license to a user, the system assigns the user edit permissions on the default team site.

Only members of the Microsoft 365 Global admin and User Management admin roles can assign or remove licenses. They can assign or remove a license for single or multiple users.

Important

When an administrator removes a license from a user, the system deletes any service data that's associated with that user. You then have a 30-day grace period in which you can recover that data. After the grace period, the data isn't recoverable.

Viewing user license information

You can use the Microsoft 365 admin center to view important information about an organization's user license usage. For example, you can see how many licenses the organization used, how many are remaining, and which users are currently unlicensed.

To view the number of licenses remaining:

  1. In the Microsoft 365 admin center, on the left-hand navigation pane, select Billing and then select Licenses.
  2. In the Subscriptions tab, note how many licenses are available for each subscription and how many licenses the organization assigned.

To view any unlicensed users:

  1. In the Microsoft 365 admin center, on the left-hand navigation pane, select Users and then select Active users.
  2. In the menu bar, select Filter.
  3. In the drop-down menu that appears, note all the various options that you can select to view the users with these respective properties. To view unlicensed users, select Unlicensed users.

Assigning a license

Administrators can use both the Microsoft 365 admin center and Windows PowerShell to assign a license to a user. The prior unit provided instruction on how to edit the licenses for an individual user. However, administrators can maintain products licenses for multiple users at one time. To assign or remove licenses for multiple users in the Microsoft 365 admin center, complete the following steps:

  1. In the Microsoft 365 admin center, in the left-hand navigation pane, select Users and then select Active users.
  2. Select the check box for each user that you want to assign or remove licenses.
  3. On the menu bar, select Manage product licenses if it appears. If it doesn't appear due to the size of the screen, then select the ellipsis (More actions) icon. In the drop-down menu that appears, select Manage product licenses.
  4. On the Manage product licenses page, you must select one of the following options to apply to the selected users:
    • Replace. Unassign existing licenses and assign new ones.
    • Assign more. Keep the existing licenses and assign more.
    • Unassign all. Unassign all licenses for each selected user.

Using Microsoft Graph PowerShell to manage user licenses

Users can't use any Microsoft 365 services until an administrator assigns a license from a licensing plan to their account. If you prefer to use PowerShell rather than the Microsoft 365 admin center, you can assign a user license within Microsoft Graph PowerShell. You can use PowerShell to quickly assign licenses to unlicensed accounts.

Administrators must first assign a location to user accounts. The system requires a location when you create a new user account in the Microsoft 365 admin center. By default, accounts synchronized from an organization's on-premises Active Directory Domain Services (AD DS) don't have a location specified. You can configure a location for these accounts from:

  • The Microsoft 365 admin center
  • Microsoft Graph PowerShell
  • The Microsoft Entra admin center

Finding unlicensed accounts using Microsoft Graph PowerShell

Assigning and removing licenses for a user requires the User.ReadWrite.All permission scope or one of the other permissions listed in the 'Assign license' Microsoft Graph API reference page.

PowerShell requires the Organization.Read.All permission scope to read the licenses available in the tenant.

Connect-MgGraph -Scopes User.ReadWrite.All, Organization.Read.All

Run the Get-MgSubscribedSku command to view the available licensing plans and the number of available licenses in each plan in your organization. The number of available licenses in each plan is ActiveUnits - WarningUnits - ConsumedUnits. For more information about licensing plans, licenses, and services, see View licenses and services with PowerShell.

To find the unlicensed accounts in your organization, run the following command.

Get-MgUser -Filter 'assignedLicenses/$count eq 0' -ConsistencyLevel eventual -CountVariable unlicensedUserCount -All

To find the unlicensed synchronized users in your organization, run the following command.

Get-MgUser -Filter 'assignedLicenses/$count eq 0 and OnPremisesSyncEnabled eq true' -ConsistencyLevel eventual -CountVariable unlicensedUserCount -All -Select UserPrincipalName

You can only assign licenses to user accounts that have the UsageLocation property set to a valid ISO 3166-1 alpha-2 country/region code. For example, US for the United States, and FR for France. Some Microsoft 365 services aren't available in certain countries/regions. For more information, see About license restrictions.

To find accounts that don't have a UsageLocation value, run the following command.

Get-MgUser -Select Id,DisplayName,Mail,UserPrincipalName,UsageLocation,UserType | where { $_.UsageLocation -eq $null -and $_.UserType -eq 'Member' }

To set the UsageLocation value on an account, run the following command.

$userUPN="<user sign-in name (UPN)>"
$userLoc="<ISO 3166-1 alpha-2 country code>"

Update-MgUser -UserId $userUPN -UsageLocation $userLoc

For example:

Update-MgUser -UserId "belindan@litwareinc.com" -UsageLocation US

Note

If you use the Get-MgUser cmdlet without using the -All parameter, PowerShell only displays the first 100 user accounts.

Assigning licenses to user accounts

To assign a license to a user, use the following command in Microsoft Graph PowerShell.

Set-MgUserLicense -UserId $userUPN -AddLicenses @{SkuId = "<SkuId>"} -RemoveLicenses @()

The following example assigns a license from the SPE_E5 (Microsoft 365 E5) licensing plan to the unlicensed user belindan@litwareinc.com:

$e5Sku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq 'SPE_E5'
Set-MgUserLicense -UserId "belindan@litwareinc.com" -AddLicenses @{SkuId = $e5Sku.SkuId} -RemoveLicenses @()

The following example assigns SPE_E5 (Microsoft 365 E5) and EMSPREMIUM (Enterprise Mobility + Security E5) to the user belindan@litwareinc.com:

$e5Sku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq 'SPE_E5'
$e5EmsSku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq 'EMSPREMIUM'
$addLicenses = @(
@{SkuId = $e5Sku.SkuId},
@{SkuId = $e5EmsSku.SkuId}
)

Set-MgUserLicense -UserId "belinda@litwareinc.com" -AddLicenses $addLicenses -RemoveLicenses @()

The following example assigns SPE_E5 (Microsoft 365 E5) with the MICROSOFTBOOKINGS (Microsoft Bookings) and LOCKBOX_ENTERPRISE (Customer Lockbox) services turned off:

$e5Sku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq 'SPE_E5'
$disabledPlans = $e5Sku.ServicePlans | `
Where ServicePlanName -in ("LOCKBOX_ENTERPRISE", "MICROSOFTBOOKINGS") | `
Select -ExpandProperty ServicePlanId

$addLicenses = @(
@{
SkuId = $e5Sku.SkuId
DisabledPlans = $disabledPlans
}
)

Set-MgUserLicense -UserId "belinda@litwareinc.com" -AddLicenses $addLicenses -RemoveLicenses @()

The following example updates a user with SPE_E5 (Microsoft 365 E5) and turns off the Sway and Forms service plans while leaving the user's existing disabled plans in their current state:

$userLicense = Get-MgUserLicenseDetail -UserId "belinda@litwareinc.com"
$userDisabledPlans = $userLicense.ServicePlans | `
Where ProvisioningStatus -eq "Disabled" | `
Select -ExpandProperty ServicePlanId

$e5Sku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq 'SPE_E5'
$newDisabledPlans = $e5Sku.ServicePlans | `
Where ServicePlanName -in ("SWAY", "FORMS_PLAN_E5") | `
Select -ExpandProperty ServicePlanId

$disabledPlans = ($userDisabledPlans + $newDisabledPlans) | Select -Unique

$addLicenses = @(
@{
SkuId = $e5Sku.SkuId
DisabledPlans = $disabledPlans
}
)

Set-MgUserLicense -UserId "belinda@litwareinc.com" -AddLicenses $addLicenses -RemoveLicenses @()View license information

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

You're the Microsoft 365 Administrator for Tailspin Toys. When a member of the Sales team recently left the company, you removed the Microsoft 365 E3 license from the user's Microsoft 365 account. What happens to any service data associated with that user?