Removing Licenses from Groups with PowerShell in Azure Active Directory

Authored by Jack Stabile

The below scripting process was done with the help of Ryan Gorski, a systems administrator for our corporate IT team. 

 

The first script to run lets us view our organization's licenses. In this case we used a simple command:

Get-MsolAccountSku

 

To make things easier to view, we can have the script write the results to a .csv file by piping the command to Export-Csv:

Get-MsolAccountSku | Export-Csv -Path "C:\users\$env:UserName\Desktop\SKU.csv" -NoTypeInformation

 

The SkuIds can be a little confusing to read too, so look at: https://docs.Microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-service-plan-reference.

 

Now that we have the licenses our organization uses, we can run the next script, which will remove licenses from a group in AAD.

 

Import-Module ActiveDirectory   # Get-ADGroupMember comes from the ActiveDirectory module
Connect-MsolService             # Sign in to Microsoft Online Services (MSOnline module)

Get-ADGroupMember -Identity "lic_MsBizCtnr" | Select-Object samaccountname | Export-Csv -Path "C:\users\$env:UserName\Desktop\License\License.csv" -NoTypeInformation

$CSVValues = Import-Csv "C:\users\$env:UserName\desktop\License\license.csv"

foreach ($Row in $CSVValues)
{
    # Build the UPN by appending the domain to the SAM account name
    $SAM = $Row.samaccountname
    $UPN = $SAM + "@Concurrency.com"

    Set-MsolUserLicense -UserPrincipalName $UPN -RemoveLicenses "ConcurrencyInc:MICROSOFT_BUSINESS_CENTER"
}

 

 

The above script is loosely based on the following syntax from Microsoft.

 

$x = Get-MsolUser -All <FilterableAttributes> | where {$_.isLicensed -eq $true}
$x | foreach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses "<AccountSkuId1>", "<AccountSkuId2>"...}

 

From <https://docs.microsoft.com/en-us/office365/enterprise/powershell/remove-licenses-from-user-accounts-with-office-365-powershell>

 

 

The first part of this script connects to Microsoft Online Services and then gets the group member information from AD. In our case we are getting information from "lic_MsBizCtner", selecting the SAM account name, and then putting that information into a .csv file. Our .csv file gives the SAM account name as first initial plus last name, and the user principal name should have our domain at the end, so the "foreach" loop appends "@concurrency.com" to the end of each SAM account name.

 

The last part of the script removes one or more licenses from the UPNs of a selected group. In our case we used "lic_MsBizCtner" and only took away one license: "ConcurrencyInc:MICROSOFT_BUSINESS_CENTER".

 

Once the script is run, Azure AD should sync with AD and the group members will no longer have the license.
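
A more defensive version of the removal loop, added here as an example and not part of the original script: it checks the SKU against the tenant, reads each member's UPN from AD instead of building it from the SAM account name (assuming the on-premises UPN matches the Azure AD UPN), supports -WhatIf, and emits a per-user result record. The function name Remove-GroupLicense and the report path are hypothetical.

```powershell
#Requires -Modules ActiveDirectory, MSOnline
# Added example: dry-run-capable, audited license removal for one AD group.
# Hypothetical names: Remove-GroupLicense, removal-report.csv.
function Remove-GroupLicense {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$AccountSkuId
    )
    # Fail early if the SKU string is not one the tenant actually owns.
    if ((Get-MsolAccountSku).AccountSkuId -notcontains $AccountSkuId) {
        throw "SKU '$AccountSkuId' not found in this tenant."
    }
    # Only user objects; nested groups and computers are skipped.
    $members = Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'user' | Get-ADUser
    foreach ($m in $members) {
        $status = 'Skipped: SKU not assigned'
        try {
            # Assumption: the UPN stored in AD is the same one synced to Azure AD.
            $user = Get-MsolUser -UserPrincipalName $m.UserPrincipalName -ErrorAction Stop
            if ($user.Licenses.AccountSkuId -contains $AccountSkuId) {
                if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Remove $AccountSkuId")) {
                    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName `
                        -RemoveLicenses $AccountSkuId -ErrorAction Stop
                    $status = 'Removed'
                } else { $status = 'Not removed (WhatIf or declined)' }
            }
        } catch { $status = "Error: $($_.Exception.Message)" }
        # One record per member, so the run leaves a reviewable change log.
        [pscustomobject]@{
            Time = (Get-Date).ToString('s'); Group = $GroupName
            UserPrincipalName = $m.UserPrincipalName; Sku = $AccountSkuId; Status = $status
        }
    }
}

Connect-MsolService
# Preview with -WhatIf first; rerun without it once the report looks right.
Remove-GroupLicense -GroupName 'lic_MsBizCtnr' -AccountSkuId 'ConcurrencyInc:MICROSOFT_BUSINESS_CENTER' -WhatIf |
    Export-Csv -Path "$env:USERPROFILE\Desktop\License\removal-report.csv" -NoTypeInformation
```

The MSOnline module that provides these cmdlets has been deprecated by Microsoft in favor of Microsoft Graph PowerShell, so treat this as a pattern for existing MSOnline scripts.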