Managing Licenses in Microsoft Entra ID
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Managing Licenses in Microsoft Entra ID
Introduction: The Critical Role of Identity Licensing
In the modern enterprise environment, Microsoft Entra ID (formerly Azure Active Directory) serves as the central nervous system for identity and access management. While creating users and managing groups are the foundational steps of identity administration, the actual utility of those identities is often gated by licensing. Licensing in Microsoft Entra ID is not merely an administrative billing task; it is the mechanism that unlocks functionality, security features, and compliance capabilities for your users.
When you assign a license to a user, you are essentially granting them access to specific service plans. For example, a user might require a Microsoft 365 E3 license to access desktop applications, or an Entra ID P2 license to utilize risk-based conditional access policies and identity protection features. Without the correct license, users may find themselves locked out of essential tools, or worse, your organization might be operating in a state of non-compliance, leaving security gaps wide open.
Managing these licenses effectively is vital for cost control and security posture. Over-licensing leads to wasted budget, while under-licensing creates operational bottlenecks and security risks. This lesson will guide you through the intricacies of license management, from manual assignments to automated group-based licensing, ensuring you can maintain a lean, secure, and functional environment.
Understanding the Licensing Architecture
Before diving into the mechanics of assignment, it is important to understand how Microsoft structures its licensing model. Licenses are not assigned to identities in a vacuum; they are tied to a tenant and its associated subscriptions. A subscription is a commercial agreement that provides access to a set of services. When you purchase a subscription, you receive a pool of licenses that you can then distribute to your users.
The Hierarchy of Licensing
- Tenant: The top-level container representing your organization’s Microsoft 365 or Azure environment.
- Subscription: The billing entity that holds the licenses you have purchased.
- Service Plans: The individual features or applications included within a license (e.g., Exchange Online, SharePoint Online, or Entra ID P1).
- User/Group: The final destination where the license is applied to enable access to the service plans.
Callout: Licenses vs. Service Plans It is a common misconception that a license is a single entity. In reality, a license (like Microsoft 365 E5) is a bundle of many different service plans. You can actually toggle individual service plans off for specific users while keeping the overall license assigned. This granularity is essential when you want to provide a user with email access but restrict their access to other cloud services like Microsoft Planner or Sway.
Manual License Assignment
Manual assignment is the most straightforward method for managing licenses. It is ideal for small organizations or for handling exceptions in larger environments where specific users require unique configurations that do not fit into broader group-based policies.
Step-by-Step: Assigning a License via the Portal
- Access the Portal: Log in to the Microsoft Entra admin center.
- Navigate to Users: In the left-hand navigation pane, select Users, then click All users.
- Select the User: Click on the display name of the user you wish to manage.
- Locate Licenses: In the user’s profile menu, click on the Licenses blade.
- Assign: Click the + Assignments button at the top of the pane.
- Select Products: Choose the license you wish to assign from the available list of products.
- Refine Service Plans: If you need to disable specific features, click Assignment options and toggle off the service plans that are not required for this specific user.
- Save: Click Save to apply the configuration.
Tip: Always perform a quick audit of the service plans before clicking save. It is far easier to disable a service plan during the initial assignment than it is to troubleshoot why a user has access to a tool they should not be using later on.
Group-Based Licensing: The Enterprise Standard
In any environment with more than a few dozen users, manual assignment becomes unsustainable. It is error-prone, difficult to audit, and creates administrative overhead that distracts from more important tasks. Group-based licensing is the industry-standard approach for solving this problem. By assigning a license to a Microsoft Entra security group, any user added to that group automatically inherits the license. Conversely, when a user is removed from the group, their license is automatically released back into the pool.
Benefits of Group-Based Licensing
- Automatic Provisioning: New employees get access the moment they are added to the correct department group.
- Consistency: All users in a group have identical service plans, reducing configuration drift.
- Compliance: You can easily report on who has what access by simply checking group membership.
- Lifecycle Management: When a user leaves the organization and is removed from their groups, the license is reclaimed immediately, ensuring you stop paying for idle licenses.
Step-by-Step: Implementing Group-Based Licensing
- Create or Select a Group: Ensure you have a security group (e.g., "Finance_Team") ready.
- Navigate to Groups: In the Entra admin center, go to Groups > All groups.
- Select the Group: Click the name of the group you want to license.
- Manage Licenses: Select the Licenses blade from the left-hand menu.
- Assign: Click + Assignments, select the desired product, and configure any necessary service plan restrictions.
- Apply: Click Save.
Warning: Licensing Conflicts If a user is a member of two groups that both attempt to assign the same license, Microsoft Entra ID will not double-bill you, but it will create a "conflict" state. The system will process the license assignment, but you should monitor the group's "License errors" blade to ensure that all users are correctly provisioned.
Automating Licensing with PowerShell
For advanced administrators, the Microsoft Graph PowerShell SDK is the most efficient way to manage licensing at scale. While the portal is great for visual tasks, scripts allow you to perform bulk operations, audit license usage across thousands of users, and integrate licensing into your broader onboarding automation workflows.
Example: Assigning a License to a User via PowerShell
Before running these commands, ensure you have the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules installed.
# 1. Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"
# 2. Get the SKU ID for the license you want to assign
# Replace 'Your-Subscription-Name' with your actual subscription
Get-MgSubscribedSku | Select-Object SkuId, SkuPartNumber
# 3. Assign the license to a specific user
$userId = "[email protected]"
$skuId = "your-sku-id-from-above"
$addLicenses = @(
@{ SkuId = $skuId }
)
Set-MgUserLicense -UserId $userId -AddLicenses $addLicenses -RemoveLicenses @()
Explanation of the Script
- Connect-MgGraph: This establishes the authenticated session. You must have the appropriate permissions defined in your app registration or session.
- Get-MgSubscribedSku: This is a crucial step. Licenses are identified by a unique
SkuId(a GUID), not by their human-readable name. Always fetch this ID dynamically to ensure your script is pointing at the correct product. - Set-MgUserLicense: This cmdlet is the workhorse. It accepts an array of licenses to add and an array of licenses to remove, allowing you to perform atomic swaps or updates in a single command.
Best Practices and Industry Standards
Managing licenses effectively requires a combination of technical configuration and administrative discipline. Follow these best practices to maintain a healthy environment:
1. Establish a "License-First" Onboarding Workflow
Do not wait for users to request access. Integrate license assignment into your identity lifecycle management. When a user is created in your HR system (like Workday or BambooHR) and synced to Entra ID, they should automatically be placed in an appropriate group that carries the necessary licenses.
2. Conduct Regular License Audits
At least once per quarter, run a report to identify:
- Unassigned Licenses: Licenses you are paying for but are not being utilized.
- Inactive Users: Users who have licenses but haven't logged in for 30+ days.
- Over-privileged Users: Users who have E5 licenses but only use basic email functionality.
3. Use "License Usage" Reports
Microsoft Entra ID provides built-in reports that show you which service plans are actually being used. If you find that 50% of your organization has an E5 license but never uses the Power BI or advanced security features, you may be overspending significantly. Downgrading these users to an E3 or F3 license can result in substantial annual savings.
4. Group-Based Licensing for Everything
Avoid manual assignment at all costs. Manual assignment is the primary cause of "license creep," where users keep licenses they no longer need because an administrator forgot to remove them when their job role changed. If a user moves departments, moving them between groups automatically handles their licensing transition.
5. Handle "Conflict" States Proactively
Check the license status of your groups regularly. If you see a notification about a licensing error, resolve it immediately. A user in a conflict state may lose access to critical services, which can cause immediate productivity loss.
Comparison: Manual vs. Group-Based Licensing
| Feature | Manual Assignment | Group-Based Licensing |
|---|---|---|
| Scalability | Low (Good for < 10 users) | High (Ideal for enterprise) |
| Maintenance | High (Individual updates) | Low (Inherited from group) |
| Consistency | Low (Prone to human error) | High (Policy-driven) |
| Auditability | Difficult | Simple (Check group membership) |
| Lifecycle | Manual removal required | Automatic removal |
Common Mistakes and How to Avoid Them
Mistake 1: Licensing Service Accounts
Administrators often assign full Microsoft 365 licenses to service accounts used for applications or automated tasks. Service accounts generally do not need a mailbox, a calendar, or an Office suite.
- The Fix: Use "Unlicensed" accounts for service tasks, or assign only the specific, low-cost license required for the authentication service.
Mistake 2: Ignoring "Disabled" Users
When a user leaves the company, their account is often disabled, but their license remains assigned. This is a common source of "license leakage."
- The Fix: Implement an automated cleanup script or a workflow that triggers when a user’s status is set to "Disabled." The script should remove the user from all licensed groups.
Mistake 3: Assigning Licenses to Guest Users
Sometimes, guest users are invited into the organization and accidentally added to a group that has a license assigned. Depending on your licensing agreement, this can lead to unexpected billing.
- The Fix: Use dynamic groups that explicitly exclude guest users (
user.userType -ne "Guest") to ensure licenses are only applied to internal employees.
Mistake 4: Not Utilizing "Assignment Options"
Many administrators assign a full suite (like E5) but fail to disable the apps the user doesn't need. This is a missed opportunity for security.
- The Fix: If a user only needs email, disable every other service plan in their license assignment. This reduces the "attack surface" of that user identity.
Callout: License Reclamation When you remove a license from a user, the data associated with that license (like their Exchange mailbox or OneDrive files) is not deleted immediately. Microsoft typically retains this data for 30 days before permanent deletion. This grace period is vital if you accidentally remove a license from an active employee.
Advanced Licensing Scenarios: Dynamic Groups
Dynamic groups are a powerful feature in Microsoft Entra ID that can take your licensing automation to the next level. Instead of manually adding users to a group, you define a rule based on user attributes.
Example: Automated Licensing by Department
Suppose you want to automatically license everyone in the "Sales" department.
- Create a security group named "Sales_Licensed".
- Set the Membership type to Dynamic User.
- Click Add dynamic query and set the rule:
user.department -eq "Sales". - Assign the appropriate license to this group.
Now, whenever HR adds a user to the "Sales" department in your source system, they are automatically added to the group and receive their license without any manual intervention from IT. This is the definition of "set it and forget it" identity management.
Troubleshooting License Issues
Even with the best planning, issues will arise. Here is a checklist for when a user reports that they cannot access a service:
- Check the User's License Blade: Does the user show the expected license? Is it listed as "Active" or "Warning"?
- Verify Service Plans: Ensure the specific service plan for the tool they are trying to use (e.g., "Exchange Online") is toggled to "On."
- Check for License Conflicts: If the user is in multiple groups, verify that the license assignments are not conflicting.
- Wait for Propagation: License changes can take anywhere from a few minutes to a few hours to propagate across Microsoft's global data centers. If you just assigned the license, wait 30 minutes before escalating.
- Check Group Membership: If using group-based licensing, ensure the user is actually a member of the group and that the group membership has synced.
FAQ: Frequently Asked Questions
Q: Can I assign a license to an empty group? A: Yes, you can. The license will simply sit unassigned until a user is added to the group. This is a great way to "pre-stage" licenses for a new department.
Q: What happens if I run out of licenses? A: If you attempt to assign a license to a user or a group when you have zero licenses remaining, the assignment will fail. You will need to purchase more licenses or free up existing ones by removing them from inactive users.
Q: Can I use PowerShell to see who is using a specific license?
A: Yes. You can use the Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq 'YOUR-SKU-ID')" command to list all users who currently have that specific license assigned.
Q: Does removing a user from a group immediately stop their access? A: It stops the license assignment immediately, but the user may retain access to certain cached services for a short period. It is recommended to also revoke their refresh tokens if you need an immediate security cutoff.
Key Takeaways
- Licensing is Security: Licensing is not just for billing; it controls access to security features like Conditional Access and Identity Protection. Treat license management as a security function.
- Standardize with Groups: Manual assignment is a bottleneck. Always move toward group-based licensing and dynamic groups to ensure consistency and reduce administrative overhead.
- Audit for Savings: Regularly review license usage reports. If you are paying for features your users aren't using, down-license them to optimize your organization's IT spend.
- Automate the Lifecycle: Integrate your HR system with Entra ID to ensure that when a user joins or leaves, their licensing is handled automatically without manual intervention.
- Granular Control: Use "Assignment options" to disable unused service plans. This helps in maintaining a cleaner interface for users and reduces the overall attack surface of your identity environment.
- Proactive Troubleshooting: Familiarize yourself with the "License errors" view in the Entra admin center. Identifying and fixing assignment conflicts early prevents user frustration and service outages.
- The 30-Day Rule: Remember that license removal and data deletion are not instantaneous. Use the 30-day grace period to your advantage if you need to recover a user's data after an accidental license removal.
By mastering these concepts, you transition from a reactive administrator to a proactive identity architect. The goal is to build a system where the right people have the right access at the right time, with the right licenses, all while minimizing the manual effort required to keep the lights on.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons