Manage Azure AD group based licensing with PowerShell


Recently I needed to assign a lot of Microsoft licenses to different Azure AD groups. Unfortunately, Microsoft does not currently offer a solution to do this (yet). Instead of giving up, I decided to analyze what actually happens when you assign a license to a group in the Azure portal and found some actions going on within the hidden portal API. As an outcome, I built a PowerShell module to manage Azure AD group-based licensing assignments.

“Full functionality for group-based licensing is available through the Azure portal, and currently PowerShell and Microsoft Graph support is limited to read-only operations.”
(Quoted from “PowerShell and Graph examples for group-based licensing in Azure AD”)

The PowerShell module

The PowerShell module uses the “main.iam.ad.ext.azure” API for the license operations and the AzureRM module to get an access token for the API. Please note that this API is not officially supported or documented, although the Azure portal itself uses it for the settings you configure via the portal.

Kudos to Jos Lieben for his “pioneer work” documenting how to get an access token for the API.

Availability

The PowerShell module can be installed directly via Install-Module -Name AzureADLicensing or manually downloaded from GitHub or the PowerShell Gallery.

Examples (graphical)

First, install the module as documented on GitHub.

List available licenses: Get-AADLicenseSku

Get assigned licenses for a specific group:
Get-AADGroupLicenseAssignment -groupId "0a918505-d0d5-4078-9891-0e8bec67cb65"

Get available service plans for a license:

$m365 = Get-AADLicenseSku | Where-Object {$_.name -match "Microsoft 365 E5"}
$m365.serviceStatuses.servicePlan
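
An added example, not part of the original post or the module's own code: because the module relies on an unsupported portal API, this script snapshots group license assignments once and reports any later difference from that baseline. It assumes the module is installed and an AzureRM session is already signed in; the parameter names and the baseline file name are hypothetical, and the cmdlet output is stored as opaque JSON because its shape is not documented on this page.

```powershell
# Added example: baseline and drift report for group license assignments.
param(
    # Group object IDs to audit; the default is the sample ID used in this post.
    [string[]]$GroupId = @('0a918505-d0d5-4078-9891-0e8bec67cb65'),
    # Hypothetical location of the baseline snapshot.
    [string]$BaselinePath = '.\aad-group-license-baseline.json'
)

$ErrorActionPreference = 'Stop'
Import-Module AzureADLicensing

$current = foreach ($id in $GroupId) {
    try {
        $assignment = Get-AADGroupLicenseAssignment -groupId $id
    }
    catch {
        # A terminating error is reported and skipped, not recorded as "no licenses".
        Write-Warning "Lookup failed for group ${id}: $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        GroupId    = $id
        # Undocumented response shape: keep it whole as one compact JSON string.
        Assignment = ConvertTo-Json -InputObject @($assignment) -Depth 10 -Compress
    }
}

if (-not $current) {
    Write-Warning 'No assignments could be read; the baseline is left untouched.'
    return
}

if (Test-Path -LiteralPath $BaselinePath) {
    # Assign first, then wrap, so a one-element baseline is still treated as an array.
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $drift = Compare-Object -ReferenceObject @($baseline) -DifferenceObject @($current) -Property GroupId, Assignment
    foreach ($d in $drift) {
        $side = if ($d.SideIndicator -eq '=>') { 'current ' } else { 'baseline' }
        Write-Output "[$side] $($d.GroupId): $($d.Assignment)"
    }
    if (-not $drift) { Write-Output 'No drift from baseline.' }
}
else {
    # First run: record the baseline that later runs are compared against.
    ConvertTo-Json -InputObject @($current) | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
}
```

A group that differs shows up as a `[baseline]` line and a `[current ]` line with the two JSON values; delete the baseline file to accept the current state as the new reference.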

More examples are available on GitHub.

Happy Group Based Licensing.
