Saturday, October 24, 2020
Home Microsoft 365 Remove all Office 365 licenses for a group of users from CSV...

Remove all Office 365 licenses for a group of users from CSV file

A recent question over at the Spiceworks community asked for a PowerShell sample that will go over a list of users imported via CSV file and remove any and all Office 365 licenses for each user. Since this is a question I’ve seen asked previously, I decided to write a quick blog post about it and add some additional notes besides the actual code.

The first step is to make sure we have a proper input file. You can easily prepare such by using the Get-MsolUser cmdlet and filtering out users based on specific criteria, or you can just populate it manually via Excel. The important thing is that you have at least one column that designates users unambiguously. The UserPrincipalName or ObjectId properties should do. You can use other properties as necessary, but make sure to adjust the code below to account for that, as it expects to see a column named UserPrincipalName in the input CSV file.

Once we have the list of users, the task of removing licenses is a simple one. The only tricky part is that we actually need to have a list of licenses to remove, as there is no -RemoveAllLicenses switch or similar. Thus, for each user we will first run the Get-MsolUser cmdlet and gather the list of currently assigned SKUs and store them in the $SKUs variable. If said variable is empty, say because the user has no licenses assigned or no matching user was found, we skip to the next user. Then, for each individual license we can go ahead and run the Set-MsolUserLicense cmdlet.

[ $users = Import-Csv .\Users-to-disable.csv
 
foreach ($user in $users) {
Write-Verbose "Processing licenses for user $($user.UserPrincipalName)"
try { $user = Get-MsolUser -UserPrincipalName $user.UserPrincipalName -ErrorAction Stop }
catch { continue }
 
$SKUs = @($user.Licenses)
if (!$SKUs) { Write-Verbose "No Licenses found for user $($user.UserPrincipalName), skipping..." ; continue }
 
foreach ($SKU in $SKUs) {
if (($SKU.GroupsAssigningLicense.Guid -ieq $user.ObjectId.Guid) -or (!$SKU.GroupsAssigningLicense.Guid)) {
Write-Verbose "Removing license $($Sku.AccountSkuId) from user $($user.UserPrincipalName)"
Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses $SKU.AccountSkuId
}
else {
Write-Verbose "License $($Sku.AccountSkuId) is assigned via Group, use the Azure AD blade to remove it!"
continue
}
}
} ]

One last remark is due here – licenses can also be assigned by using the group-based licensing feature. If that’s the case, using the Set-MsolUserLicense cmdlet will throw an error, so we can add a simple check in the script to avoid that. Instead, you should use the Azure AD blade in the Azure portal to adjust the group-based license.

Without further ado, here’s the code that does the trick. Make sure to update it to reflect the path to the CSV file and make sure that the CSV file has a column named UserPrincipalName (or adjust that in the code below):

Most Popular

Microsoft 365 All Tenants in the admin center

More than one-third of admins that use the Microsoft 365 admin center manage multiple tenants. This applies to two-thirds of enterprise customers...

Windows Defender Advanced Threat Protection (ATP) software is undergoing some changes

Microsoft has announced that its Windows Defender Advanced Threat Protection (ATP) software is undergoing some changes. The antivirus program is expanding beyond...

Improvements to SharePoint news feeds and digests

The news feed delivers an intelligent view of news, targeted to you based on factors like your role or location, and further...

Microsoft Endpoint Management Deploy an application to a device

From the Microsoft Endpoint Management admin center, you can initiate an application install in real time for a tenant attached device.