🎉 Our Microsoft 365 Reporting & Management Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Microsoft 365

How to List Users With Group-Based License Assignments in Microsoft 365

Group-based licensing in Microsoft 365 automatically assigns licenses to users based on their group membership. This makes license management more efficient, but when users inherit licenses from multiple groups verifying the source of assignments becomes tricky and can slow down audits. This guide explains how to list all users who inherit licenses through group-based assignments, along with the details of the groups providing them.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

Find Users with Inherited License Assignment Using M365 Admin Center

Microsoft 365 Permission Required
Global Reader Least Privilege
Global Admin Most Privilege
  • Navigate to Billing»Licenses in the Microsoft 365 admin center.
  • Under the Subscriptions tab, click the respective product and navigate to the Groups tab to view all groups assigned with licenses.
  • Click the respective group and go to the Successfully assigned tab to view the list of users who have inherited licenses from that group.
Find Users with Inherited License Assignment Using M365 Admin Center
  • Note: Currently, the admin center does not provide a single, comprehensive view of whether licenses are assigned directly or inherited by the users for a subscription. Instead, you must review each group individually to understand how licenses are applied.

List All M365 Users with Group-Based Licensing Using PowerShell

Microsoft 365 Permission Required
User.Read.All, Organization.Read.All Least Privilege
Directory.ReadWrite.All Most Privilege
  • Connect to the Microsoft Graph PowerShell using the cmdlet below.
  • Windows PowerShell Windows PowerShell 
     Connect-MgGraph  -Scopes  “User.Read.All” , “Organization.Read.All”
  • To find the license assignment details for a specific subscription, you must first know its SKU ID. To list all subscription SKU IDs in the organization, run the following cmdlet.
  • Windows PowerShell Windows PowerShell 
     Get-MgSubscribedSku -All | Format-Table SkuPartNumber, SkuID, ConsumedUnits
  • Then, run the below script by replacing the <SkuID> with the SKU ID of the respective subscription. This will retrieve all Microsoft 365 users who have inherited the license through group-based assignment.
  • Windows PowerShell Windows PowerShell 
     $subscription = Get-MgSubscribedSku -All | Where-Object SkuId -eq “<SkuID>”
$users = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($subscription.SkuId) )"
$results = foreach ($user in $users) {
    $licenseDetails = Get-MgUser -UserId $User.Id -Property "licenseAssignmentStates" | Select-Object -ExpandProperty "licenseassignmentstates"
    $userSkus = [PSCustomObject]@{
        DisplayName = $user.DisplayName
        UserPrincipalName = $user.UserPrincipalName
        AssignedThroughGroups = ($licenseDetails | Where-Object { $_.SkuId -eq $subscription.SkuId -and $_.AssignedByGroup }).Count -gt 0
        AssignedDirectly = ($licenseDetails | Where-Object { $_.SkuId -eq $subscription.SkuId }).Count -gt ($licenseDetails | Where-Object { $_.SkuId -eq $subscription.SkuId -and $_.AssignedByGroup }).Count
    }
    if ($userSkus.AssignedThroughGroups) { $userSkus }
}
$results | Format-Table -AutoSize
  • This cmdlet checks all Microsoft 365 users with the specified license inherited from group(s) and lists their display name, user principal name, and whether the license is assigned directly or through a group.
List All M365 Users with Group-Based Licensing Using PowerShell

Export M365 Group-Based License Assignments Using PowerShell Script

Microsoft 365 Permission Required
User.Read.All, Group.Read.All, AuditLog.read.All, Organization.Read.All Least Privilege
Directory.ReadWrite.All Most Privilege
  • The PowerShell method can retrieve group-based license assignments for a single subscription but it requires manual effort to get the same data across all subscriptions especially in large environments.
  • To address this, we developed a script that retrieves the group-based licences assignment information for all the subscriptions in your tenant.
  • Download and execute the script to export details such as username, UPN, group name from which license is inherited, department, job title, and more.
  • Windows PowerShell Windows PowerShell 
     ./M365GroupBasedLicenseReport.ps1
Export M365 Group-Based License Assignments Using PowerShell Script
M365GroupBasedLicenseReport.zip
AdminDroid Microsoft 365 License Reporting

All-in-One Suite for Microsoft 365 Group-Based License Management with Visual Insights

Admindroid’s Microsoft Entra ID reporting tool simplifies the work of admins by providing an easy-to-use interface that enables you to identify users with group-based license assignments. Below are some of the powerful capabilities of the tool designed to streamline group-based licensing in your Microsoft 365 environment.

Monitor Group License Changes in Microsoft 365 to Maintain Access Control

Track group based license changes to detect unexpected modifications and maintain proper access control across Microsoft 365 services.

Track M365 Subscription Usage to Optimize Consumption

Monitor Microsoft 365 subscription usage report to identify actively consumed licenses, track unused units for each subscription, and review its subscription status & type.

Streamline Microsoft 365 Subscription Tracking with Reminders Agents

Leverage Admindroid reminder agents to get notified and follow up when a subscription’s consumption is nearing its limit, when there are lifecycle changes, and more.

Monitor Over-Allocated Subscriptions in M365 to Maintain Compliance

Identify subscriptions with usage over 100% caused by restored users in Entra ID who retain their previous licenses, and resolve them quickly by adjusting group memberships or reclaiming unused licenses.

Visualize Licenses Usage and Identify Unused Assignments

Utilize the Microsoft 365 license dashboard to identify disabled users who still hold active licenses.

Review License Assigned Guests to Control External Access

Analyze license assigned guests to prevent unnecessary access and ensure external users only have the services needed for secure collaboration.

Overall, the AdminDroid Entra ID management tool provides an efficient way to manage users with inherited licenses in Microsoft 365. In addition, it delivers actionable insights for securely managing all Entra ID objects and offers full governance visibility for improved control.

Explore a full range of reporting options
Download Live Demo

Important tips

Identify M365 inactive users who inherit licenses through group-based assignments and remove them from groups to prevent unnecessary license consumption.

Create access reviews in Microsoft 365 to reclaim unused licenses and maintain proper access control.

Use auto-claim policies in Microsoft 365 to automatically assign licenses to users when they access an app, which eliminates the need for manual license management.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints when listing users with group-based license assignments in Microsoft 365.

Error Set-MgGroupLicense : Resource does not exist or one of its queried reference-property objects are not present.

This error occurs when the provided groupID does not match any existing group, or the group has been deleted.

Fix Run the following cmdlet to verify that the groupID is correct and that the group exists by retrieving it using the group name. 
Get-MgGroup -Filter "displayName eq '<GroupName>'" | Select-Object Id, DisplayName

Error Get-MgSubscribedSku : One or more errors occurred.

This error occurs when multiple versions of the Microsoft Graph PowerShell module are installed in the system.

Fix Uninstall all the versions of Microsoft Graph module, and then reinstall the latest stable version of Microsoft Graph module. 
Get-InstalledModule | Where-Object { $.Name -like "Microsoft.Graph*" } | 
ForEach-Object { Uninstall-Module -Name $.Name -RequiredVersion $_.Version -Force }
#Install the latest stable Microsoft Graph module
Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber -Force

Error Set-MgUserLicense_AssignExpanded: User license is inherited from a group membership and it cannot be removed directly from the user.

This error occurs in Powershell when attempting to remove a license that was assigned through group-based licensing.

Fix To remove the inherited license, remove the user from the group through which the license was assigned, as this will automatically revoke the group-based license.

Error Failed to delete group. The group has an active license. So it cannot be deleted.

This error occurs in the Entra admin center when attempting to delete a Microsoft 365 group that still has active license assignments.

Fix Ensure that the active license assigned to the group is removed before attempting to delete the group.
Microsoft 365
Frequently Asked Questions

Smart Management of Group-based Licensing in Microsoft 365

What are the features of group based licensing in Microsoft 365?
How to assign group-based licences to users in Microsoft Entra ID?
How to remove users from group-based licensing in Microsoft 365?
When to assign a direct license and when to assign group-based licensing?
How does M365 handle app and service access for users with the same license from multiple sources?

1. What are the features of group based licensing in Microsoft 365?

Group-based licensing makes it easier to manage Microsoft 365 licenses by assigning them through groups. Beyond this, there are many additional capabilities to explore. The following are some of the key features.

  • Supports license assignment to security groups Licenses can be assigned to cloud-only security groups, on-premises synced groups via Microsoft Entra Connect. They can also be assigned to security enabled Microsoft 365 groups.
  • Customize service plans during assignment Administrators can disable specific services within a license, such as Yammer, when those services are not needed by the group members.
  • Supports all Microsoft cloud services Group-based licensing supports Microsoft 365 products, Dynamics 365, and Enterprise Mobility + Security (EMS).
  • Smart license usage across multiple groups Even though users may be members of multiple licensed groups or have direct license assignments they consume only one license per product preventing duplication.
  • License error reporting for failed assignments If a license can’t be assigned due to conflicts or lack of availability, Microsoft Entra ID flags the issue and gives admins the details needed to take corrective action.
  • Supports dynamic group membership Group-based license assignment supports dynamic group membership. This dynamic membership ensures that licenses are automatically assigned or removed as users join or leave groups based on their properties.
  • Usage location behavior Usage location is needed to know where the user will use the service, to ensure the license follows regional rules. If a user assigned with a group-based license does not have a usage location set, they automatically inherit the default location configured in Microsoft Entra directory.

2. How to assign group-based licences to users in Microsoft Entra ID?

Group-based license assignment in Azure AD simplifies user management by automatically applying licenses to all group members. This approach saves time and reduces errors compared to assigning licenses individually. It also ensures that new users added to the group receive the required licenses automatically which keeps access consistent and up to date.

Group-based license assignment in Microsoft 365 admin center

  • Navigate to Billing»Licenses in the Microsoft 365 admin center.
  • Click on the respective subscription, navigate to Groups, and click + Assign licenses. Then enter the group name in the field.
  • Manage the apps and services the user can access by expanding ‘Turn apps and services on or off’, and then click Assign licenses.
assign-license-via-groups

Check the assignment status of a group-based license in Microsoft 365

  • On the licenses page, select the respective license and navigate to the Groups tab.
  • Then, review the license status of each group. You will see one of the following statuses.
    • All licenses assigned – No issues detected.
    • In progress – Licenses are still being applied to users.
    • Errors and issues – Some users have problems with license assignment.

Note: If a group shows the status as ‘Errors and issues’, select the group name. Under the Action needed tab, you can view all affected users.

3. How to remove users from group-based licensing in Microsoft 365?

When a user with group-based licensing no longer needs certain services or leaves the organization, you can't remove the license directly from them. If you do so, you will get the error ‘User license is inherited from a group membership and it cannot be removed directly from the user’.

To overcome this, you need to remove the user from the group that assigns the license. Before doing so, keep in mind that removing a user from a group will also remove any security configurations or collaboration access tied to that membership.

Delete users from group license assignments in Microsoft 365

  • In the Entra admin center, navigate to Entra ID»Groups»All groups and click on the respective group to remove the member.
  • Go to the Members under Manage section, select the member, and choose Remove action.
  • In the confirmation prompt, choose Yes to remove the user.
remove-users-in-groups

Remove a user from group using PowerShell

Similarly, you can remove a user from a group by connecting to the Microsoft Graph PowerShell module with the 'Group.ReadWrite.All' scope.

To do so, run the cmdlet below replacing <GroupObjectID> with the group ID and <UserObjectID> with the user ID. 

Remove-MgGroupMemberByRef -GroupID "<GroupObjectId>" -DirectoryObjectId "<UserObjectId>"

Note: You can use the following cmdlets to fetch the group ID by replacing <GroupName> with the actual group name and fetch the user object ID by replacing <UPN> with the user principal name.

Get-MgGroup -Filter "displayName eq '<GroupName>'" | Select-Object Id, DisplayName

Get-MgUser -UserId '<UPN>' | Select-Object Id, DisplayName

Effortlessly remove group members in Microsoft 365 with AdminDroid!

  • Go to the group membership overview report in the Admindroid 365 portal, select the desired group from the entries and click Show Actions.
  • Navigate to Remove Member From Group under Group Membership and Ownership section.
  • Select the users from the dropdown to remove and click Delete.
remove-group-members-using-droid

4. When to assign a direct license and when to assign group-based licensing?

It is important to understand when to assign licenses directly and when to use group-based licensing in Microsoft 365, as it can make a big difference. The right method helps you save time, reduce admin tasks, and use your licenses more efficiently.

Direct license assignment

  • Direct license assignment means manually selecting users and assigning licenses to them.
  • When to use it: This is useful for small M365 tenants, individual users, or special cases that don’t align with group structures.
  • Example: A Microsoft 365 license can be directly assigned to a freelancer or contractor who is not part of any group that has a license assigned.

Group-based license assignment

  • Group-based licensing automatically applies licenses to all members of a specific Microsoft 365 group. This method ensures consistent license distribution and simplifies management.
  • When to use it: This method is ideal for larger teams or dynamic environments where grouping users by department, location, or job function ensures uniform assignment for the entire group.
  • Example: Microsoft 365 E3 licenses are assigned to everyone in the “Marketing Team” group without manual effort.

5. How does M365 handle app and service access for users with the same license from multiple sources?

If a user is assigned the same license through direct assignment or through multiple groups, Microsoft 365 counts it only once. The system evaluates all license assignment paths and applies the most permissive configuration. If any source enables a service, the user will have access to it.

  • Example 1 – Gaining access from a group license : A user has a direct E5 license with Sway disabled. If the user is added to a group with the same E5 license where Sway is enabled, they will gain access to Sway without any downtime.
  • Example 2 – Gaining access from a direct license : A user has a direct E5 license with all services enabled. If the user is added to a group with the same license but with Sway disabled, the group-based restriction will not apply. Direct licenses take priority over group-based restrictions, so the group’s limitation does not override the user’s direct license.
  • Example 3 – Assignment from multiple groups and a direct license : Group A assigns an E5 license with Bookings disabled. Group B assigns an E5 license with no restrictions. The user also has a direct E5 license with Sway disabled. The result is full, unrestricted E5 access. The effective license combines all sources. Direct license settings take priority, and any group license without restrictions will allow access to services disabled in other groups.

Key points:

  • A user never consumes more than one license per product, regardless of the number of assignments.
  • The most permissive configuration across all license paths applies.
  • This approach prevents license waste, reduces costs, and simplifies management.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Microsoft 365
How to List Users With Group-Based License Assignments in Microsoft 365
Microsoft 365 Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo