
[Mastering the System] Remove directly assigned licenses for users with group licenses

Author: 精品下载站 Date: 2024-12-14 03:36:09 Views: 16 Category: 玩电脑


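Organizations should use group-based licensing instead of assigning licenses directly to users. It keeps everything organized and makes license errors easier to troubleshoot and maintain. What if users have both directly assigned licenses and group-based licenses? In this article, you will learn how to remove directly assigned licenses from Microsoft 365 users who have group licenses.

Before you start

Do you want to export all users and their assignment paths? Read the article Check if Microsoft 365 user license is directly assigned or inherited from a group.

Note: To ensure that users don't lose access to services and data, confirm that the directly assigned licenses don't provide more service functionality than the inherited licenses. It is currently not possible to use the Microsoft Entra 365 admin center or PowerShell to determine which services are enabled through inherited licenses versus direct licenses when removing licenses.

Remove directly assigned licenses with PowerShell

To bulk remove directly assigned licenses with PowerShell from users who already inherit group-based licenses, follow these steps:

Step 1. Install Microsoft Graph PowerShell

Run Windows PowerShell as administrator and install Microsoft Graph PowerShell.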

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

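Important: Always install both the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. Some cmdlets are not yet available in the final version and will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Step 2. Prepare the Remove-DirectLicense PowerShell script

Create two folders on the (C:) drive:

  • Temp
  • Scripts

Download the Remove-DirectLicense.ps1 PowerShell script and place it in the C:\scripts folder. The script will export a CSV file to the C:\temp folder.

Ensure the file is unblocked to prevent errors when running the script. Read the article Not digitally signed error when running PowerShell script to learn more.

Another option is to copy and paste the code below into Notepad. Name it Remove-DirectLicense.ps1 and place it in the C:\scripts folder.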

<#
    .SYNOPSIS
    Remove-DirectLicense.ps1

    .DESCRIPTION
    The script will remove unnecessary direct licenses from Microsoft 365 users who already inherit the same license from a group.
    For example, as part of a transition to group-based licensing. The script will output the results on the console and export it to CSV file.

    .LINK
    https://www.a-d.site/remove-direct-assigned-licenses-for-users-with-group-licenses/

    .NOTES
    Written by: ALI TAJRAN
    Website:    www.a-d.site
    LinkedIn:   linkedin.com/in/a-d

    .CHANGELOG
    V1.00, 03/31/2024 - Initial version
#>

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Directory.Read.All, User.ReadWrite.All, Group.Read.All, Organization.Read.All"

# Get all groups with licenses assigned
$groupsWithLicenses = Get-MgGroup -All -Property AssignedLicenses, DisplayName, Id | Where-Object { $_.assignedlicenses } |
Select-Object DisplayName, Id -ExpandProperty AssignedLicenses

$Report = [System.Collections.Generic.List[Object]]::new()

# Check if there is any group that has licenses assigned or not
if ($null -ne $groupsWithLicenses) {
    # Loop through each group
    foreach ($group in $groupsWithLicenses) {
        # Get the group's licenses
        $groupLicenses = $group.SkuId

        # Get the group's members
        $groupMembers = Get-MgGroupMember -GroupId $group.Id -All

        # Check if the group member list is empty or not
        if ($groupMembers) {
            # Loop through each member
            foreach ($member in $groupMembers) {
                # Check if the member is a user
                if ($member.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user') {
                    # Get the user's direct licenses
                    Write-Host "Fetching license details for $($member.AdditionalProperties.displayName)" -ForegroundColor Yellow

                    # Get User With Directly Assigned Licenses Only
                    $user = Get-MgUser -UserId $member.Id -Property AssignedLicenses, LicenseAssignmentStates, DisplayName |
                    Select-Object DisplayName, AssignedLicenses -ExpandProperty LicenseAssignmentStates |
                    Where-Object { $null -eq $_.AssignedByGroup }

                    $licensesToRemove = @()
                    if ($user) {
                        if ($user.count -ge 2) {
                            foreach ($u in $user) {
                                $userLicenses = $u.SkuId
                                $licensesToRemove += $userLicenses | Where-Object { $_ -in $groupLicenses }
                            }
                        }
                        else {
                            $userLicenses = $user.SkuId
                            $licensesToRemove = $userLicenses | Where-Object { $_ -in $groupLicenses }
                        }
                    }
                    else {
                        Write-Host "No conflicting licenses found for the user $($member.AdditionalProperties.displayName)" -ForegroundColor Green
                    }

                    # Remove the licenses from the user (remove the -WhatIf parameter)
                    if ($licensesToRemove) {
                        Write-Host "Removing the license $($licensesToRemove) from user $($member.AdditionalProperties.displayName) as inherited from group $($group.DisplayName)" -ForegroundColor Green
                        $null = Set-MgUserLicense -UserId $member.Id -AddLicenses @() -RemoveLicenses $licensesToRemove -WhatIf
                        $ReportLine = [PSCustomObject]@{
                            User                      = $member.AdditionalProperties.displayName
                            Id                        = $member.Id
                            LicensesRemoved           = $licensesToRemove
                            LicenseInheritedFromGroup = $group.DisplayName
                            GroupId                   = $group.Id
                        }

                        $Report.Add($ReportLine)

                    }
                    else {
                        Write-Host "No action required for $($member.AdditionalProperties.displayName)" -ForegroundColor Green
                    }

                }
            }
        }
        else {
            Write-Host "The licensed group $($group.DisplayName) has no members, exiting now!!" -ForegroundColor Yellow
        }
    }

    # Display the results
    $Report | Format-Table -AutoSize
    $Report | Export-Csv -Path "C:\temp\DirectLicenseRemoval.csv" -NoTypeInformation -Encoding utf8
}
else {
    Write-Host "No groups found with licenses assigned." -ForegroundColor Cyan
}
  • Line 100: Edit the CSV file path
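
The script's check `$_ -in $groupLicenses` confirms only that the group carries the SKU, not that the member's inherited assignment is in the Active state. The following added example (not part of the original script; the function name Get-RedundantDirectSku and all sample GUIDs are constructed for illustration) marks a direct license as removable only when the same SKU is inherited from the group with State equal to Active, using the AssignedByGroup, SkuId and State properties of LicenseAssignmentStates:

```powershell
# Added example: decide which direct licenses are safe to remove for one user.
# Input mirrors the LicenseAssignmentStates property returned by Get-MgUser.
function Get-RedundantDirectSku {
    param(
        [Parameter(Mandatory)] [object[]] $AssignmentStates,
        [Parameter(Mandatory)] [string]   $GroupId
    )

    # SKUs that this group currently delivers to the user without error
    $activeFromGroup = $AssignmentStates |
        Where-Object { $_.AssignedByGroup -eq $GroupId -and $_.State -eq 'Active' } |
        ForEach-Object { $_.SkuId }

    foreach ($state in $AssignmentStates) {
        # Direct assignments carry no AssignedByGroup value; skip inherited ones
        if (-not [string]::IsNullOrEmpty($state.AssignedByGroup)) { continue }

        $safe   = $state.SkuId -in $activeFromGroup
        $reason = 'No active inherited assignment, keep the direct license'
        if ($safe) { $reason = 'Same SKU is inherited and active' }

        [PSCustomObject]@{
            SkuId        = $state.SkuId
            SafeToRemove = $safe
            Reason       = $reason
        }
    }
}

# Constructed sample data (not real tenant values)
$groupId = '11111111-1111-1111-1111-111111111111'
$skuA    = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
$skuB    = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'

$states = @(
    [PSCustomObject]@{ SkuId = $skuA; AssignedByGroup = $null;    State = 'Active' }
    [PSCustomObject]@{ SkuId = $skuA; AssignedByGroup = $groupId; State = 'Active' }
    [PSCustomObject]@{ SkuId = $skuB; AssignedByGroup = $null;    State = 'Active' }
    # Group assignment failed, so the direct license is the only working one
    [PSCustomObject]@{ SkuId = $skuB; AssignedByGroup = $groupId; State = 'Error' }
)

Get-RedundantDirectSku -AssignmentStates $states -GroupId $groupId |
    Format-Table -AutoSize
```

Against a tenant, the input would be the LicenseAssignmentStates of the user returned by Get-MgUser and the Id of the licensed group, and only rows with SafeToRemove set to True would be passed to Set-MgUserLicense.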

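Step 3. Run the Remove-DirectLicense PowerShell script

Run the command below to start the Remove-DirectLicense.ps1 script.

c:\scripts\.\Remove-DirectLicense.ps1

Important: The -WhatIf parameter is added to the script, so nothing changes in the environment when you run it. Once you are satisfied with the results, remove the -WhatIf parameter and rerun the script.

The PowerShell output shows which users the direct license will be removed from and which group the license is inherited from.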

The licensed group M365_Licenses_E3_Exchange has no members, exiting now!!
Fetching license details for Boris Campbell
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Boris Campbell as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Alison Bell
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Alison Bell as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Edward Lincoln
No conflicting licenses found for the user Edward Lincoln
No action required for Edward Lincoln
Fetching license details for Alysia Maverick
No conflicting licenses found for the user Alysia Maverick
No action required for Alysia Maverick
Fetching license details for Carol Baker
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Carol Baker as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Richard Grant
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Richard Grant as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Zoë Roberts
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Zoë Roberts as inherited from group M365_Licenses_E3_Base
What if: Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
Fetching license details for Amanda Morgan
No conflicting licenses found for the user Amanda Morgan
No action required for Amanda Morgan

Finally, it shows all the information in a table in the PowerShell console.

User           Id                                   LicensesRemoved                      LicenseInheritedFromGroup GroupId
----           --                                   ---------------                      ------------------------- -------
Boris Campbell 4b350521-7006-4a9d-ab11-9127fa9563db c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d
Alison Bell    77f04d81-fdf0-4604-810a-3a90fe4030e3 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d
Carol Baker    1e6461f3-b842-4891-bc57-cdea3d430b43 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d
Richard Grant  03e95a20-3652-4895-af25-6deed0856081 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d
Zoë Roberts    88db92fa-4a15-4e8f-a0c8-eeadd8fae52b c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d

Once everything looks good, we remove the -WhatIf parameter from the script and rerun the script.

The following output appears.

The licensed group M365_Licenses_E3_Exchange has no members, exiting now!!
Fetching license details for Boris Campbell
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Boris Campbell as inherited from group M365_Licenses_E3_Base
Fetching license details for Alison Bell
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Alison Bell as inherited from group M365_Licenses_E3_Base
Fetching license details for Edward Lincoln
No conflicting licenses found for the user Edward Lincoln
No action required for Edward Lincoln
Fetching license details for Alysia Maverick
No conflicting licenses found for the user Alysia Maverick
No action required for Alysia Maverick
Fetching license details for Carol Baker
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Carol Baker as inherited from group M365_Licenses_E3_Base
Fetching license details for Richard Grant
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Richard Grant as inherited from group M365_Licenses_E3_Base
Fetching license details for Zoë Roberts
Removing the license c42b9cae-ea4f-4ab7-9717-81576235ccac from user Zoë Roberts as inherited from group M365_Licenses_E3_Base
Fetching license details for Amanda Morgan
No conflicting licenses found for the user Amanda Morgan
No action required for Amanda Morgan

User           Id                                   LicensesRemoved                      LicenseInheritedFromGroup GroupId
----           --                                   ---------------                      ------------------------- -------
Boris Campbell 4b350521-7006-4a9d-ab11-9127fa9563db c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d
Alison Bell    77f04d81-fdf0-4604-810a-3a90fe4030e3 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d
Carol Baker    1e6461f3-b842-4891-bc57-cdea3d430b43 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d
Richard Grant  03e95a20-3652-4895-af25-6deed0856081 c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d
Zoë Roberts    88db92fa-4a15-4e8f-a0c8-eeadd8fae52b c42b9cae-ea4f-4ab7-9717-81576235ccac M365_Licenses_E3_Base     62dee815-d5c9-44ce-9085-e17f2c80734d

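Step 4. Open the direct license removal report

The Remove-DirectLicense.ps1 PowerShell script exports all Microsoft 365 users whose direct license was removed to a CSV file.

Find the file DirectLicenseRemoval.csv in the path C:\temp.

Open the CSV file with your favorite application. In our example, it is Microsoft Excel.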


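That's it!

Read more: Get MFA status in Microsoft Entra and PowerShell »

Conclusion

You learned how to remove directly assigned licenses for users with group licenses. Run the PowerShell script to get a list of the users from whom the direct license will be removed. When done, remove the -WhatIf parameter from the script and rerun it.

Did you enjoy this article? You may also like How to use Get-MgUser in PowerShell. Don't forget to follow us and share this article.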
