Back to Implement and Manage User Identities

License Assignment, Modification, and Reporting

5 minutes 5 Questions

License Assignment, Modification, and Reporting is a critical aspect of managing user identities in Microsoft Entra ID (formerly Azure AD). It involves allocating, adjusting, and tracking Microsoft 365 and other cloud service licenses across an organization. **License Assignment** can be performed…

License Assignment, Modification, and Reporting in Microsoft Entra ID (SC-300)

Why Is License Assignment, Modification, and Reporting Important?

License management is a foundational aspect of identity governance in Microsoft Entra ID (formerly Azure AD). Organizations invest heavily in Microsoft 365, Enterprise Mobility + Security (EMS), and other cloud services. Properly assigning, modifying, and reporting on licenses ensures that:

• Users have the right access: Users need appropriate licenses to use services like Exchange Online, Microsoft Teams, Intune, and Azure AD Premium features (Conditional Access, PIM, Identity Protection). Without the correct license, users cannot leverage these security and productivity features.
• Cost optimization: Over-licensing wastes budget, while under-licensing can cause compliance issues and service disruptions.
• Compliance and auditing: Organizations must demonstrate proper license usage during audits. Reporting capabilities help administrators track license consumption and identify discrepancies.
• Security posture: Many advanced security features in Microsoft Entra ID (such as Conditional Access, Identity Protection, and Privileged Identity Management) require Azure AD Premium P1 or P2 licenses. If these licenses are not properly assigned, critical security controls may not function.

What Is License Assignment in Microsoft Entra ID?

License assignment is the process of granting specific Microsoft service plans to users so they can access cloud-based applications and features. Microsoft uses a subscription-based licensing model where organizations purchase licenses (e.g., Microsoft 365 E3, E5, EMS E5) and assign them to individual users or groups.

There are two primary methods of license assignment:

1. Direct Assignment: An administrator manually assigns a license to a specific user through the Microsoft Entra admin center, Microsoft 365 admin center, or PowerShell/Microsoft Graph API.

2. Group-Based Licensing (GBL): Licenses are assigned to a Microsoft Entra ID security group or Microsoft 365 group. Any user who is a member of the group automatically receives the license. When a user is removed from the group, the license is automatically removed. This is the recommended approach for organizations at scale.

How License Assignment Works

Direct Assignment Process:
1. Navigate to Microsoft Entra admin center → Users → Select a user → Licenses
2. Click + Assignments
3. Select the desired license (e.g., Microsoft 365 E5)
4. Optionally toggle individual service plans on or off (e.g., disable Yammer but enable Teams)
5. Save the assignment

Group-Based Licensing Process:
1. Navigate to Microsoft Entra admin center → Groups → Select or create a group
2. Go to the Licenses blade of the group
3. Assign one or more license SKUs to the group
4. Optionally disable specific service plans within the license
5. All current and future members of the group automatically receive the assigned licenses
6. If a user is removed from the group, the license is automatically unassigned (unless they receive the same license from another group or direct assignment)

Key Concepts:

• Service Plans: Each license SKU (e.g., Microsoft 365 E5) contains multiple service plans (e.g., Exchange Online, SharePoint Online, Teams, Intune, Azure AD Premium P2). Administrators can enable or disable individual service plans.
• License Conflicts: When a user receives the same service plan from multiple sources (e.g., two different group assignments or a group + direct assignment), Microsoft Entra ID handles this gracefully — the user gets the service plan once. However, you should be aware of potential processing errors.
• Processing Errors: Group-based licensing can encounter errors such as insufficient licenses (not enough licenses available), conflicting service plans, or dependency issues (a required service plan is disabled). These errors are visible in the group's license processing status.
• License Assignment States: A license can be in an active, error, or disabled state depending on processing results.

How License Modification Works

Modifying licenses involves changing the service plans within an assigned license or switching a user from one license SKU to another:

• Toggling Service Plans: You can enable or disable specific service plans within an assigned license. For example, you may want to disable Power BI for certain users while keeping the rest of their Microsoft 365 E5 services active.
• Changing SKUs: If a user needs to move from E3 to E5, you can assign the new license and remove the old one. With group-based licensing, this involves moving the user from one group to another.
• Bulk Modifications: Using PowerShell (Microsoft Graph PowerShell SDK) or the Microsoft Graph API, administrators can modify licenses for many users simultaneously.

How License Reporting Works

Microsoft provides several tools for license reporting:

• Microsoft Entra Admin Center: Under Licenses → All Products, administrators can see the total number of licenses purchased, assigned, and available for each SKU. You can also drill into individual products to see which users have been assigned that license.
• Microsoft 365 Admin Center: The Billing → Licenses section provides an overview of license usage across all subscriptions.
• Microsoft Graph API: Programmatic access to license data using endpoints like /subscribedSkus (to list available licenses) and /users/{id}/licenseDetails (to see a user's assigned licenses).
• PowerShell: The Get-MgUserLicenseDetail and Get-MgSubscribedSku cmdlets allow administrators to generate reports on license assignments.
• Azure Monitor / Log Analytics: Audit logs capture license assignment and removal events, enabling historical reporting and alerting.
• Group-Based Licensing Reports: The group's Licenses blade shows processing status, including users with errors, making it easy to identify and remediate issues.

Common Reporting Scenarios:
• Identify users without a required license (e.g., users who need Azure AD Premium P2 for PIM)
• Find unused or underutilized licenses for cost optimization
• Audit license changes over time using sign-in and audit logs
• Detect and resolve group-based licensing errors

How to Answer Exam Questions on License Assignment, Modification, and Reporting

The SC-300 exam tests your practical understanding of license management as part of implementing and managing user identities. Here is how to approach these questions:

1. Understand the Scenario Context: Read the question carefully to determine whether it is asking about a single user, a group of users, or an entire organization. This helps you determine whether direct assignment, group-based licensing, or PowerShell/Graph is the best answer.

2. Know When to Use Group-Based Licensing: If the question describes a scenario involving dynamic or large-scale license management (e.g., "automatically assign licenses to all users in the Sales department"), the answer is almost always group-based licensing combined with dynamic groups.

3. Recognize Error Scenarios: Questions may describe a situation where users are not receiving expected services. Look for clues about insufficient licenses, conflicting service plans, or disabled dependencies. The resolution typically involves checking the group's license processing status.

4. Know the Tools: Be familiar with where to perform license operations — Microsoft Entra admin center, Microsoft 365 admin center, PowerShell, and Microsoft Graph. The exam may ask which tool or portal to use for a specific task.

5. Understand Prerequisites: Group-based licensing requires at least an Azure AD Premium P1 (Microsoft Entra ID P1) license. Direct assignment is available in all tiers.

Exam Tips: Answering Questions on License Assignment, Modification, and Reporting

✅ Tip 1: Group-Based Licensing requires Azure AD Premium P1. If a question asks about automating license assignment using groups and lists answer options, remember that this feature is not available in the free tier. The organization must have P1 or P2.

✅ Tip 2: Dynamic groups + group-based licensing = automation. A very common exam pattern involves creating a dynamic group based on a user attribute (e.g., department = "Engineering") and assigning licenses to that group. This combination ensures new hires automatically get the right licenses.

✅ Tip 3: Watch for "least administrative effort" questions. When the question asks for the solution that requires the least administrative effort, group-based licensing is preferred over direct assignment, and dynamic groups are preferred over manually managed groups.

✅ Tip 4: Understand license inheritance and conflicts. A user can receive the same license from both a direct assignment and a group assignment. Removing the group assignment does NOT remove the direct assignment. Be careful with questions that ask what happens when a user is removed from a group.

✅ Tip 5: Know where to find license errors. Group-based licensing errors are found on the group's Licenses blade in the Microsoft Entra admin center. Individual user licensing errors can also be seen on the user's Licenses blade. The exam may present a troubleshooting scenario.

✅ Tip 6: Service plan dependencies matter. Some service plans depend on others. For example, if you disable Exchange Online but try to enable a feature that depends on it, you will get a dependency error. If a question describes such a conflict, the answer involves enabling the prerequisite service plan.

✅ Tip 7: For reporting questions, know the difference between tools. The Microsoft Entra admin center Licenses blade shows current assignments. Audit logs (available in Azure Monitor or the Entra admin center under Audit Logs) show historical changes. Microsoft Graph API is used for programmatic/automated reporting.

✅ Tip 8: PowerShell cmdlets to know. Be familiar with Set-MgUserLicense (to assign or remove licenses), Get-MgUserLicenseDetail (to view a user's licenses), and Get-MgSubscribedSku (to view available licenses in the tenant). The exam may present PowerShell-based scenarios.

✅ Tip 9: Disabling service plans within a license. Both direct and group-based licensing allow you to selectively disable individual service plans. If a question asks how to assign Microsoft 365 E5 but prevent users from accessing a specific service, the answer is to disable that service plan within the license assignment — not to assign a different SKU.

✅ Tip 10: Reprocessing licenses. If group-based licensing encounters an error (e.g., not enough licenses), you can resolve the issue (e.g., purchase more licenses) and then reprocess the group to retry the assignment. The exam may test this workflow.

By mastering these concepts and practicing with scenario-based questions, you will be well-prepared to handle any license assignment, modification, and reporting questions on the SC-300 exam.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

Unlock Premium Access

Microsoft Identity and Access Administrator + ALL Certifications

Access to ALL Certifications: Study for any certification on our platform with one subscription
3060 Superior-grade Microsoft Identity and Access Administrator practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
SC-300: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

More License Assignment, Modification, and Reporting questions

45 questions (total)

Start 45 question test