Azure Auditing – Licensed Vs Non-Licensed

Azure Auditing – Licensed Vs Non-Licensed

by | Feb 13, 2021 | Information Technology, PowerShell

Do you need to audit your azure tenant for Licensed users vs non-licensed users? There is a simple way to do this using the MSOnline module. If you don’t have the MSOline module installed, you will need to install it. The big thing is this module only works on Powershell 5.1. So, let’s install and import our Module

Install-Module -Name MSOnline -Force
Import-Module MSOnline

Next step is to connect to the tenant. We do this with connect-msolservice. If you are doing this via the console, you can use the -Credential flag. if you are using this from a script, you will need to setup the PS credential object yourself. In this example, we are going to use the default console. 

Connect-MsolService -Credential (Get-Credential)

Now we need to grab the users from the system. I want to grab all the users so we can audit accordingly. With the default Get-Msoluser you can select just the unlicensed users. You can even do the reconciled users. The way we get the all users is the -All flag. 

$Users = Get-MsolUser -All

To gather the difference between the licenses and the non-licensesd we will use a where-object command. 

$LicensedUsers = $Users | where-object {$_.islicensed -eq $true}
$UnLicensedUsers = $Users | where-object {$_.islicensed -eq $false}

Now we have a clear cut difference between the licensed and unlicensed users. We can continue to audit. If you just want the unlicensed users you can use the -UnlicensedUsersOnly flag. 

$UnLicensedUsers = Get-MsolUser -UnlicensedUsersOnly

Unlicensed users can contain things like contacts and service accounts. So be careful. However, it does show users that might need to be given licenses. To filter out the contacts, all you have to do is remove the UserType Guest.

$NoContactUnLicensedUsers = $UnlicensedUsers | where-object {$_.UserType -ne "Guest"}

If you want to see the contacts, then you can just reverse this command and use the -eq instead of -ne. 

$ContactUnLicensedUsers = $UnlicensedUsers | where-object {$_.UserType -eq "Guest"}

With the member only selected from the Unlicensed, you can review which ones needs the licenses and which ones do not.

Keep an look out, more azure auditing to come.