Cloud Licensing Aims to Make Microsoft 365 Licensing Data Easier to Access

Microsoft 365 licensing is much more complicated than it was even a few years ago. Microsoft’s page detailing product names and identifiers for licensing includes a CSV file with details of the various licenses. As of August 19, 2024, the CSV includes 555 different licenses and 714 individual service plans. To be clear, a license is a product (SKU) that Microsoft sells to customers, like Office 365 E3. A service plan is a licensable component within a product. For instance, Microsoft 365 E5 includes 86 service plans spanning everything from Mesh Avatars for Teams to Microsoft Defender for Identity.

The permutations and combinations of valid licenses that can be assigned to individual user accounts can slow down license processing. The Graph defines assigned licenses as a resource type and includes methods to list license details and assign licenses (including license removal or disablement of individual service plans). These methods have been available for several years and can also be called using Microsoft Graph PowerShell SDK cmdlets like Set-MgUserLicense (here’s an example).

Cloud Licensing Graph API

Administrative consoles like the Microsoft 365 admin center call the Graph APIs to list and assign licenses. Some of the sections of the console that deal with licenses are not particularly quick when fetching and displaying information, and this is what might be leading Microsoft to cloud licensing, a new Graph API currently in beta. The description for cloud licensing says that it “improves license management by breaking down licenses from various subscriptions into smaller, manageable pools called allotments. The association of licenses to their unique subscriptions enables more granular accounting and reporting for an organization.”

Cloud licensing includes the usageRight resource type to fetch information about the licenses and service plans available to user accounts and to the groups used for group-based assignment.

Retrieving Usage Rights

For example, here’s how to list the usage rights available to a group used for group-based assignment. The results show that licenses for 3 products are granted. Anyone receiving licenses through this method has usage rights to the services covered by the licenses.

$Uri = “https://graph.microsoft.com/beta/groups/ebe02ef6-c696-4cdb-92d1-011a6c2a02d2/cloudlicensing/usagerights”
$Data = Invoke-MgGraphRequest -Uri $Uri -Method GET | Select-Object -ExpandProperty Value
$Data

Name Value
—- —–
services {EXCHANGE_S_FOUNDATION, Microsoft Stream}
skuPartNumber STREAM
id lotmbw4kyvnj36bhtnji6lftbjgddctboeksk3gct4iz3eku3zq4
skuId 1f2f344a-700d-42c9-9427-5cea1d5d7ba6
services {EXCHANGE_S_FOUNDATION, DYN365_CDS_VIRAL, FLOW_P2_VIRAL}
skuPartNumber FLOW_FREE
id l2zmjxukqup5r7lgtib563ftbnocbw3veqacc6gd35iytrkvtj2z
skuId f30db892-07e9-47e9-837c-80727f46fd3d
services {PURVIEW_DISCOVERY, EXCHANGE_S_FOUNDATION, BI_AZURE_P0}
skuPartNumber POWER_BI_STANDARD
id l6tyltw2qbpmtllcr5lm42hdb4gcldrfefkgioed35kztriazjyz
skuId a403ebcc-fae0-4ca2-8c8c-7a907fd6c235

This command finds the usage rights available to a user account. Note that the URI requires the user account identifier. You cannot refer to the user account by its user principal name.

$Uri = “https://graph.microsoft.com/beta/users/aff4cd58-1bb8-4899-94de-795f656b4a18/cloudLicensing/usageRights”
$Data = Invoke-MgGraphRequest -Uri $Uri -Method GET | Select-Object -ExpandProperty Value

Name Value
—- —–
services {COPILOT_STUDIO_IN_COPILOT_FOR_M365, M365_COPILOT_SHAREPOINT, GRAPH_CONNECTORS_COPILOT, M365_COP…
skuPartNumber Microsoft_365_Copilot
id inwf6tzow4n4v6f4cr6pyldtbfgcgwr7q6utok5dqi3ytjsyquwf
skuId 639dec6b-bb19-468b-871c-c5c441c4b0cb
…

The usage rights data returned by the request is exactly the same as can be retrieved through the licenseDetails resource type (or the Get-MgUserLicenseDetail cmdlet, as used in the Microsoft 365 licensing report script, which covers both direct and group-based assignments):

$Uri = “https://graph.microsoft.com/beta/users/eff4cd58-1bb8-4899-94de-795f656b4a18/licenseDetails”
$Data = Invoke-MgGraphRequest -Uri $Uri -Method GET | Select-Object -ExpandProperty Value
$Data

Name Value
—- —–
servicePlans {COPILOT_STUDIO_IN_COPILOT_FOR_M365, M365_COPILOT_SHAREPOINT, GRAPH_CONNECTORS_COPILOT, M365_COP…
skuPartNumber Microsoft_365_Copilot
id PzFitvwUokOaetLif080eGvsnWMZu4tGhxzFxEHEsMs
skuId 639dec6b-bb19-468b-871c-c5c441c4b0cb

Some of the documented uses don’t work. For example, this command should find if the specified user account has a usage right for Teams:

$Uri = “https://graph.microsoft.com/beta/users/aff4cd58-1bb8-4899-94de-795f656b4a18/cloudLicensing/usageRights?`$filter=services/any(c:c/planId eq 57ff2da0-773e-42df-b2af-ffb7a2317929)”

However, any attempt to find usage rights with a filter against a specific service plan results in a 403 forbidden error. Some of the error text refers to a private preview, so this command might not yet be available in the wild.

Puzzled by the Cloud Licensing API

I’m puzzled by the new API because I don’t know what extra Microsoft wants to achieve from usage rights over the current licensing APIs. It might be that a usage right is a faster way to lookup if a user account has the license required to access a feature. This would be valuable especially in large tenants where hundreds of thousands of licenses might be present. It could be that allotments of licenses could be managed by administrative units or geographies in a multi-geo Microsoft 365 tenant to enable more granular control over license allocation and spend.

All of this is guesswork. In time, no doubt Microsoft will explain the value and intent of the Cloud Licensing API (platform), usage rights, and allotments.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.