Find who assigned licenses to users

Iron Contributor

Hi,

I need to get a report of who is assigning licenses to users. 
We're using AAD groups to manage licensing, but a lot of licensing is done directly and we need to find that.

I've tried to search in AzureAD on audit logs and also used a script to get the same date with the command:

 

Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Formatted -ResultSize 5000 -Operations "Change user license"

 

I've gave my own user a PowerBI Pro license directly to check the logs after, but I can't find a way to understand what was the license type that was added or removed from a user based on the audit log.

Has anyone found a way to get this kind of information?
Thanks

4 Replies
You have to include "related" events too, as "change user license" does not expose the full details. Just one of many, many quirks you have to live with...

As taken from: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-activities?view=o365-worldwide#...

Changed user license Change user license. The license assigned to a user what changed. To see what licenses were changes, see the corresponding Updated user activity.

@VasilMichev 

Hi,

Thanks for the feedback. Well, based on the link you posted, I made 3 types of tests, but still trying to figure out how to extract the information I need.

1st - I went to compliance.microsoft.com and created an audit search for the activities 

"Change user license" and "Update User", for my user. As a result I can see 3 "Update User" activities and 1 "Change user license" activity. When I open each activity to see it's details, I can see the basic data, and some JSON values on "ExtendedProperties", "ModifiedProperties", "Actor" and "Target". I would say that the values that would of interest (the license that was issued) should be on "ModifiedProperties", but that field is always empty. Also, I cannot see PowerBI anywhere.
2nd - I found a nice script here: https://office365itpros.com/2022/10/14/azure-ad-license-assignment-report/ for my purpose. I run the script, but the results are a bit inconsistent and in the end the column that should display the license is empty. Screenshot attached. Screenshot_2_censored.jpg
3rd - I went to AzureAD, to my user and to Audit Logs. I can see the same 3 "Update User" activities and 1 "Change user license" activity. In this case the "Update user" activity has some populated fields on "Additional Details", on a field named "b", with a lot of information. I can see the text "PowerBI" there, but I don't know how to parse this information. Screenshot attached.
Screenshot_3.png
 
So my conclusion is that only on Azure AD I have the correct information. Do you know how to parse this information?
Thanks
Modified Properties should contain the AssignedLicenses blob and its values before and after the changes. If you want to do a search, use the SKU GUID, not the name.
You mean "Modified Properties" in what of the above scenarios? 1st, 2nd or 3rd?