Set-MgUserLicense allows administrators to use Microsoft Graph to set a user's licenses. https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users.actions/set-mguserlicense?view=graph-powershell-1.0 Set-MgUserLicense calls the user:assignLicense Graph API to manage the user's licenses. https://learn.microsoft.com/en-us/graph/api/user-assignlicense?view=graph-rest-1.0&tabs=http
I recently worked a customer escalation where, when executing Set-MgUserLicense, the following error was noted:
Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.SetMgUserLicense_AssignExpanded
Set-MgUserLicense : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
When Microsoft Graph returns an insufficient privileges error, this generally means that the required permission scopes are missing from the user or from the Graph application registration running the command. According to the user:assignLicense API documentation, the least privileged permission is LicenseAssignment.ReadWrite.All and the higher privileged permissions are User.ReadWrite.All and Directory.ReadWrite.All.
Graph provides a way to review the authentication context, including the authorized scopes, using Get-MgContext. https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.authentication/get-mgcontext?view=graph-powershell-1.0. Reviewing the scopes after authentication displayed the following:
Get-MgContext | Select-Object -ExpandProperty Scopes
DeviceManagementManagedDevices.Read.All
UserAuthenticationMethod.Read.All
User.ReadWrite.All
Policy.ReadWrite.ApplicationConfiguration
Application.ReadWrite.All
Group.Read.All
Directory.ReadWrite.All
Directory.Read.All
User.Read.All
GroupMember.Read.All
DeviceManagementRBAC.Read.All
DeviceManagementManagedDevices.ReadWrite.All
Mail.Send
Organization.Read.All
AuditLog.Read.All
Policy.Read.All
DeviceManagementManagedDevices.PrivilegedOperations.All
The higher privileged scopes are present on the Graph connection, yet the insufficient privileges error continues. The following command was being used to set the user's licenses:
Set-MgUserLicense -UserId 'ObjectID' -AddLicenses @{SkuId = '38b434d2-a15e-4cde-9a98-e737c75623e1'} -RemoveLicenses @()
Looking up this SKU ID in the licensing service plan reference shows that it belongs to a Visio Plan 2 SKU (https://learn.microsoft.com/en-us/entra/identity/users/licensing-service-plan-reference). If you pay close attention to the table, you will see that the product name is Visio Plan 2, but the String ID is Visio_Plan2_Dept. The insufficient privileges message is actually a red herring in terms of how we would normally interpret this error. In this case the insufficient privileges do not come from missing Graph scopes but from the fact that this SKU cannot be directly assigned to a user. A department SKU can only be assigned by the Microsoft License Manager, which is a self-service license acquisition process driven by the user.
To correct the insufficient privileges error, the directly assignable Visio Plan 2 SKU was specified instead of the departmental one.
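The following script is an added example, not code from the original post or from the Microsoft Graph PowerShell SDK. It runs the two checks described above before calling Set-MgUserLicense: first that the session holds one of the scopes the user:assignLicense API accepts, then that the SKU ID resolves to a SKU in the tenant that is not a departmental one. The "_Dept" suffix test is an assumption generalized from the single Visio_Plan2_Dept case on this page; the $UserId and $SkuId parameter names are the script's own.

```powershell
# Added example (not from the original post): pre-flight checks for Set-MgUserLicense
# so that an Authorization_RequestDenied (403) can be attributed either to a missing
# Graph scope or to a departmental (self-service only) SKU before the call is made.
# Requires the Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
# and Microsoft.Graph.Users modules, and an existing Connect-MgGraph session.
param(
    [Parameter(Mandatory)] [string] $UserId,   # object ID or UPN of the target user
    [Parameter(Mandatory)] [string] $SkuId     # SKU GUID to assign
)

# Scopes accepted by the user:assignLicense API (from the API reference cited above).
$acceptedScopes = @('LicenseAssignment.ReadWrite.All', 'User.ReadWrite.All', 'Directory.ReadWrite.All')

$context = Get-MgContext
if (-not $context) { throw 'Not connected to Microsoft Graph. Run Connect-MgGraph first.' }

$granted = @($context.Scopes | Where-Object { $acceptedScopes -contains $_ })
if ($granted.Count -eq 0) {
    throw "Session lacks a license-assignment scope. Granted scopes: $($context.Scopes -join ', ')"
}
Write-Host "Scope check passed via: $($granted -join ', ')"

# Resolve the SKU GUID to its string ID (SkuPartNumber) in this tenant.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuId -eq $SkuId }
if (-not $sku) { throw "SKU $SkuId is not subscribed in tenant $($context.TenantId)." }

$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host "SKU $SkuId resolves to $($sku.SkuPartNumber) ($free free of $($sku.PrepaidUnits.Enabled))"

# Assumption (generalized from the Visio_Plan2_Dept case): string IDs ending in "_Dept"
# are departmental SKUs that only self-service acquisition can assign, so a direct
# Set-MgUserLicense is expected to fail with Authorization_RequestDenied.
if ($sku.SkuPartNumber -like '*_Dept') {
    Write-Warning "$($sku.SkuPartNumber) is a departmental SKU and cannot be assigned directly."
    Write-Host 'Non-departmental SKUs in this tenant (pick the directly assignable equivalent):'
    Get-MgSubscribedSku |
        Where-Object { $_.SkuPartNumber -notlike '*_Dept' } |
        Select-Object SkuPartNumber, SkuId,
            @{ Name = 'Free'; Expression = { $_.PrepaidUnits.Enabled - $_.ConsumedUnits } } |
        Format-Table -AutoSize
    return
}

if ($free -le 0) { throw "No free units remain for $($sku.SkuPartNumber)." }

# Both checks passed: assign the license and confirm it now appears on the user.
Set-MgUserLicense -UserId $UserId -AddLicenses @{ SkuId = $SkuId } -RemoveLicenses @()
Get-MgUserLicenseDetail -UserId $UserId | Select-Object SkuPartNumber, SkuId
```

Run it as `.\Test-LicenseAssignment.ps1 -UserId <objectId> -SkuId 38b434d2-a15e-4cde-9a98-e737c75623e1` (the file name is the example's own) and the departmental warning fires before any Graph write is attempted; with a non-departmental SKU ID the script proceeds to the assignment and echoes the user's license details so the result can be verified in the same session.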