LicenseAssignment.ReadWrite.All
Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated
Read/Write
All Resources
Allows an app to manage license assignments for users and groups, without a signed-in user.
Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access
App-Only Access
Permission Details
Application Permission
Manage all license assignments
Allows an app to manage license assignments for users and groups, without a signed-in user.
Permission ID:
5facf0c1-8979-4e95-abcf-ff3d079771c0
Delegated Permission
Admin consent required
Manage all license assignments
Allows an app to manage license assignments for users and groups, on behalf of the signed-in user.
User sees: Allows the app to manage all license assignments, on your behalf.
Permission ID:
f55016cc-149c-447e-8f21-7cf3ec1d6350
Properties
Microsoft Graph v1.0
endpoint-derived-docs
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
allowExternalSenders |
BooleanNullable |
Indicates if people external to the organization can send messages to the group. The default value is false. , , Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
assignedLabels |
assignedLabel collection |
The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. , , Returned only on $select. This property can be updated only in delegated scenarios where the caller requires both the Microsoft Graph permission and a supported administrator role. |
assignedLicenses |
assignedLicense collection |
The licenses that are assigned to the group. , , Returned only on $select. Supports $filter (eq). Read-only. |
autoSubscribeNewMembers |
BooleanNullable |
Indicates if new members added to the group are autosubscribed to receive email notifications. You can set this property in a PATCH request for the group; don't set it in the initial POST request that creates the group. Default value is false. , , Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
classification |
StringNullable |
Describes a classification for the group (such as low, medium, or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition., , Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith). |
createdDateTime |
DateTimeOffsetNullable |
Timestamp of when the group was created. The value can't be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. , , Returned by default. Read-only. |
deletedDateTime |
DateTimeOffsetNullable |
For some Microsoft Entra objects (user, group, application), if the object is deleted, it's first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null. Inherited from directoryObject. |
description |
StringNullable |
An optional description for the group. , , Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith) and $search. |
displayName |
StringNullable |
The display name for the group. This property is required when a group is created and can't be cleared during updates. Maximum length is 256 characters. , , Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
expirationDateTime |
DateTimeOffsetNullable |
Timestamp of when the group is set to expire. It's null for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. , , Returned by default. Supports $filter (eq, ne, not, ge, le, in). Read-only. |
groupTypes |
String collection |
Specifies the group type and its membership. , , If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview., , If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static. , , Returned by default. Supports $filter (eq, not). |
hasMembersWithLicenseErrors |
BooleanNullable |
Indicates whether there are members in this group that have license errors from its group-based license assignment. , , This property is never returned on a GET operation. You can use it as a $filter argument to get groups that have members with license errors (that is, filter for this property being true). See an example. , , Supports $filter (eq). |
hideFromAddressLists |
BooleanNullable |
True if the group isn't displayed in certain parts of the Outlook UI: the Address Book, address lists for selecting message recipients, and the Browse Groups dialog for searching groups; otherwise, false. The default value is false. , , Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
hideFromOutlookClients |
BooleanNullable |
True if the group isn't displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. The default value is false. , , Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
id |
String |
The unique identifier for the group. , , Returned by default. Inherited from directoryObject. Key. Not nullable. Read-only., , Supports $filter (eq, ne, not, in). |
Showing 15 of 74 properties.
JSON Representation
Microsoft Graph v1.0
endpoint-derived-docs
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
JSON representation
{
"allowExternalSenders": "Boolean",
"acceptedSenders": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"assignedLicenses": [
{
"@odata.type": "microsoft.graph.assignedLicense"
}
],
"autoSubscribeNewMembers": "Boolean",
"calendar": {
"@odata.type": "microsoft.graph.calendar"
},
"calendarView": [
{
"@odata.type": "microsoft.graph.event"
}
],
"classification": "String",
"conversations": [
{
"@odata.type": "microsoft.graph.conversation"
}
],
"createdDateTime": "String (timestamp)",
"createdOnBehalfOf": {
"@odata.type": "microsoft.graph.directoryObject"
},
"deletedDateTime": "String (timestamp)",
"description": "String",
"displayName": "String",
"drive": {
"@odata.type": "microsoft.graph.drive"
},
"events": [
{
"@odata.type": "microsoft.graph.event"
}
],
"groupTypes": [
"String"
],
"hasMembersWithLicenseErrors": "Boolean",
"hideFromAddressLists": "Boolean",
"hideFromOutlookClients": "Boolean",
"id": "String (identifier)",
"isAssignableToRole": "Boolean",
"isManagementRestricted": "Boolean",
"isSubscribedByMail": "Boolean",
"licenseProcessingState": "String",
"mail": "String",
"mailEnabled": "Boolean",
"mailNickname": "String",
"memberOf": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"members": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"membersWithLicenseErrors": [
{
"@odata.type": "microsoft.graph.user"
}
],
"onPremisesDomainName": "String",
"onPremisesLastSyncDateTime": "String (timestamp)",
"onPremisesNetBiosName": "String",
"onPremisesProvisioningErrors": [
{
"@odata.type": "microsoft.graph.onPremisesProvisioningError"
}
],
"onPremisesSecurityIdentifier": "String",
"onPremisesSyncEnabled": "Boolean",
"owners": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"preferredDataLocation": "String",
"proxyAddresses": [
"String"
],
"photo": {
"@odata.type": "microsoft.graph.profilePhoto"
},
"photos": [
{
"@odata.type": "microsoft.graph.profilePhoto"
}
],
"rejectedSenders": [
{
"@odata.type": "microsoft.graph.directoryObject"
}
],
"renewedDateTime": "String (timestamp)",
"resourceBehaviorOptions": [
"String"
],
"resourceProvisioningOptions": [
"String"
],
"securityEnabled": "Boolean",
"securityIdentifier": "String",
"serviceProvisioningErrors": [
{
"@odata.type": "microsoft.graph.serviceProvisioningXmlError"
}
],
"sites": [
{
"@odata.type": "microsoft.graph.site"
}
],
"threads": [
{
"@odata.type": "microsoft.graph.conversationThread"
}
],
"uniqueName": "String",
"unseenCount": "Int32",
"visibility": "String"
}Relationships
Microsoft Graph v1.0
endpoint-derived-docs
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
acceptedSenders |
directoryObject collection |
The list of users or groups allowed to create posts or calendar events in this group. If this list is nonempty, then only users or groups listed here are allowed to post. |
appRoleAssignments |
appRoleAssignment collection |
Represents the app roles granted to a group for an application. Supports $expand. |
calendar |
calendar |
The group's calendar. Read-only. |
calendarView |
event collection |
The calendar view for the calendar. Read-only. |
conversations |
conversation collection |
The group's conversations. |
createdOnBehalfOf |
directoryObject |
The user (or application) that created the group. NOTE: This property isn't set if the user is an administrator. Read-only. |
drive |
drive |
The group's default drive. Read-only. |
drives |
drive collection |
The group's drives. Read-only. |
events |
event collection |
The group's calendar events. |
extensions |
extension collection |
The collection of open extensions defined for the group. Read-only. Nullable. |
groupLifecyclePolicies |
groupLifecyclePolicy collection |
The collection of lifecycle policies for this group. Read-only. Nullable. |
memberOf |
directoryObject collection |
Groups that this group is a member of. HTTP Methods: GET (supported for all groups). Read-only. Nullable. Supports $expand. |
members |
directoryObject collection |
The members of this group, who can be users, devices, other groups, or service principals. Supports the List members, Add member, and Remove member operations. Nullable. , Supports $expand including nested $select. For example, /groups?$filter=startsWith(displayName,'Role')&$select=id,displayName&$expand=members($select=id,userPrincipalName,displayName). |
membersWithLicenseErrors |
User collection |
A list of group members with license errors from this group-based license assignment. Read-only. |
onenote |
Onenote |
Read-only. |
owners |
directoryObject collection |
The owners of the group who can be users or service principals. Limited to 100 owners. Nullable. <liIf this property isn't specified when creating a Microsoft 365 group the calling user (admin or non-admin) is automatically assigned as the group owner. <liA non-admin user can't explicitly add themselves to this collection when they're creating the group. For more information, see the related known issue. <liFor security groups, the admin user isn't automatically added to this collection. For more information, see the related known issue., , Supports $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1); Supports $expand including nested $select. For example, /groups?$filter=startsWith(displayName,'Role')&$select=id,displayName&$expand=owners($select=id,userPrincipalName,displayName). |
photo |
profilePhoto |
The group's profile photo |
photos |
profilePhoto collection |
The profile photos owned by the group. Read-only. Nullable. |
planner |
plannerGroup |
Entry-point to Planner resource that might exist for a Unified Group. |
rejectedSenders |
directoryObject collection |
The list of users or groups not allowed to create posts or calendar events in this group. Nullable |
settings |
groupSetting collection |
Settings that can govern this group's behavior, like whether members can invite guests to the group. Nullable. |
sites |
site collection |
The list of SharePoint sites in this group. Access the default site with /sites/root. |
team |
channel collection |
The team associated with this group. |
threads |
conversationThread collection |
The group's conversation threads. Nullable. |
transitiveMemberOf |
directoryObject collection |
The groups that a group is a member of, either directly or through nested membership. Nullable. |
transitiveMembers |
directoryObject collection |
The direct and transitive members of a group. Nullable. |
assignedLabels |
assignedLabel collection |
The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. Returned only on $select. This property can be updated only in delegated scenarios where the caller requires both the Microsoft Graph permission and a supported administrator role. |
assignedLicenses |
assignedLicense collection |
The licenses that are assigned to the group. Returned only on $select. Supports $filter (eq). Read-only. |
groupTypes |
string collection |
Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview.If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static. Returned by default. Supports $filter (eq, not). |
onPremisesProvisioningErrors |
onPremisesProvisioningError collection |
Errors when using Microsoft synchronization product during provisioning. Returned by default. Supports $filter (eq, not). |
permissionGrants |
resourceSpecificPermissionGrant collection |
Related permissionGrants data exposed by this resource. |
proxyAddresses |
string collection |
Email addresses for the group that direct to the same group mailbox. For example: ['SMTP: [email protected]', 'smtp: [email protected]']. The any operator is required to filter expressions on multi-valued properties. Returned by default. Read-only. Not nullable. Supports $filter (eq, not, ge, le, startsWith, endsWith, /$count eq 0, /$count ne 0). |
Graph Methods
Delegated access
App-only access
Exact Microsoft Learn match
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
POST
/groups/{id}/assignLicense
|
POST
/users/{id | userPrincipalName}/assignLicense
|
Exact Microsoft Learn match
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
POST
/groups/{id}/assignLicense
|
POST
/users/{id | userPrincipalName}/assignLicense
|
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
| Commands |
|---|
Set-MgGroupLicense
/groups/{id}/assignLicense
group: assignLicense
|
Set-MgUserLicense
/users/{id | userPrincipalName}/assignLicense
user: assignLicense
|
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
| Commands |
|---|
Set-MgBetaGroupLicense
/groups/{id}/assignLicense
group: assignLicense
|
Set-MgBetaUserLicense
/users/{id | userPrincipalName}/assignLicense
user: assignLicense
|
Code Examples
C# / .NET SDK
group: assignLicense
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Groups.Item.AssignLicense;
using Microsoft.Graph.Models;
var requestBody = new AssignLicensePostRequestBody
{
AddLicenses = new List<AssignedLicense>
{
new AssignedLicense
{
DisabledPlans = new List<Guid?>
{
Guid.Parse("113feb6c-3fe4-4440-bddc-54d774bf0318"),
Guid.Parse("14ab5db5-e6c4-4b20-b4bc-13e36fd2227f"),
},
SkuId = Guid.Parse("b05e124f-c7cc-45a0-a6aa-8cf78c946968"),
},
new AssignedLicense
{
DisabledPlans = new List<Guid?>
{
Guid.Parse("a413a9ff-720c-4822-98ef-2f37c2a21f4c"),
},
SkuId = Guid.Parse("c7df2760-2c81-4ef7-b578-5b5392b571df"),
},
},
RemoveLicenses = new List<string>
{
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Groups["{group-id}"].AssignLicense.PostAsync(requestBody);
JavaScript
group: assignLicense
const options = {
authProvider,
};
const client = Client.init(options);
const group = {
addLicenses: [
{
disabledPlans: [
'113feb6c-3fe4-4440-bddc-54d774bf0318',
'14ab5db5-e6c4-4b20-b4bc-13e36fd2227f'
],
skuId: 'b05e124f-c7cc-45a0-a6aa-8cf78c946968'
},
{
disabledPlans: [
'a413a9ff-720c-4822-98ef-2f37c2a21f4c'
],
skuId: 'c7df2760-2c81-4ef7-b578-5b5392b571df'
}
],
removeLicenses: []
};
await client.api('/groups/1132b215-826f-42a9-8cfe-1643d19d17fd/assignLicense')
.post(group);
PowerShell
group: assignLicense
Import-Module Microsoft.Graph.Groups
$params = @{
addLicenses = @(
@{
disabledPlans = @(
"113feb6c-3fe4-4440-bddc-54d774bf0318"
"14ab5db5-e6c4-4b20-b4bc-13e36fd2227f"
)
skuId = "b05e124f-c7cc-45a0-a6aa-8cf78c946968"
}
@{
disabledPlans = @(
"a413a9ff-720c-4822-98ef-2f37c2a21f4c"
)
skuId = "c7df2760-2c81-4ef7-b578-5b5392b571df"
}
)
removeLicenses = @(
)
}
Set-MgGroupLicense -GroupId $groupId -BodyParameter $params
Python
group: assignLicense
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.groups.item.assign_license.assign_license_post_request_body import AssignLicensePostRequestBody
from msgraph.generated.models.assigned_license import AssignedLicense
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AssignLicensePostRequestBody(
add_licenses = [
AssignedLicense(
disabled_plans = [
UUID("113feb6c-3fe4-4440-bddc-54d774bf0318"),
UUID("14ab5db5-e6c4-4b20-b4bc-13e36fd2227f"),
],
sku_id = UUID("b05e124f-c7cc-45a0-a6aa-8cf78c946968"),
),
AssignedLicense(
disabled_plans = [
UUID("a413a9ff-720c-4822-98ef-2f37c2a21f4c"),
],
sku_id = UUID("c7df2760-2c81-4ef7-b578-5b5392b571df"),
),
],
remove_licenses = [
],
)
result = await graph_client.groups.by_group_id('group-id').assign_license.post(request_body)App Registration
1
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
2
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
3
Select Permission Type
Choose Application permissions or delegated permissions and search for LicenseAssignment.ReadWrite.All
4
Grant Admin Consent
Application permissions always require admin consent.