Muokkaa

Jaa


Assign licenses to users so they can enroll devices in Intune

Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign each user an Intune Plan 1 license before users can enroll their devices in Intune. For a list of licenses, see Microsoft Intune licensing.

Note

Users assigned Intune app protection policy and not enrolling their devices into Microsoft Intune will also require an Intune license to receive policy.

Assign an Intune license in the Microsoft Intune admin center

You can use the Microsoft Intune admin center to manually add cloud-based users and assign licenses to both cloud-based user accounts and accounts synchronized from your on-premises Active Directory to Microsoft Entra ID.

  1. In the Microsoft Intune admin center, select Users > All Users > choose a user > Licenses > Assignments.

  2. Choose the box for Intune > Save. If you want to use the Enterprise Mobility + Security E5 or other license, choose that box instead.

    Screenshot of the Microsoft 365 admin center Product licenses section.

  3. The user account now has the permissions needed to use the service and enroll devices into management.

Assign an Intune license by using Microsoft Entra ID

You can also assign Intune licenses to users by using Microsoft Entra ID. For more information, see the License users in Microsoft Entra article.

Use School Data Sync to assign licenses to users in Intune for Education

If you are an educational organization, you can use School Data Sync (SDS) to assign Intune for Education licenses to synced users. Just choose the Intune for Education checkbox when you're setting up your SDS profile.

Screenshot of SDS profile setting

When you assign an Intune for Education license, make sure that Intune A Direct license is also assigned.

Screenshot of product license set up

See this overview of School Data Sync to learn more about SDS.

How user and device licenses affect access to services

  • Each user that you assign a user software license to may access and use the online services and related software (including System Center software) to manage applications and up to 15 MDM devices.
  • You can purchase licenses for any devices separately from user licenses. Device licenses do not need to be assigned to the devices. Each device that accesses and uses the online services and related software (including System Center software) must have a device license available in the Microsoft 365 tenant.
  • If a device is used by more than one user, each device requires a device based software license or all users require a user software license.
  • If you remove a license from a user that has managed devices, it may affect the compliance or management of those devices.

How to restore users accidentally unlicensed

  • If you have accidentally removed the license for one or more users, you can restore their device compliance and management by re-assigning the license for those users. For more information, see Assign Microsoft Intune licenses.

Understanding the type of licenses you have purchased

How you purchased Intune determines your subscription information:

  • If you purchased Intune through an Enterprise Agreement, you can find your subscription information in the Volume License portal under Subscriptions.
  • If you purchased Intune through a Cloud Solution Provider, check with your reseller.
  • If you purchased Intune with a CC# or Invoice, then your licenses will be user-based.

Look up current licenses using PowerShell

To view the number of free and used licenses on a Microsoft Intune subscription, you can use the following steps to run PowerShell commands.

  1. From a PowerShell prompt, run the following command:

    $creds = Get-Credential
    
  2. A pop-up window will prompt for credentials. Enter your Microsoft Intune credentials.

  3. Run the following command:

    Connect-MgGraph -Credential $creds
    
  4. Run the following command:

    Get-MgSubscribedSku
    

A list of the Account ID, the Active Units, and the Consumed Units will appear. Note that this will also display any Microsoft Office 365 licenses on the subscription.

Note

To confirm your Microsoft Entra ID P1 or P2 and Microsoft Intune using Microsoft Intune admin center, see Confirm your licenses.

Use PowerShell to selectively manage EMS user licenses

Organizations that use Microsoft Enterprise Mobility + Security (formerly Enterprise Mobility Suite) might have users who only require Microsoft Entra ID P1 or P2 or Intune services in the EMS package. You can assign one or a subset of services using Microsoft Graph PowerShell cmdlets.

To selectively assign user licenses for EMS services, open PowerShell as an administrator on a computer with the Microsoft Graph PowerShel installed. You can install PowerShell on a local computer or on an ADFS server.

You must create a new license SKU definition that applies only to the desired service plans. To do this, disable the plans you don't want to apply. For example, you might create a license SKU definition that does not assign an Intune license. To see a list of available services, type:

(Get-MgSubscribedSku | Where {$_.SkuPartNumber -eq "EMS"}).ServiceStatus

You can run the following command to exclude the Intune service plan. You can use the same method to expand to an entire security group or you can use more granular filters.

Example 1
Create a new user on the command line and assign an EMS license without enabling the Intune portion of the license:

Connect-MgGraph

New-MgUser -DisplayName "Test User" -FirstName FName -LastName LName -UserPrincipalName user@<TenantName>.onmicrosoft.com –Department DName -UsageLocation US

$CustomEMS = 	Set-MgUserLicense -AccountSkuId "<TenantName>:EMS" -DisabledPlans INTUNE_A
Set-MgUserLicense -UserPrincipalName user@<TenantName>.onmicrosoft.com -AddLicenses <TenantName>:EMS -LicenseOptions $CustomEMS

Verify with:

(Get-MgUser -UserPrincipalName "user@<TenantName>.onmicrosoft.com").Licenses.ServiceStatus

Example 2
Disable the Intune portion of EMS license for a user that is already assigned with a license:

Connect-MgGraph

$CustomEMS = 	Set-MgUserLicense -AccountSkuId "<TenantName>:EMS" -DisabledPlans INTUNE_A
Set-MgUserLicense -UserPrincipalName user@<TenantName>.onmicrosoft.com -LicenseOptions $CustomEMS

Verify with:

(Get-MgUser -UserPrincipalName "user@<TenantName>.onmicrosoft.com").Licenses.ServiceStatus

Command line sample of PowerShell verification alt-text="Command line sample"