Remove Windows 365 licenses if a cloud PC is not used anymore.
This script will revoke licenses from users that have not used their Windows 365 Cloud PC for a certain amount of days. By default, it will run in simulation mode to notify you of the changes you want to make. Disable simulation mode to actually remove the users from the group. By default, it will only check to remove a license if the cloud PC is not used for more than 30 days. You can change this value by providing the -daysSinceLastConnection
parameter.
This script does not work if the license is assigned directly to a user.
Make sure to register an app in Entra ID and give it these Graph Permissions:
DeviceManagementManagedDevices.Read.All
(To fetch identifiers from Intune)GroupMember.ReadWrite.All
(To read and remove the groupmembership where the license is assigned)CloudPC.Read.All
(To fetch the last connection date from the Cloud PCs)
It also requires permissions on Entra ID as well:
-
Create a custom role :
microsoft.directory/groups/members/read
-
OR use the built in role:
Directory Readers
Provide the app ID of the Entra AD app that has the required permissions.
Provide the app secret of the Entra AD app that has the required permissions.
Provide the tenant ID of the tenant where the app is registered.
provide the amount of days since the last connection of the cloud pc to revoke the license, default is 30
provide if the script should run in simulation mode or not, default is true
None
Output is written to console.
- Version: 1.0
- Author: Dieter Kempeneers
- Creation Date: 2024-07-14
- Purpose/Change: Initial script development
.\Windows365-RevokeUnusedLicense.ps1 -app_id "<app_id>" -app_secret "<app_secret>" -tenantId "<tenantId>"
.\Windows365-RevokeUnusedLicense.ps1 -app_id "<app_id>" -app_secret "<app_secret>" -tenantId "<tenantId>" -daysSinceLastConnection 60
.\Windows365-RevokeUnusedLicense.ps1 -app_id "<app_id>" -app_secret "<app_secret>" -tenantId "<tenantId>" -simulationMode $false
Run the script to actually remove the users from the group with another amount of days since last connection
.\Windows365-RevokeUnusedLicense.ps1 -app_id "<app_id>" -app_secret "<app_secret>" -tenantId "<tenantId>" -simulationMode $false -daysSinceLastConnection 60