Unable to remove user license assignment.

[HenryEZ]

Describe the bug

I am unable to remove the users license assignment.

Expected behavior

Licenses that are not group assigned will be removed.

How to reproduce

$upn = "atola@cimgroup.com"
$licencesToRemove = (get-mguser -userid $upn -Property AssignedLicenses,LicenseAssignmentStates).LicenseAssignmentStates | where {$null -eq $_.AssignedByGroup} | Select -ExpandProperty SkuId

$jsonBody
$jsonBody = @{
addLicenses = @() # Must be explicitly empty
removeLicenses = $licencesToRemove
} | ConvertTo-Json -Depth 10
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$($upn)/assignLicense" -Body $jsonBody -ContentType "application/json" -Verbose -debug

or

Set-MgUserLicense -UserId $upn -RemoveLicenses $licencesToRemove -AddLicenses @{} -verbose -Debug

SDK Version

2.26.1

Latest version known to work for scenario above?

No

Known Workarounds

none

Debug output

Loading personal and system profiles took 927ms.
VM-ENSANCHEZ\C:> get-module -name Microsoft.graph*
VM-ENSANCHEZ\C:> connect-mgGraph -Scopes "User.Read.All", "Reports.Read.All"
Welcome to Microsoft Graph!

Connected via delegated access using 14d82eec-204b-4c2f-b7e8-296a70dab67e
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs

NOTE: You can use the -NoWelcome parameter to suppress this message.

VM-ENSANCHEZ\C:> $upn = "atola@cimgroup.com"
VM-ENSANCHEZ\C:> $licencesToRemove
VM-ENSANCHEZ\C:> $licencesToRemove = (get-mguser -userid $upn -Property AssignedLicenses,LicenseAssignmentStates).LicenseAssignmentStates | where {$null -eq $_.AssignedByGroup} | Select -ExpandProperty SkuId
VM-ENSANCHEZ\C:> $licencesToRemove
19ec0d23-8335-4cbd-94ac-6050e30712fa
VM-ENSANCHEZ\C:> $jsonBody
VM-ENSANCHEZ\C:> $jsonBody = @{

                    addLicenses    = @()  # Must be explicitly empty
                    removeLicenses = $licencesToRemove
                } | ConvertTo-Json -Depth 10

VM-ENSANCHEZ\C:> Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$($upn)/assignLicense" -Body $jsonBody -ContentType "application/json" -Verbose -debug
VERBOSE: POST https://graph.microsoft.com/v1.0/users/atola@cimgroup.com/assignLicense with 86-byte payload
DEBUG: POST /v1.0/users/atola@cimgroup.com/assignLicense HTTP/1.1
HTTP: graph.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22631; en-US) PowerShell/7.5.2 Invoke-MgGraphRequest
Content-Length: 86
Content-Type: application/json

{
"addLicenses": [],
"removeLicenses": "19ec0d23-8335-4cbd-94ac-6050e30712fa"
}
VERBOSE: received -byte response of content type application/json
DEBUG: POST https://graph.microsoft.com/v1.0/users/atola@cimgroup.com/assignLicense
HTTP/2.0 400 Bad Request
Cache-Control: no-cache
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 0985f4ad-a20c-437d-a0da-8468bd212ac8
client-request-id: 61ff2e99-9f69-4a1b-9b50-dad91c8075ae
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"BY3PEPF00015C03"}}
x-ms-resource-unit: 1
Date: Mon, 14 Jul 2025 16:13:26 GMT
Content-Type: application/json

{"error":{"code":"Request_BadRequest","message":"When trying to read a null collection parameter value in JSON Light, a node of type 'PrimitiveValue' with the value '19ec0d23-8335-4cbd-94ac-6050e30712fa' was read from the JSON reader; however, a primitive 'null' value was expected.","innerError":{"date":"2025-07-14T16:13:26","request-id":"0985f4ad-a20c-437d-a0da-8468bd212ac8","client-request-id":"61ff2e99-9f69-4a1b-9b50-dad91c8075ae"}}}
Invoke-MgGraphRequest: POST https://graph.microsoft.com/v1.0/users/atola@cimgroup.com/assignLicense
HTTP/2.0 400 Bad Request
Cache-Control: no-cache
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: 0985f4ad-a20c-437d-a0da-8468bd212ac8
client-request-id: 61ff2e99-9f69-4a1b-9b50-dad91c8075ae
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"BY3PEPF00015C03"}}
x-ms-resource-unit: 1
Date: Mon, 14 Jul 2025 16:13:26 GMT
Content-Type: application/json

{"error":{"code":"Request_BadRequest","message":"When trying to read a null collection parameter value in JSON Light, a node of type 'PrimitiveValue' with the value '19ec0d23-8335-4cbd-94ac-6050e30712fa' was read from the JSON reader; however, a primitive 'null' value was expected.","innerError":{"date":"2025-07-14T16:13:26","request-id":"0985f4ad-a20c-437d-a0da-8468bd212ac8","client-request-id":"61ff2e99-9f69-4a1b-9b50-dad91c8075ae"}}}
VM-ENSANCHEZ\C:> Set-MgUserLicense -UserId $upn -RemoveLicenses $licencesToRemove -AddLicenses @{} -verbose -Debug

Confirm
Are you sure you want to perform this action?
Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): a
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://graph.microsoft.com/v1.0/users/atola%40cimgroup.com/microsoft.graph.assignLicense

Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; en-US),PowerShell/7.5.2
SdkVersion : graph-powershell/2.26.1
client-request-id : 35d87182-96be-4725-b8f7-466a24000fab
Accept-Encoding : gzip,deflate,br

Body:
{
"removeLicenses": [
"19ec0d23-8335-4cbd-94ac-6050e30712fa"
]
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : c71145f2-8474-487e-b6bf-dc5ce63467e1
client-request-id : 35d87182-96be-4725-b8f7-466a24000fab
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"South India","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"MA1PEPF000095FA"}}
x-ms-resource-unit : 1
Date : Mon, 14 Jul 2025 16:14:05 GMT

Body:
{
"error": {
"code": "Request_BadRequest",
"message": "One or more parameters of the operation 'assignLicense' are missing from the request payload. The missing parameters are: addLicenses.",
"innerError": {
"date": "2025-07-14T16:14:05",
"request-id": "c71145f2-8474-487e-b6bf-dc5ce63467e1",
"client-request-id": "35d87182-96be-4725-b8f7-466a24000fab"
}
}
}

Set-MgUserLicense_AssignExpanded: One or more parameters of the operation 'assignLicense' are missing from the request payload. The missing parameters are: addLicenses.

Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-07-14T16:14:05

Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : c71145f2-8474-487e-b6bf-dc5ce63467e1
client-request-id : 35d87182-96be-4725-b8f7-466a24000fab
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"South India","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"MA1PEPF000095FA"}}
x-ms-resource-unit : 1
Date : Mon, 14 Jul 2025 16:14:05 GMT

Recommendation: See service error codes: https://learn.microsoft.com/graph/errors
DEBUG: [CmdletEndProcessing]: - Set-MgUserLicense end processing.
VM-ENSANCHEZ\C:> Set-MgUserLicense -UserId $upn -RemoveLicenses $licencesToRemove -verbose -Debug
DEBUG: [CmdletBeginProcessing]: - Set-MgUserLicense begin processing with parameterSet 'AssignExpanded'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.Read.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, BitlockerKey.Read.All, Device.Read.All, Device.ReadWrite.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.AccessAsUser.All, Directory.Read.All, Directory.ReadWrite.All, Domain.ReadWrite.All, EntitlementManagement.ReadWrite.All, Group.ReadWrite.All, GroupMember.ReadWrite.All, OnPremDirectorySynchronization.ReadWrite.All, openid, Organization.Read.All, Organization.ReadWrite.All, Policy.Read.All, Policy.ReadWrite.AuthenticationMethod, profile, Reports.Read.All, RoleManagement.ReadWrite.Directory, User.Read, User.Read.All, User.ReadWrite.All, email].

Confirm
Are you sure you want to perform this action?
Performing the operation "Set-MgUserLicense_AssignExpanded" on target "Call remote 'POST /users/{user-id}/microsoft.graph.assignLicense' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): a
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://graph.microsoft.com/v1.0/users/atola%40cimgroup.com/microsoft.graph.assignLicense

Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; en-US),PowerShell/7.5.2
SdkVersion : graph-powershell/2.26.1
client-request-id : 370da759-a6a0-4621-8383-8222aff6ce84
Accept-Encoding : gzip,deflate,br

Body:
{
"removeLicenses": [
"19ec0d23-8335-4cbd-94ac-6050e30712fa"
]
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 91abc8bf-48c9-4a1c-932b-9a66f012664c
client-request-id : 370da759-a6a0-4621-8383-8222aff6ce84
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"South India","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"MA1PEPF000095FA"}}
x-ms-resource-unit : 1
Date : Mon, 14 Jul 2025 16:14:39 GMT

Body:
{
"error": {
"code": "Request_BadRequest",
"message": "One or more parameters of the operation 'assignLicense' are missing from the request payload. The missing parameters are: addLicenses.",
"innerError": {
"date": "2025-07-14T16:14:39",
"request-id": "91abc8bf-48c9-4a1c-932b-9a66f012664c",
"client-request-id": "370da759-a6a0-4621-8383-8222aff6ce84"
}
}
}

Set-MgUserLicense_AssignExpanded: One or more parameters of the operation 'assignLicense' are missing from the request payload. The missing parameters are: addLicenses.

Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-07-14T16:14:39

Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 91abc8bf-48c9-4a1c-932b-9a66f012664c
client-request-id : 370da759-a6a0-4621-8383-8222aff6ce84
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"South India","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"MA1PEPF000095FA"}}
x-ms-resource-unit : 1
Date : Mon, 14 Jul 2025 16:14:39 GMT

Recommendation: See service error codes: https://learn.microsoft.com/graph/errors
DEBUG: [CmdletEndProcessing]: - Set-MgUserLicense end processing.

Configuration

OS: Windows 11
x64
Powershell 7

Other information

No response

[12Knocksinna]

There were many license problems in V2.26 and V2.26.1. Have you tried the code in V2.28 or V2.29 (latest). The code worked for me in V2.29.

[HenryEZ]

@12Knocksinna
Yes, I tried v2.28 the other day and the Set-MgUserLicense works but does not work via the Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$($upn)/assignLicense" -Body $jsonBody -ContentType "application/json" . My issues have been pretty consistent the last few versions having to switch back and forth between these two in my off-boarding scripts.

[12Knocksinna]

How did you compose the JSON payload? It might have an error in its formatting. The SDK cmdlets seem more forgiving about input payloads… Tony Redmond (from a mobile device)

…

________________________________ From: HenryEZ ***@***.***> Sent: Wednesday, July 16, 2025 6:12:45 PM To: microsoftgraph/msgraph-sdk-powershell ***@***.***> Cc: 12 Knocksinna (Gmail) ***@***.***>; Mention ***@***.***> Subject: Re: [microsoftgraph/msgraph-sdk-powershell] Unable to remove user license assignment. (Issue #3361) [https://avatars.githubusercontent.com/u/39198871?s=20&v=4]HenryEZ left a comment (microsoftgraph/msgraph-sdk-powershell#3361)<#3361 (comment)> @12Knocksinna<https://github.com/12Knocksinna> Yes, I tried v2.28 the other day and the Set-MgUserLicense works but does not work via the Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$($upn)/assignLicense" -Body $jsonBody -ContentType "application/json" . My issues have been pretty consistent the last few versions having to switch back and forth between these two in my off-boarding scripts. — Reply to this email directly, view it on GitHub<#3361 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AK45CIX25LKHQGBZLXYOQPL3I2BY3AVCNFSM6AAAAACBQBAHFOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTANZZGUYTQMRTGM>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[HenryEZ]

@12Knocksinna
This is what I use.
$jsonBody = @{
addLicenses = @() # Must be explicitly empty
removeLicenses = $licencesToRemove
}

[12Knocksinna]

This works for me. A payload is basically a hash table made up of arrays... $Parameters = @{} [array]$AddLicenses = $null $Parameters.Add("AddLicenses", $AddLicenses) [array]$RemoveLicenses = 'f30db892-07e9-47e9-837c-80727f46fd3d' $Parameters.Add("RemoveLicenses", $RemoveLicenses) Invoke-MgGraphRequest -Method POST -Uri https://graph.microsoft.com/v1.0/users/$($upn)/assignLicense -Body $Parameters From: HenryEZ ***@***.***> Sent: Wednesday, July 16, 2025 10:44 PM To: microsoftgraph/msgraph-sdk-powershell ***@***.***> Cc: 12 Knocksinna (Gmail) ***@***.***>; Mention ***@***.***> Subject: Re: [microsoftgraph/msgraph-sdk-powershell] Unable to remove user license assignment. (Issue #3361) [https://avatars.githubusercontent.com/u/39198871?s=20&v=4]HenryEZ left a comment (microsoftgraph/msgraph-sdk-powershell#3361)<#3361 (comment)> @12Knocksinna<https://github.com/12Knocksinna> This is what I use. $jsonBody = @{ addLicenses = @() # Must be explicitly empty removeLicenses = $licencesToRemove } - Reply to this email directly, view it on GitHub<#3361 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AK45CISPQ5KHTUK7ZLILIJ33I3BRTAVCNFSM6AAAAACBQBAHFOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTAOBRGEZDMMBYGM>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>