Managing the allocation of Office 365 licenses has been a pain point for many customers. For smaller tenants with simple requirements, the allocation of licensing can either be handled manually on an as-needed basis using the Office 365 admin portal, or built in to a provisioning script or system. For larger tenants, automation is essential, as manual methods are far too time-consuming for any environment with a high rate of change (e.g. dealing with new and departed users, or licensing sub-features and extra applications). In fact, quite a few Office 365 customers have remarked to me recently that managing licenses is one of their biggest challenges, and they've invested quite a lot of time into scripting solutions based on Active Directory group membership.
Well the good news, or perhaps bad news considering the investment of time they've already made, is that Microsoft has now released Azure AD group-based license management for Office 365. The feature is currently in Preview.
Getting Started with Azure AD Group-Based License Management
Microsoft has made group-based license management available through the Azure portal. Choose Azure Active Directory from the list of services in the portal, and then select Licenses.
The groups that you can assign licenses to can be created in Azure AD, or synchronized from on-premises Active Directory. The license assignments can be static (i.e. to the members of a group) or dynamic (e.g. based on user attributes such as ExtensionAttribute1). For this demonstration I'm using groups synchronized from on-premises Active Directory with static membership.
The groups I have created will allow me to demonstrate basic license assignment, as well as a more granular approach, and how license assignment is cumulative for users who are members of multiple groups. I've created groups named:
My goals are:
- To assign Office 365 E3 licenses with what my organization considers “base” functionality, which is all E3 features except for Yammer, Sway, StaffHub, and Teams
- To assign Teams access only to specific users in the organization, due to Teams currently being in Preview
- To assign EMS (Enterprise Mobility + Security) E3 licenses to specific users only
My tenant currently has licenses assigned to users, so I will need to transition users from direct license assignment to groups-based licensing without disrupting their existing services (e.g. Exchange Online mailboxes).
Assigning Licenses to Groups
After navigating to the Licenses section of Azure Active Directory in the Azure portal, you can view the list of products that your organization currently has licenses for.
Select a product license and click on the Assign button. From the Users and Groups selection, choose the group that you want to assign licenses to, and then click on Select. You can select multiple groups at this stage, for example if you were using department-based groups to assign product licenses to users. I am using product-based groups instead. Either approach will work, it really just depends on how your organization views license management.
In the Assignment options you can select the sub-features for the license that you've chosen to assign to the group. I've turned off StaffHub, Teams, Sway, and Yammer for this demonstration.
Click OK when you're happy with your selections, and then click Assign to create the license assignment. If there are any errors at this stage you'll receive a notification in your Azure portal. On my first run through this feature I was getting a notification that “Licenses could not be assigned or removed due to an error”, which I was unable to work out a solution for.
It appears that the problem was that I was using a Microsoft Account associated with my Azure subscription, and even though the account has access to the Office 365 tenant's Azure AD (and is a Global Admin) it is not able to be used for administering groups-based license management. Logging on to the Azure portal with the Office 365 tenant admin account allowed me to continue without errors. A strange issue that might impact partner or delegated permissions scenarios, but nonetheless I was able to proceed with the correct account.
After completing the steps above I went back through the same steps to create a license assignment for Teams only, and another for EMS E3. For Teams, I created a license assignment that only enables Teams, which will allow me to fully demonstrate the cumulative nature of groups-based license management.
Transitioning from Direct to Groups-Based License Management
A few minutes after setting up my group license assignments the Azure portal showed my users' license status as below. Notice how most of the users have both direct and inherited assignment paths. The names of the groups that licenses are being inherited from, such as Licensing_Office365_E3_Base, are also displayed. Notice also that most users have the full 13/13 services included in an E3 license showing as enabled.
To transition from direct to groups-based licensing, all we need to do is remove the direct license assignment. This is as simple as selecting one or multiple users who are assigned a specific type of license, and then clicking the Remove button. In the example below, the list of E3 license holders is shown, and I'm removing the direct assignment from the users who also have an inherited assignment via a Group.
After clicking Remove you'll get one final prompt before the change is made.
This transition is best performed in stages so that you can be confident that you're not disrupting your users' access to services. If you're transitioning a full E3 direct license to a full E3 group-based assignment, then the risk is fairly small. However in cases where you're adjusting the number of services that the user has access to, you should be more cautious.
Cumulative License Assignments
As I mentioned already, I am using multiple groups to assign licenses. Most of the users in my organization will have a subset of the E3 license features, and a select few will also get access to Teams. After removing the direct license assignments, the group-based licensing is in full effect. You can see below that:
- Users who are only members of the Licensing_O365_E3_Base group get 9/13 services, for example Alannah Shaw
- Users who are members of both Licensing_O365_E3_Base and Licensing_O365_E3_Teams get 10/13 services, for example Dave Bedrat
- Users who are only members of the Licensing_O365_E3_Teams group get 1/13 services, for example David Abbott
This is the level of control that customers have been asking for, so it's great to see Microsoft delivering on it.
The license assignments are also visible in the Office 365 admin portal, and reflect the same sub-feature license assignment that you can see in Azure. For example, Alannah Shaw has access to most E3 features except for Teams, Sway, StaffHub, and Yammer.
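The portal shows the assignment path and the enabled service count per user, but for a larger tenant you will want the same view in bulk, and you will want to remove the direct assignments in batches as described above. The script below is an added example, not part of the original article and not a Microsoft sample: it uses the MSOnline module (run Connect-MsolService first) to report, for one AccountSkuId, whether each user holds the license directly, via a group, or both, how many of the license's services are enabled, and which groups the license is inherited from. With -RemoveDirect it strips the direct assignment only from users who already inherit the same SKU from a group, and it honours -WhatIf so a batch can be rehearsed first. The tenant prefix in the example SKU ("contoso:ENTERPRISEPACK") is a placeholder; the GroupsAssigningLicense and ServiceStatus properties on the user's license object are real MSOnline properties, and a user's own ObjectId in GroupsAssigningLicense (or an empty list) indicates a direct assignment.

```powershell
<#
  Added example (not from the original article): audit direct vs. group-based
  license assignment for one SKU and optionally remove the direct assignment
  where a group already supplies the same license.

  Assumes: MSOnline module loaded and Connect-MsolService already run.
  Example: .\Audit-GroupLicensing.ps1 -AccountSkuId "contoso:ENTERPRISEPACK" `
             -UserPrincipalName alannah.shaw@contoso.com -RemoveDirect -WhatIf
  ("contoso" is a placeholder tenant name.)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$AccountSkuId,          # e.g. "contoso:ENTERPRISEPACK" (placeholder tenant prefix)

    [string[]]$UserPrincipalName,   # optional batch of users, to transition in stages

    [switch]$RemoveDirect           # without this switch the script only reports
)

function Get-LicenseAssignmentPath {
    param($User, $License)
    # GroupsAssigningLicense lists the object IDs that sourced this license.
    # The user's own ObjectId in the list, or an empty list, means a direct assignment.
    $me      = "$($User.ObjectId)"
    $sources = @($License.GroupsAssigningLicense | Where-Object { $_ } | ForEach-Object { "$_" })
    $groups  = @($sources | Where-Object { $_ -ne $me })
    [pscustomobject]@{
        Direct    = ($sources.Count -eq 0) -or ($sources -contains $me)
        Inherited = ($groups.Count -gt 0)
        GroupIds  = $groups
    }
}

# Resolve the user set: a named batch for a staged transition, or the whole tenant.
$users = if ($UserPrincipalName) {
    $UserPrincipalName | ForEach-Object { Get-MsolUser -UserPrincipalName $_ }
} else {
    Get-MsolUser -All
}

$groupNames = @{}   # cache ObjectId -> DisplayName so each group is looked up once

foreach ($user in $users) {
    $license = $user.Licenses | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $license) { continue }

    $path = Get-LicenseAssignmentPath -User $user -License $license

    $names = foreach ($id in $path.GroupIds) {
        if (-not $groupNames.ContainsKey($id)) {
            $groupNames[$id] = (Get-MsolGroup -ObjectId $id).DisplayName
        }
        $groupNames[$id]
    }

    # Count enabled service plans, matching the portal's "9/13 services" display.
    $plans   = @($license.ServiceStatus)
    $enabled = @($plans | Where-Object { $_.ProvisioningStatus -ne 'Disabled' }).Count

    [pscustomobject]@{
        User           = $user.UserPrincipalName
        AssignmentPath = if ($path.Direct -and $path.Inherited) { 'Direct + Inherited' }
                         elseif ($path.Inherited) { 'Inherited' } else { 'Direct' }
        InheritedFrom  = ($names -join ', ')
        Services       = "$enabled/$($plans.Count)"
    }

    # Only remove the direct assignment when a group already supplies the same SKU,
    # so the user keeps the license (and the one seat it consumes) throughout.
    if ($RemoveDirect -and $path.Direct -and $path.Inherited) {
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Remove direct $AccountSkuId")) {
            Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses $AccountSkuId
        }
    }
}
```

Run it without -RemoveDirect first and review the Services column: a user whose group assignment enables fewer services than their direct assignment (the cautious case the article describes) will drop from 13/13 to, say, 9/13 once the direct license is removed, so those users belong in a later, smaller batch rather than the first bulk pass.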
FAQs, Limitations and Caveats
Group-based license management is currently in Preview, and as I'm writing this article the following limitations and caveats apply:
- The features, behaviors, or availability of group-based license management may change between now and when it becomes generally available.
- If a user is assigned a license directly as well as via group membership, they only consume a single license.
- An Azure subscription (trial or paid) is currently required to use group-based license management.
- Although new and modified license assignments take effect within minutes (e.g. enabling Sway in an existing license assignment), there are situations where a license will not assign automatically, for example if you have more members of a group than available licenses, or when license assignments conflict. Notifications in the portal will advise you of how to remediate the issues, and there's a Reprocess button available as well to reapply assignments after fixing issues.
- Membership changes to groups synchronized from on-premises Active Directory will not take effect until after the next sync cycle.
- Users can have a mix of direct and group-based licenses assigned, for example an E3 license that is group-based, and an EMS license that is directly assigned. Group-based license assignments can only be managed via the Azure portal, and will cause an error if you attempt to modify them via the Office 365 admin portal (at least for now).
- When new sub-features (or sub-SKU features) are released, Microsoft may enable them automatically by default, requiring you to revisit your group-based license assignments to disable new features from time to time. This should encourage you to keep your group-based license assignments as simple as possible.
- Nested groups are not currently supported.
- Removing a user from a license group will result in services being set to a “suspended” state instead of disabled. Microsoft is using this approach to avoid data loss issues due to accidental removal of group members. You can expect in future that suspended services will eventually age out to a disabled state and data will eventually purge as it does today for de-licensed users.