
Simplifying Office 365 License Control with Azure AD Group-Based License Management

Managing the allocation of Office 365 licenses has been a pain point for many customers. For smaller tenants with simple requirements, the allocation of licensing can either be handled manually on an as-needed basis using the Office 365 admin portal, or built in to a provisioning script or system. For larger tenants, automation is essential, as manual methods are far too time-consuming for any environment with a high rate of change (e.g. dealing with new and departed users, or licensing sub-features and extra applications). In fact, quite a few Office 365 customers have remarked to me recently that managing licenses is one of their biggest challenges, and they’ve invested quite a lot of time into scripting solutions based on Active Directory group membership.

Well, the good news (or perhaps bad news, considering the investment of time they’ve already made) is that Microsoft has now released Azure AD group-based license management for Office 365. The feature is currently in Preview.

Getting Started with Azure AD Group-Based License Management

Microsoft has made group-based license management available through the Azure portal. Choose Azure Active Directory from the list of services in the portal, and then select Licenses.

The groups that you can assign licenses to can be created in Azure AD, or synchronized from on-premises Active Directory. The license assignments can be static (i.e. to the members of a group) or dynamic (e.g. based on user attributes such as ExtensionAttribute1). For this demonstration I’m using groups synchronized from on-premises Active Directory with static membership.

The groups I have created will allow me to demonstrate basic license assignment, as well as a more granular approach, and how license assignment is cumulative for users who are members of multiple groups. I’ve created groups named:

  • Licensing_Office365_E3_Base
  • Licensing_Office365_E3_Teams
  • Licensing_Office365_EMS_E3

My goals are:

  • To assign Office 365 E3 licenses with what my organization considers “base” functionality, which is all E3 features except for Yammer, Sway, StaffHub, and Teams
  • To assign Teams access only to specific users in the organization, due to Teams currently being in Preview
  • To assign EMS (Enterprise Mobility + Security) E3 licenses to specific users only

My tenant currently has licenses assigned to users, so I will need to transition users from direct license assignment to groups-based licensing without disrupting their existing services (e.g. Exchange Online mailboxes).

Assigning Licenses to Groups

After navigating to the Licenses section of Azure Active Directory in the Azure portal, you can view the list of products that your organization currently has licenses for.

Select a product license and click on the Assign button. From the Users and Groups selection, choose the group that you want to assign licenses to, and then click on Select. You can select multiple groups at this stage, for example if you were using department-based groups to assign product licenses to users. I am using product-based groups instead. Either approach will work; it really just depends on how your organization views license management.

In the Assignment options you can select the sub-features for the license that you’ve chosen to assign to the group. I’ve turned off StaffHub, Teams, Sway, and Yammer for this demonstration.

Click OK when you’re happy with your selections, and then click Assign to create the license assignment. If there are any errors at this stage you’ll receive a notification in your Azure portal. On my first run through this feature I was getting a notification that “Licenses could not be assigned or removed due to an error”, which I was unable to work out a solution for.

It appears that the problem was that I was using a Microsoft Account associated with my Azure subscription, and even though the account has access to the Office 365 tenant’s Azure AD (and is a Global Admin) it is not able to be used for administering groups-based license management. Logging on to the Azure portal with the Office 365 tenant admin account allowed me to continue without errors. A strange issue that might impact partner or delegated permissions scenarios, but nonetheless I was able to proceed with the correct account.

After completing the steps above I went back through the same steps to create a license assignment for Teams only, and another for EMS E3. For Teams, I created a license assignment that only enables Teams, which will allow me to fully demonstrate the cumulative nature of groups-based license management.
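The same three assignments can be made from PowerShell instead of clicking through the portal. The following is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and a session opened with Connect-MgGraph. The group names are the ones used in this post; the SKU part numbers (ENTERPRISEPACK for Office 365 E3, EMS for EMS E3) and the service plan names for Teams, Sway, StaffHub and Yammer are the values I know for those SKUs and should be confirmed against Get-MgSubscribedSku in your own tenant, which is why the function resolves plan names and fails loudly if one is not found.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and a session opened with Connect-MgGraph -Scopes "Group.ReadWrite.All","Organization.Read.All".
# SKU part numbers and service plan names below are assumptions: verify with Get-MgSubscribedSku.

function Set-GroupLicenseWithDisabledPlans {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string]   $SkuPartNumber,
        [string[]] $DisabledPlanNames = @()
    )

    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not in this tenant" }

    # Translate readable plan names into the plan IDs Graph expects, failing on typos
    $disabledIds = foreach ($n in $DisabledPlanNames) {
        $plan = $sku.ServicePlans | Where-Object ServicePlanName -eq $n
        if (-not $plan) { throw "Service plan '$n' is not part of $SkuPartNumber" }
        $plan.ServicePlanId
    }

    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found" }

    # This is the equivalent of Assign > Assignment options in the portal.
    # An empty -RemoveLicenses is still required by the cmdlet.
    Set-MgGroupLicense -GroupId $group.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @($disabledIds) }) `
        -RemoveLicenses @() | Out-Null

    # Read the assignment back so the result can be checked against the portal
    (Get-MgGroup -GroupId $group.Id -Property AssignedLicenses).AssignedLicenses |
        Where-Object SkuId -eq $sku.SkuId |
        ForEach-Object {
            $lic = $_
            [pscustomobject]@{
                Group         = $GroupName
                Sku           = $SkuPartNumber
                DisabledPlans = ($sku.ServicePlans | Where-Object { $_.ServicePlanId -in $lic.DisabledPlans }).ServicePlanName -join ', '
            }
        }
}

# "Base" E3: every service except the four the post turns off
Set-GroupLicenseWithDisabledPlans -GroupName "Licensing_Office365_E3_Base" -SkuPartNumber "ENTERPRISEPACK" `
    -DisabledPlanNames @("TEAMS1", "SWAY", "Deskless", "YAMMER_ENTERPRISE")

# Teams-only E3: disable every plan in the SKU except Teams
$e3 = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "ENTERPRISEPACK"
$allButTeams = ($e3.ServicePlans | Where-Object ServicePlanName -ne "TEAMS1").ServicePlanName
Set-GroupLicenseWithDisabledPlans -GroupName "Licensing_Office365_E3_Teams" -SkuPartNumber "ENTERPRISEPACK" `
    -DisabledPlanNames $allButTeams

# EMS E3 with all services enabled
Set-GroupLicenseWithDisabledPlans -GroupName "Licensing_Office365_EMS_E3" -SkuPartNumber "EMS"
```

Resolving plan names at run time rather than hard-coding plan GUIDs keeps the script readable and makes it fail immediately if a plan is renamed or missing from the SKU, which is exactly the situation the caveat about newly released sub-features later in this post describes.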

Transitioning from Direct to Groups-Based License Management

A few minutes after setting up my group license assignments the Azure portal showed my users’ license status as below. Notice how most of the users have both direct and inherited assignment paths. The names of the groups that licenses are being inherited from, such as Licensing_Office365_E3_Base, are also displayed. Notice also that most users have the full 13/13 services included in an E3 license showing as enabled.

To transition from direct to groups-based licensing, all we need to do is remove the direct license assignment. This is as simple as selecting one or multiple users who are assigned a specific type of license, and then clicking the Remove button. In the example below, the list of E3 license holders is shown, and I’m removing the direct assignment from the users who also have an inherited assignment via a Group.

After clicking Remove you’ll get one final prompt before the change is made.

This transition is best performed in stages so that you can be confident that you’re not disrupting your users’ access to services. If you’re transitioning a full E3 direct license to a full E3 group-based assignment, then the risk is fairly small. However in cases where you’re adjusting the number of services that the user has access to, you should be more cautious.
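The cautious, staged transition described above is worth scripting so that the check is done per user rather than by eye. The following is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK and a Connect-MgGraph session. For each member of the licensing group it reads the user's license assignment states (a direct assignment has no assigning group; an inherited one records the group), works out which service plans the active group assignments would keep enabled, and only removes the direct assignment when no currently enabled plan would be lost. The group name and SKU part number are this post's values; the $DryRun switch defaults to reporting only.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and a session opened with Connect-MgGraph -Scopes "User.ReadWrite.All","Group.Read.All","Organization.Read.All".
$GroupName     = "Licensing_Office365_E3_Base"
$SkuPartNumber = "ENTERPRISEPACK"   # Office 365 E3 (assumed part number, verify in your tenant)
$DryRun        = $true              # set to $false to actually remove direct assignments

$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant" }
$planName = @{}
foreach ($p in $sku.ServicePlans) { $planName[$p.ServicePlanId] = $p.ServicePlanName }
$allPlanIds = $sku.ServicePlans.ServicePlanId

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group $GroupName not found" }

# Only user objects are licensed; nested groups are not supported by the feature
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }

foreach ($m in $members) {
    # LicenseAssignmentStates lists every path by which the user holds a license:
    # AssignedByGroup is empty for a direct assignment and holds the group ID for an inherited one
    $user   = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,LicenseAssignmentStates
    $states = $user.LicenseAssignmentStates | Where-Object SkuId -eq $sku.SkuId
    $upn    = $user.UserPrincipalName

    $direct    = $states | Where-Object { -not $_.AssignedByGroup }
    $inherited = $states | Where-Object { $_.AssignedByGroup -and $_.State -eq 'Active' }

    if (-not $direct)    { Write-Host "${upn}: no direct assignment, nothing to do"; continue }
    if (-not $inherited) { Write-Warning "${upn}: direct only, group assignment not active yet - skipping"; continue }

    # Plans that would remain enabled = union of plans enabled by every active group assignment
    $keptPlans = @()
    foreach ($i in $inherited) { $keptPlans += $allPlanIds | Where-Object { $_ -notin $i.DisabledPlans } }
    $keptPlans = $keptPlans | Select-Object -Unique

    # Plans the direct assignment enables today that no group assignment would keep
    $directPlans = $allPlanIds | Where-Object { $_ -notin $direct.DisabledPlans }
    $lost = $directPlans | Where-Object { $_ -notin $keptPlans } | ForEach-Object { $planName[$_] }

    if ($lost) {
        Write-Warning "${upn}: removing the direct assignment would disable $($lost -join ', ') - skipping"
        continue
    }

    if ($DryRun) {
        Write-Host "${upn}: would remove direct $SkuPartNumber (group assignments cover all enabled plans)"
    } else {
        # Both parameters are required; an empty AddLicenses is valid
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses @($sku.SkuId) | Out-Null
        Write-Host "${upn}: direct $SkuPartNumber removed"
    }
}
```

Run it first with $DryRun left at $true and review the warnings: a user flagged as "would disable" is exactly the case the paragraph above warns about, where the group assignment enables fewer services than the direct one, and needs a decision rather than a bulk removal.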

Cumulative License Assignments

As I mentioned already, I am using multiple groups to assign licenses. Most of the users in my organization will have a subset of the E3 license features, and a select few will also get access to Teams. After removing the direct license assignments, the groups-based licensing is in full effect. You can see below that:

  • Users who are only members of the Licensing_O365_E3_Base group get 9/13 services, for example Alannah Shaw
  • Users who are members of both Licensing_O365_E3_Base and Licensing_O365_E3_Teams get 10/13 services, for example Dave Bedrat
  • Users who are only members of the Licensing_O365_E3_Teams group get 1/13 services, for example David Abbott


This is the level of control that customers have been asking for, so it’s great to see Microsoft delivering on it.

The license assignments are also visible in the Office 365 admin portal, and reflect the same sub-feature license assignment that you can see in Azure. For example, Alannah Shaw has access to most E3 features except for Teams, Sway, StaffHub, and Yammer.


FAQs, Limitations and Caveats

Group-based license management is currently in Preview, and as I’m writing this article the following limitations and caveats apply:

  • The features, behaviors, or availability of group-based license management may change between now and when it becomes generally available.
  • If a user is assigned a license directly as well as via group membership, they only consume a single license.
  • An Azure subscription (trial or paid) is currently required to use group-based license management.
  • Although new and modified license assignments take effect within minutes (e.g. enabling Sway in an existing license assignment), there are situations where a license will not assign automatically, for example if you have more members of a group than available licenses, or when license assignments conflict. Notifications in the portal will advise you of how to remediate the issues, and there’s a Reprocess button available as well to reapply assignments after fixing issues.
  • Membership changes to groups synchronized from on-premises Active Directory will not take effect until after the next sync cycle.
  • Users can have a mix of direct and group-based licenses assigned, for example an E3 license that is group-based, and an EMS license that is directly assigned. Group-based license assignments can only be managed via the Azure portal, and will cause an error if you attempt to modify them via the Office 365 admin portal (at least for now).
  • When new sub-features (or sub-SKU features) are released, Microsoft may enable them automatically by default, requiring you to revisit your group-based license assignments to disable new features from time to time. This should encourage you to keep your group-based license assignments as simple as possible.
  • Nested groups are not currently supported.
  • Removing a user from a license group will result in services being set to a “suspended” state instead of disabled. Microsoft is using this approach to avoid data loss issues due to accidental removal of group members. You can expect in future that suspended services will eventually age out to a disabled state and data will eventually purge as it does today for de-licensed users.
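Two of the caveats above, a group with more members than available licenses and nested groups being unsupported, can be checked before an assignment is created or a group's membership is grown. The following is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK and a Connect-MgGraph session, and uses this post's group names. For every SKU assigned to each group it counts the user members who do not yet hold that SKU by any path (members who already hold it consume their single unit whether the assignment is direct or inherited, as the caveats note) and compares that demand with the units still free in the tenant. Nested group members are reported separately, since they will not be licensed.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and a session opened with Connect-MgGraph -Scopes "Group.Read.All","User.Read.All","Organization.Read.All".
$LicenseGroups = @(
    "Licensing_Office365_E3_Base",
    "Licensing_Office365_E3_Teams",
    "Licensing_Office365_EMS_E3"
)

# Free units per SKU: purchased (enabled) units minus those already consumed
$skus = @{}
foreach ($s in Get-MgSubscribedSku) {
    $skus[$s.SkuId] = [pscustomobject]@{
        Part      = $s.SkuPartNumber
        Available = $s.PrepaidUnits.Enabled - $s.ConsumedUnits
    }
}

foreach ($name in $LicenseGroups) {
    $group = Get-MgGroup -Filter "displayName eq '$name'" -Property Id,DisplayName,AssignedLicenses
    if (-not $group) { Write-Warning "Group $name not found"; continue }

    $members = Get-MgGroupMember -GroupId $group.Id -All
    $nested  = @($members | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' })
    $users   = @($members | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' })
    if ($nested.Count -gt 0) {
        Write-Warning "$name contains $($nested.Count) nested group(s); nested members will not be licensed"
    }

    if (-not $group.AssignedLicenses) { Write-Host "$name has no license assignment yet"; continue }

    foreach ($lic in $group.AssignedLicenses) {
        $sku = $skus[$lic.SkuId]

        # A member already holding the SKU (directly or via any group) needs no further unit
        $needing = @($users | Where-Object {
            (Get-MgUser -UserId $_.Id -Property AssignedLicenses).AssignedLicenses.SkuId -notcontains $lic.SkuId
        })

        $verdict = if ($needing.Count -gt $sku.Available) { "SHORTFALL - assignment will fail for some members" } else { "ok" }
        "{0,-30} {1,-16} users={2,-4} unlicensed={3,-4} free={4,-4} {5}" -f `
            $name, $sku.Part, $users.Count, $needing.Count, $sku.Available, $verdict
    }
}
```

A SHORTFALL line means the portal will raise the "not enough licenses" condition for that group; after buying units or trimming membership, the Reprocess button (or re-running this report to confirm the numbers) is the follow-up.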
Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

17 comments

  1. SANKARASUBRAMAN PARAMESWARAN says:

    Hi,

    We want to set up F5 Load balancer for the office 365 SMTP traffic. Please let us know if there is any solution to implement this

  2. Jordi says:

    When I’m at the group selection window I can’t find any of my on-premises AD groups. We have a hybrid configuration and only have DirSync. Is it possible that this feature only works with Azure native groups?

  3. Slesire says:

    Hi Guy
    Do we need an Azure AD license to assign this policy (Office 365 License Control with Azure AD Group-Based License)?
    Thanks

  4. Roger says:

    Paul,

    Great article. We have a few test environments here that we would like to time box the use of licenses in. For example, allow the user to have access to a license for 180 days and then reclaim it, or reclaim a license that has not been used in 180 days. Have you come across a way to do this with Azure AD Group Based Licensing?

    • Groups-based licensing assigns and removes licenses based on group membership. If you can orchestrate the adding/removing of group members based on those 180 day blocks of time, then groups-based licensing will handle the licensing back end stuff for you. But right now it doesn’t have timer-based licensing as a native capability.

  5. Peter Sheridan says:

    Hi Paul,
    Great Article. Just one question that you might know the answer to.

    Let’s say Exchange on-prem is set up in a hybrid environment with Exchange Online. In this case it is best practice to create all mailboxes on-prem first and then migrate to Exchange Online. Otherwise, if the mailbox is created directly in Exchange Online, the on-prem Exchange doesn’t know anything about the mailbox.

    Picture the scenario where Group Based Licensing is setup. In this case members of the group get assigned an Exchange Online license.

    The user account gets created on-prem and added to the appropriate security group that assigns a license. Prior to their mailbox being created on-prem, Azure AD Sync runs, and syncs the user to Azure AD. A license then gets assigned through the automatic group membership. Since there is no on-prem mailbox for the user (yet anyway), Office 365 automatically provisions an Exchange Online mailbox. The IT team finish the new user setup by creating a mailbox on-prem, and attempt to migrate. But now you end up in the situation whereby there is both a mailbox on-prem and in Exchange Online.

    In an ideal world, the setup procedure on-prem would be scripted so that it creates an AD user and mailbox at the same time. But let’s say it’s not. Do you see a way around the above scenario?

    Regards,
    Peter

    • There’s no real magic here. Either change your provisioning workflow to assign them to a licensing group after the mailbox is created, or change your provisioning workflow to account for the mailbox being created in EXO instead of on-prem.

      There’s nothing that says mailboxes should be created on-prem then moved to EXO as a best practice. Create them wherever you want them to live. The only caveat is shared mailboxes, which don’t need a license anyway so that’s not applicable to your situation.

  6. David says:

    How often does Azure AD process the license assignment?
    How do you edit or remove the group based assignment?
    How did you get to where it displays the users and their licenses?
    I did not see where I could choose an extensionattribute only groups. Is that a licensing feature? Did you use Azure AD Premium? I only have Azure AD Basic perhaps it is less functional?

  7. Andrew Kemp says:

    I’ve started using this where customers have multiple profile groups of users who have various different licensing requirements or have thousands of users world wide.

    It’s great, as when you create the on-prem user and remote mailbox you no longer need to then log into the portal to assign the license or script it like I had in the past.

    One question though… a customer of mine had a paid Azure AD subscription for 200 users, however this feature was then available to all 13,000 users in Azure AD. I looked through the above link but cannot see what the caveat is here. Is there one? i.e. if I have a paid Azure AD sub for even 1 user, is this feature available for all users in the tenant?
    Thanks

    • Yeah for some features a single license is all it takes to light up a feature. But that isn’t the same thing as being license compliant, so your customer still needs to make sure they have the right number of licenses for the users they are using a feature with.
