Group-based license management involves setting up groups of users and then defining the license assignment that should be applied to each group. For smaller tenants with simple requirements, license management is not a big deal, but for larger tenants automation is essential: manual methods are far too time-consuming, and assigning licenses to a large group of users is a real pain. One solution is to create custom scripts, but this approach becomes challenging with more complex licensing scenarios, such as adding sub-SKU features and assigning multiple products to an individual user. The license assignments can be either static (assigned to the members of a group) or dynamic (based on user attributes such as ExtensionAttribute1). For some organizations, a department-based model will be the preferred approach, with licenses assigned to groups representing the different departments within the organization.
INFO! When you enable group-based license assignment, you may notice that users have both a direct and a group license assignment listed for their account, and that is perfectly fine. In this case they will consume only one license, and we can remove the direct license assignment later to ensure that there are no unexpected results.
Before we go and configure this, there are a few requirements we have to meet, and there are also limitations that we need to be familiar with.
If we would like to use group-based licensing we need to have:
- Paid or trial subscription for Azure AD Basic
- Paid or trial edition of Office 365 Enterprise E3 or Office 365 A3 and above
- Required number of licenses
Limitations and good to know
- Nested Groups –> are not supported. If you try to apply a license to a nested group, only the first-level user members of the group will have the licenses applied.
- Security Groups –> You can ONLY assign licenses to security groups. Security groups can be synced from on-premises, or you can create security groups directly in Azure AD.
- Inheritance –> Inherited group licenses cannot be modified directly on a user.
- Office 365 Admin Portal –> no support for group-based licensing. You will have to administer it through the Azure Portal.
- Conflicting service plans –> Some service plans are configured in a way that they can’t be assigned to the same user as another, related service plan. For example: The E3 product contains service plans that can’t overlap with the plans that are included in E1, so the group license assignment will fail. To resolve this issue, you need to disable conflicting features.
- Dependencies –> for example, a licensing group could have a feature enabled that depends on another feature that isn’t enabled.
For this capability, we’re actually going to break out of the Office 365 portal and make use of the Azure Active Directory Admin Center (https://aad.portal.azure.com).
Click on Azure Active Directory and then on Groups.
The first thing we’re going to need is a group, at least one of them, so that we can use it for the group-based license assignment. You can call the group anything you like, but obviously, if you’re going to have multiple groups, it’s a good idea to come up with some sort of naming scheme so that the purpose of each group is clear. (As I mentioned earlier, we can sync on-prem groups as well.) Click on New Group.
Give it a name and add some members to the group.
I created 2 groups, one for E3 and one for E5. I added users who already have a license and those who don’t, so that we can see the difference between direct assignment and assignment through the group.
Once done, we need to go back to the main Azure AD view and go to the Licenses section.
In the All Products list we can see the product licenses available in our tenant, how many are assigned, and how many are expiring soon. Click on All Products.
Now, to create a group-based assignment, we have to tick the license and then assign it. Another approach is to click on the license (which will open another blade) and click on Assign.
The next step is to configure the assignment options. This is where we pick the sub-license or sub-SKU features, similar to how we get to choose them in the Office 365 admin portal. I will disable a few features and click OK. Once done, click on Assign.
You can assign a license to more than one group. I’ve only assigned it to one group. If your organization was large and complex, you might choose to assign the license to groups for multiple departments or multiple geographic regions, or any approach that makes sense for your scenario.
Click on Licensed Users. We can see something interesting here. I added 2 users to this group: one with a directly assigned license and one without a license. The third user appears in this list because this user has an E3 license. So even if you don’t add a user to the group, the user will appear here if they have the license.
You will notice under Assignment Path that we have a mix of Direct assignments, Direct plus Inherited assignments and only Direct (stand-alone Direct will appear if a user is not added to the group). Direct license assignments are those users that have had their license assignment specifically configured through the Office 365 admin portal or through the Azure AD portal. The license is directly assigned to those users either individually or in bulk. The inherited assignments are the group-based assignments, and in brackets is the name of the group that the assignment is targeted to. So we’ve got these users that have both direct and inherited assignments.
Now what we can do here is remove the direct license assignment and leave only the group-based assignment. To do this, mark the user that has both assignments and click on Remove License.
When we do that, a warning message will pop up telling us that the direct license assignment will be removed. The inherited license assignments will remain in place because they’re being enforced by the group-based license configuration. Click on YES and then on Refresh.
This time we will notice that the direct license assignment is removed and the inherited license, managed by the group-based license assignment, is the only one in effect now for this user.
Let’s switch to the Office 365 Portal and check how it looks there. I will click on the Blake Nair user and, as you can see here, the licenses that the user has enabled match what was configured in the Azure Portal for the group-based assignment. The sub-SKU features have been turned off, just as we configured in the Azure AD group-based license assignment.
If I go and turn off the license for this user, I will get an error.
Now for the users that have both assignments (direct and group-based): because both license assignments are in place, all of the sub-SKU features will be enabled (if they were enabled before configuring the group-based assignment, and even if those sub-features are disabled through the group assignment). The ones that have been turned off in the group-based license are being overridden by the direct license that has everything enabled. I added the Nedim Mehic user to the E3 group just for this demonstration.
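To find these accounts across a whole tenant instead of one user at a time, the following added example (not part of the original walkthrough) classifies each user's assignment path and lists the plans a group disables but another assignment of the same product keeps active. The sample data is constructed, and the SKU, group and plan names are placeholders.

```powershell
# Constructed sample data shaped like the Microsoft Graph user property
# licenseAssignmentStates. SKU, group and plan names are placeholders.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'group.only@contoso.example'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ SkuId = 'SKU-E3'; AssignedByGroup = 'GRP-E3'; DisabledPlans = @('PLAN-A', 'PLAN-B') }) },
    [pscustomobject]@{ UserPrincipalName = 'both.paths@contoso.example'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ SkuId = 'SKU-E3'; AssignedByGroup = $null; DisabledPlans = @() },
            [pscustomobject]@{ SkuId = 'SKU-E3'; AssignedByGroup = 'GRP-E3'; DisabledPlans = @('PLAN-A', 'PLAN-B') }) },
    [pscustomobject]@{ UserPrincipalName = 'direct.only@contoso.example'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ SkuId = 'SKU-E3'; AssignedByGroup = $null; DisabledPlans = @('PLAN-A') }) }
)

function Get-LicensePathReport {
    param([Parameter(Mandatory)][object[]]$Users)
    foreach ($u in $Users) {
        foreach ($sku in ($u.LicenseAssignmentStates | Group-Object SkuId)) {
            # An empty AssignedByGroup means the license was assigned directly.
            $direct   = @($sku.Group | Where-Object { -not $_.AssignedByGroup })
            $viaGroup = @($sku.Group | Where-Object { $_.AssignedByGroup })
            # Enabled plans are the union across assignments, so a plan is
            # effectively off only when every assignment of the SKU disables it.
            $effectiveOff = $null
            foreach ($a in $sku.Group) {
                $plans = @($a.DisabledPlans)
                if ($null -eq $effectiveOff) { $effectiveOff = $plans }
                else { $effectiveOff = @($effectiveOff | Where-Object { $plans -contains $_ }) }
            }
            $groupOff = @($viaGroup | ForEach-Object { $_.DisabledPlans } | Select-Object -Unique)
            $path = if ($direct.Count -and $viaGroup.Count) { 'Direct + Inherited' } elseif ($viaGroup.Count) { 'Inherited' } else { 'Direct' }
            [pscustomobject]@{
                User              = $u.UserPrincipalName
                Sku               = $sku.Name
                Path              = $path
                EffectiveDisabled = $effectiveOff -join ','
                # Plans a group turned off that are still active for this user.
                Overridden        = @($groupOff | Where-Object { $effectiveOff -notcontains $_ }) -join ','
            }
        }
    }
}

Get-LicensePathReport -Users $sampleUsers | Format-Table -AutoSize
```

With the Microsoft Graph PowerShell SDK, `Get-MgUser -All -Property UserPrincipalName,LicenseAssignmentStates` returns objects with these property names, so its output can be passed to `-Users` in place of the sample data.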
Group-based license management is very simple to set up and for organizations of really any size it makes license assignment much simpler because it all happens automatically for you as users are added or removed from those security groups that you set up at the beginning for your license assignments.
I hope this has been informative for you.