Group Based Licensing now in Preview in Azure AD!


If you are involved with mail migrations to Office 365 or enabling other Azure Active Directory/Office 365 services, you will need to set licenses for your users. For a project with 1 to 50 users this can be done fairly easy with some manual configuration. However if you have more than 100 or even thousands of users with the E3 or E5 SKU this becomes fast a complex task. Scripting with PowerShell and triggering on a successful event of AD Connect sync for example. I think everyone has thought:

“Why do we need to create complex PowerShell scripts as this should be an easy to configure option”

Well Microsoft has just released a preview for Group Based licensing which was announced at Ignite 2016! Expecting that this feature will be shortly being released for GA, I would advise you to give it a try. Especially if you are almost ready to get started with a new project/migration. For the preview you need Azure Active Directory basic or higher. After GA it will be included in the Office 365 Enterprise E3 and E5 plans.  You can set license SKU’s and individual license options per AD/Azure AD group. Synchronized AD groups and cloud only groups are supported. Dynamic groups in Azure are also supported.

How does it work?

First create groups with users. Depending on the departments and how many differentiation you want to make between those departments you need to create new groups. If all users will have the same licenses, just create one group.

I will show in the example, an AD synced group and a dynamic group in O365. First create an AD group with your users and sync it to Azure AD. I will create 2 users with the attribute Department filled with “Marketing”.

Note: Dynamic grouping is an AD premium feature and the users will need this license. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-manage-groups

In the Azure Portal create a new “Dynamic group”. As you can see I used the department which contains “Marketing”. Lots of attributes can be used here and even advanced rules can be created. For example, User has department “Marketing” and Extensionattribute05 is filled with “Internal Contractor”.

Make sure you don’t select the “Enable Office features” when creating the group. In that case it’s not a security group and you won’t be able to select this group when setting the licenses.

Go to https://ms.portal.azure.com and browse to “Azure Active Directory” and Licenses. Select products. You will see all your license products. You will have to set the license options per product separately.

Click on the License SKU you want you want to set to your users. In my case I will choose the Enterprise Mobility + Security E3 SKU.

You will see the current licenses set. In my case I did it manually as you can see in the screenshot. Select assign to configure the group based licensing.

In this case this is the AD synced group which I will use for the admin accounts. This group will receive all licenses within the EM+S E3 suite.

 

I will do the same for the Office 365 E3 Enterprise product. And use different settings for my dynamic group.

Select all the licenses you want with just simply clicking for On and Off and click Assign.  In the license part of the portal you will see the assignment path changes from Direct to Direct, Inherited with the group shown which was applied. Users can be added to multiple groups. For example, you can create a base group with Only Exchange Online and have an extended group where the same user is added for extended O365 plans such as Yammer and Flow. If the user is located in both groups he will receive all the 3 licenses. When a user is removed from a group the license will be removed as well. Keep this in mind if a backup was needed before removing users from license groups.

And as a note: Keep it as simple as possible for your business!

Browse to your specific group and you will see the licenses applied successfully.

Dynamic group licenses set.

If you try to assign licenses to a group and you don’t have enough spare licenses you will receive an error message.

As you can see this is simple and fast! Give it a try.

For more details have a look at : https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-whatis-azure-portal

Leave a Reply