Introduction to Office 365 Group-Based Licensing

As a Microsoft cloud service customer, licenses are required to operate and access your suite of solutions such as Office 365. It is necessary that these licenses be controlled across your organization to effectively monitor user access.

A common challenge associated with administering licenses to users in Office 365 is ensuring that the appropriate licenses are assigned to the right users. In the past, it was necessary to administer licenses on a user-by-user basis. There were very few PowerShell scripts that could assist, and it still worked on a per-user basis. With Azure Group-Based Licensing, licenses can be assigned to groups rather than to individual users. When users are added a group, the license or licenses assigned to the group will be applied to individual users. Likewise, if a user is removed from a group that granted them a license, that license will be removed from the user. This not only applies to the overall license SKUs (ie. Office 365 E1, Office 365 A3, Enterprise Mobility + Security E5, etc.), but also to the individual services (ie. Exchange, SharePoint, Skype For Business, etc.). 

Office 365 Licensed Users

The groups themselves can be the following: 

  • Traditional Azure security groups
  • Azure dynamic security groups (requires additional Azure AD licensing)
  • AD security groups synced from on-premises Active Directory via AAD Connect. These groups can be automated via an on-premise application such as Microsoft Identity Manager. 

Pre-Requisites

You must have at least one of the following: 

  • Paid or trial edition of Office 365 Enterprise E3 or Office 365 A3 and above
  • Paid or trial subscription for Azure AD Basic

Configuration

Group-based licensing is configured in the Azure Active Directory Admin Center, https://aad.portal.azure.com/. It is available to all Office 365 subscribers, not just those with Azure Active Directory licensing.

Azure Active Directory Admin Center

Once logged into the Azure Active Directory Admin Center, select Azure Active Directory > Licenses > All Products. On this page, you will see a list of all available licenses. Click on one of the licenses you want to assign to a group. Once the license has been selected, go to Licensed Groups and click Assign. 

Enterprise Mobility + Security E3 Licensed groups

Under Assign License, you will be able to select the group or groups to which you would like to assign the license. At this point, you will also be able to select the individual components of the license to enable or disable. 

Assign license - license options

These steps can be repeated for multiple groups, or to assign multiple licenses to the same group. If a user is assigned more than one license group, they will gain the license and components from each group; however, if more than one group assigns the same license, a user will still only consume one of the available licenses. 

licenses

Azure Group-Based Licensing has been configured to add or remove Office 365 licensing by simply modifying group memberships. This can easily be incorporated into existing onboarding and offboarding processes to ensure you effectively control your user environments. Designed Role-Based Access Control Policies can be configured to grant technicians rights to modify the new licensing groups without having the rights to assign licenses directly. This will help ensure users have access to the approved licenses and components assigned to them. 

 Try implementing this today and let us know how it works!

Reference

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal  

 

Contact Us to Learn More About Implementing Office 365 Group-Based User Licensing!

[Form id=”1″]

 

 

 

 

 

 

One Comment

  1. Stefanie Dunn

    Great content, Evan! Thank you

Leave a Reply

You must be logged in to post a comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.