
Consider Azure AD group-based licensing for Office 365 users

Administrators who manage many users can go one step further toward streamlining license assignments by taking advantage of a new feature from Microsoft.

When it comes to license assignments for Microsoft's collaboration platform, there's a better automation method than PowerShell.

PowerShell can help with certain jobs, but scripting license assignment for Microsoft 365 and Office 365 users is convoluted and confusing: different PowerShell modules manage licenses for different services, and per-user scripts do not scale to enterprises with hundreds -- or thousands -- of users. Group-based licensing is the key to streamlining provisioning because Azure Active Directory applies the license to every member of a group automatically, instead of an administrator handling each user individually.

Some companies juggle a lot of Microsoft subscriptions outside of the Office 365 plans, such as Dynamics 365, different security products, Microsoft Purview Information Protection, Power Platform and other SKUs. Managing those license assignments is a challenge for IT departments.

The traditional approach has been to assign licenses to each user in the admin portal. That is not efficient for enterprises with a large user base. To address this, Azure AD offers a group-based licensing feature. With this method, administrators onboard a user by placing them in the right group for their role and needs, and Azure AD then assigns the proper licenses to that user automatically.

Prerequisites and requirements to perform group-based licensing

Group-based licensing requires a paid subscription for Azure AD Premium P1 or above, or one of the following plans:

  • Microsoft 365 Business Premium;
  • Office 365 Enterprise E3;
  • Office 365 A3;
  • Office 365 Government Community Cloud (GCC) G3;
  • Office 365 E3 for Government Community Cloud High (GCCH); and
  • Office 365 E3 for Department of Defense (DOD), or a higher tier of any of these plans, which includes the E5 plans.

Several aspects of group-based licensing streamline how licenses are deployed and assigned to users.

Licenses purchased through the portal or from a cloud solution provider (CSP) can be assigned to any security group in Azure AD. The group can be one synchronized from on-premises Active Directory through Azure AD Connect or one created directly in Azure AD.

With Azure AD group-based licensing, administrators get more control over which functionality or service plans are available, in several ways:

  • When a license is assigned to a group, the administrator can disable any of its individual service plans for that group.
  • Any Microsoft cloud service that can be assigned to a user can also be assigned to a group.
  • Group-based license assignment is available through the Azure portal.
  • The organization can assign licenses to users via the group assignment or individually through the Office 365 admin portal.

How to start with Azure AD group-based licensing

To start with group-based licensing, the administrator creates a group or uses an existing group from on-premises Active Directory or a security group in Azure AD. For groups in Azure AD, an administrator can create either a dynamic group or a static (assigned) group.

In a static group, administrators maintain the membership themselves, adding and removing users in the portal, in on-premises Active Directory or with PowerShell.

In a dynamic group, membership is evaluated automatically from rules that IT builds with the rule builder in the Azure portal. Each rule is an expression over user attributes, so the tool makes it easy to express "everyone in this department" or "everyone in this country." Evaluation is asynchronous: a change to a user's attributes adds or removes the user from the group, and therefore the license, shortly after the change is processed rather than immediately. The following are examples of membership rules for dynamic groups.

A membership rule based on the department attribute in the user properties would look like this:

user.department -in ["50001","50002","50003","50005","50006","50007","50008","50016","50020","50024","50038","50039","51100"]

or

user.department -eq "Sales"

or

user.department -eq "Marketing" -and user.country -eq "US"

A membership rule based on a display name that matches a regular expression would look like this:

user.displayName -match "Da.*"

A membership rule that includes every user in the organization would look like this:

user.objectId -ne null
Figure: An example of a group generated in Azure AD.
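The following added example (not code from the original article) creates the kind of dynamic security group the rules above describe, using the Microsoft Graph PowerShell SDK, and then reads the group back to confirm the rule is stored and processing is on before a license is attached to it. Dynamic groups themselves require Azure AD Premium P1. The group name and mail nickname are assumed placeholders.

```powershell
# Added example: create a dynamic security group for licensing with the Graph PowerShell SDK.
# Requires the Microsoft.Graph.Groups module; the display name and nickname are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

function New-LicensingDynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # Group-based licensing targets security groups, so the group is security-enabled
    # and not mail-enabled. "DynamicMembership" turns on rule-based membership and
    # MembershipRuleProcessingState "On" makes Azure AD evaluate the rule.
    New-MgGroup -DisplayName $DisplayName `
        -MailNickname $MailNickname `
        -MailEnabled:$false `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState "On"
}

# Same rule as the Marketing/US example above, narrowed to the Sales department.
$rule  = '(user.department -eq "Sales") -and (user.country -eq "US")'
$group = New-LicensingDynamicGroup -DisplayName "LIC-Sales-US" -MailNickname "lic-sales-us" -MembershipRule $rule

# Membership is populated asynchronously; confirm the rule and processing state are in place
# before assigning a license to the group, otherwise the license lands on an empty group.
Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
    Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState
```

Quoting the rule in single quotes keeps PowerShell from interpreting the double-quoted string literals inside it; the rule syntax itself is the same one the portal's rule builder produces.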

After selecting the group, the administrator assigns one or more of the tenant's available licenses to it. After selecting a license, the administrator can turn individual service plans within that license on or off for the group.

Figure: After selecting the license for a service, administrators can make additional adjustments in the license options menu.

Administrators can also use the Microsoft Graph API and PowerShell to assign licenses to groups and to manage the membership of the groups that receive a specific set of licenses. Graph Explorer is available to test the requests before scripting them.

To assign a set of licenses to a security group, send the following POST request to the Microsoft Graph API (it requires the Group.ReadWrite.All permission). The request needs the group's object ID in the URL, the SKU ID of each license to add and, optionally, the IDs of the service plans to disable; both sets of IDs come from the tenant's subscribedSkus resource (GET https://graph.microsoft.com/v1.0/subscribedSkus). The IDs shown here are illustrative and must be replaced with values from your own tenant:

POST https://graph.microsoft.com/v1.0/groups/1ad75eeb-7e5a-4367-a493-9214d90d54d0/assignLicense
Content-type: application/json

{
  "addLicenses": [
    {
      "disabledPlans": [ "11b0131d-43c8-4bbb-b2c8-e80f9a50834a" ],
      "skuId": "c7df2760-2c81-4ef7-b578-5b5392b571df"
    },
    {
      "disabledPlans": [ "a571ebcc-fqe0-4ca2-8c8c-7a284fd6c235" ],
      "skuId": "b05e124f-c7cc-45a0-a6aa-8cf78c946968"
    }
  ],
  "removeLicenses": []
}

To list the groups that currently have licenses assigned to them, run the following PowerShell command. It uses the MSOnline module, which Microsoft has since retired, so new scripts should use the Microsoft Graph PowerShell SDK instead:

# Requires the MSOnline module; run Connect-MsolService first.
Get-MsolGroup -All | Where {$_.Licenses} | Select `
  ObjectId, `
  DisplayName, `
  @{Name="Licenses";Expression={$_.Licenses | Select -ExpandProperty SkuPartNumber}}
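The following added example (not the article's own code) does the same two jobs as the Graph POST request and the Get-MsolGroup query above, but on the Microsoft Graph PowerShell SDK: it resolves a license and the plans to disable by name from subscribedSkus instead of hard-coding GUIDs, assigns the license to a group and then lists every licensed group with its processing state. The group ID is the one from the request above; the SKU part number and plan names are assumptions to replace with your tenant's values.

```powershell
# Added example: group license assignment and inventory with the Graph PowerShell SDK.
# Requires Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement.
Connect-MgGraph -Scopes "Group.ReadWrite.All","Organization.Read.All"

function Set-GroupLicenseByName {
    param(
        [Parameter(Mandatory)] [string]   $GroupId,
        [Parameter(Mandatory)] [string]   $SkuPartNumber,   # e.g. "ENTERPRISEPACK" (Office 365 E3); assumed
        [string[]] $DisablePlanNames = @()                   # e.g. "SWAY"; assumed
    )
    # Resolve the SKU GUID from the tenant's own subscriptions rather than a hard-coded value.
    $sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not among this tenant's subscribedSkus." }

    # Map plan names to the service plan GUIDs that go into disabledPlans. A name the SKU
    # does not contain is an error here instead of being silently ignored by the API call.
    $disabled = @(foreach ($name in $DisablePlanNames) {
        $plan = $sku.ServicePlans | Where-Object { $_.ServicePlanName -eq $name }
        if (-not $plan) { throw "Service plan '$name' is not part of $SkuPartNumber." }
        $plan.ServicePlanId
    })

    # Same body shape as the assignLicense POST request above.
    $body = @{
        addLicenses    = @(@{ skuId = $sku.SkuId; disabledPlans = $disabled })
        removeLicenses = @()
    }
    Set-MgGroupLicense -GroupId $GroupId -BodyParameter $body
}

function Get-LicensedGroups {
    # Graph SDK equivalent of the Get-MsolGroup query: groups with at least one license.
    $skuNames = @{}
    Get-MgSubscribedSku | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

    Get-MgGroup -All -Property Id,DisplayName,AssignedLicenses,LicenseProcessingState |
        Where-Object { $_.AssignedLicenses } |
        Select-Object Id, DisplayName,
            @{ Name = "Licenses"; Expression = { ($_.AssignedLicenses | ForEach-Object { $skuNames[$_.SkuId] }) -join ", " } },
            @{ Name = "ProcessingState"; Expression = { $_.LicenseProcessingState.State } }
}

Set-GroupLicenseByName -GroupId "1ad75eeb-7e5a-4367-a493-9214d90d54d0" -SkuPartNumber "ENTERPRISEPACK" -DisablePlanNames "SWAY"
Get-LicensedGroups | Format-Table -AutoSize
```

The ProcessingState column is worth watching after an assignment: Azure AD applies a group license to members in the background, and the group's licenseProcessingState reports whether that pass has completed.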

The pros and cons of group-based licensing

When verifying a user's license assignments in the Office 365 admin portal, administrators will see the two types of licenses a user can hold: direct licenses assigned from the admin portal and inherited licenses that come from an Azure AD group-based assignment.

Direct licenses are more flexible: the administrator can add or remove them per user. An inherited license cannot be edited for a single user; changing what a user receives from a group license means moving the user to a different group, or creating a new group, whose license options differ. One caveat when migrating: if a user holds the same license both directly and through a group, the direct assignment stays in place even after the group assignment is removed, so a move to group-based licensing should finish by removing the now-redundant direct assignments.
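The following added example (not part of the original article) reads a user's licenseAssignmentStates through the Microsoft Graph PowerShell SDK to show, for each license, whether it is direct or inherited from a group, along with the assignment state and any error, for instance a CountViolation when the group has more members than the tenant has licenses, or ProhibitedInUsageLocationViolation when the user's usage location is not set. The user principal name is an assumed placeholder.

```powershell
# Added example: distinguish direct from group-inherited licenses for one user and
# surface assignment errors. Requires Microsoft.Graph.Users, Microsoft.Graph.Groups and
# Microsoft.Graph.Identity.DirectoryManagement; the UPN below is a placeholder.
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Organization.Read.All"

function Get-UserLicenseSources {
    param([Parameter(Mandatory)] [string] $UserId)

    # Translate SKU GUIDs to readable part numbers.
    $skuNames = @{}
    Get-MgSubscribedSku | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

    # licenseAssignmentStates is not returned by default, so request it explicitly.
    $user = Get-MgUser -UserId $UserId -Property Id,UserPrincipalName,LicenseAssignmentStates

    foreach ($s in $user.LicenseAssignmentStates) {
        # assignedByGroup is null for a direct assignment and the group's object ID otherwise.
        $source = if ($s.AssignedByGroup) {
            "Group: " + (Get-MgGroup -GroupId $s.AssignedByGroup -Property DisplayName).DisplayName
        } else {
            "Direct"
        }
        [pscustomobject]@{
            User          = $user.UserPrincipalName
            Sku           = $skuNames[$s.SkuId]
            Source        = $source
            State         = $s.State     # Active, ActiveWithError, Disabled or Error
            Error         = $s.Error     # None, CountViolation, ProhibitedInUsageLocationViolation, ...
            DisabledPlans = ($s.DisabledPlans -join ",")
        }
    }
}

Get-UserLicenseSources -UserId "user@contoso.example" | Format-Table -AutoSize
```

A row with Source "Direct" and another row for the same Sku with Source "Group: ..." is exactly the duplicate assignment described above; the direct one is what to remove once the group assignment shows State Active.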

Using dynamic and static groups to assign licenses to a set of users streamlines license management for IT. It is also an efficient way to move a large group of users from one set of licenses to another, which is helpful for enterprises with a substantial user base.
