Managing Licensing with Azure AD Group-based License Assignment

One of the biggest headaches with onboarding new users with Microsoft 365 can be license assignment. A big issue with managing the ongoing usage of Microsoft 365 services can be making sure everyone has the right products enabled in a consistent way. In this article, we explore assigning licenses, and automating that assignment, using features in Azure AD.

With the use of Microsoft 365, Dynamics 365, and the vast array of Microsoft services across the cloud offerings from Microsoft, it’s all about licensing. Making sure that every user has the right licenses is important, so let’s explore how we could be managing licensing with Azure AD Group-based License Assignment.

Licenses vs. Apps

Before we get into using Azure AD Group-based License Assignment and how it can help us, we wanted to clarify something on licenses vs. apps. Most admins will be familiar with the fact that users need to be assigned licenses to use features. What some may overlook is that many of the licenses are suite bundles: these bundles consist of multiple apps, which we can turn on and off too.

Imagine a user that we want to grant access to Microsoft Teams but we don’t want to allow them to use Microsoft Yammer because that product isn’t supported by our organisation. By assigning a Microsoft or Office 365 license, the user would by default get both. By customising the apps enabled in that license, however, we can turn off Yammer selectively.

The good news is that this type of scenario is supported when managing licensing with Azure AD Group-based License Assignment!

What is Group-based License Assignment?

Right now, how are you assigning your cloud software licenses to users? Manually? Using a custom script that you’ve written that runs when a user account is provisioned?

If you are assigning them manually then this post is absolutely for you. If you’ve already written scripts or tools to handle the licensing for you then perhaps you won’t be as pushed to use Group-based License Assignment, but wouldn’t it be great to have one less thing to support: one less script or piece of code to test and debug?

Group-based License Assignment is a simple concept. When a user is added to a group that has been configured to assign licenses, that user is given those licenses (if you have sufficient available). When a user is removed from the group, the license is removed from them, freeing it up.

Requirements for Group-based License Assignment

In order to use the feature, you need to have an Azure Active Directory Premium P1 or P2 license. You may be immediately thinking that this is some kind of chicken-and-egg scenario where you need to assign the Azure AD Premium license first to get the user started, but that’s not the case.

Once your tenant has been activated for the Premium features, the Group-based License Assignment feature will work. However, to remain within the terms of your licensing agreement, that user must have an Azure AD Premium license assigned to them, and we would recommend assigning it through a license assignment group.

When we think about what else Azure AD Premium offers, such as Custom Branding (which is also in Azure AD Basic), Hybrid Writeback features, Conditional Access, and User and Sign-in Risk Policies (only in Premium P2), it’s one license that almost every organisation should consider applying to every user.

Using Group-based License Assignment

Using the feature couldn’t be easier. First, identify a group that you want to use. This could be a group that you create directly in the cloud in Azure AD, it could be a group that is synced from on-premises via Azure AD Connect, or it could even be a dynamic group (more on this in a minute).

Once you’ve identified your group, head to the Licenses blade for that group within the Azure Portal. From here, you can add the licenses that you want the group to assign. For each license, you can choose which Apps and Services you want to enable.

And that’s it! Once you add users to the group, their licenses will be processed against the group and, if you’ve got sufficient licenses available, they will be assigned.

If you are viewing the licenses assigned to a user via Azure AD you can even see the source: whether the license was directly assigned or was assigned via a group and the name of the group.
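
A check for the two points above (selectively disabled apps and the license source), as an added example that is not code from the original article: it reads records shaped like the licenseAssignmentStates property Microsoft Graph returns for a user, reports direct assignments and failed group assignments, and flags a blocked app that ends up enabled because a user's sources for the same license are combined. The ids, UPNs and plan names are constructed placeholders.

```python
# Added example: audit license sources from Graph-style licenseAssignmentStates.
# All ids, UPNs and plan names below are constructed placeholders.
BLOCKED_PLANS = {"yammer-plan-id"}  # plan the organisation wants switched off
SKU_PLANS = {"sku-e3": {"teams-plan-id", "yammer-plan-id", "exchange-plan-id"}}

def state(sku, group, disabled=(), status="Active", error="None"):
    """Build one constructed licenseAssignmentStates entry."""
    return {"skuId": sku, "assignedByGroup": group,
            "disabledPlans": list(disabled), "state": status, "error": error}

USERS = [
    {"userPrincipalName": "alice@example.test", "licenseAssignmentStates": [
        state("sku-e3", "group-licensing", ["yammer-plan-id"])]},
    {"userPrincipalName": "bob@example.test", "licenseAssignmentStates": [
        state("sku-e3", "group-licensing", ["yammer-plan-id"]),
        state("sku-e3", None)]},  # leftover direct assignment, nothing disabled
    {"userPrincipalName": "carol@example.test", "licenseAssignmentStates": [
        state("sku-e3", "group-licensing", ["yammer-plan-id"],
              status="Error", error="CountViolation")]},  # no seats left
]

def audit(users, sku_plans=SKU_PLANS, blocked=BLOCKED_PLANS):
    """Return (upn, finding, skuId, detail) tuples for assignments needing review."""
    findings = []
    for user in users:
        upn, enabled = user["userPrincipalName"], {}
        for s in user["licenseAssignmentStates"]:
            sku, source = s["skuId"], s["assignedByGroup"] or "direct"
            if s.get("error") not in (None, "None"):
                # Failed assignments grant nothing; report and skip them.
                findings.append((upn, "assignment-error", sku, f"{source}:{s['error']}"))
                continue
            if source == "direct":
                findings.append((upn, "direct-assignment", sku, "direct"))
            # Plans enabled by this source = bundle minus its disabled plans.
            plans = sku_plans[sku] - set(s["disabledPlans"])
            enabled.setdefault(sku, set()).update(plans)  # union across sources
        for sku, plans in enabled.items():
            for plan in sorted(plans & blocked):
                findings.append((upn, "blocked-plan-enabled", sku, plan))
    return findings

if __name__ == "__main__":
    for finding in audit(USERS):
        print(*finding, sep="\t")
```

In the sample, the second user's leftover direct assignment re-enables the plan that the licensing group disables, which is why direct assignments are worth clearing once a group takes over.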

License Assignment with Dynamic Groups

We wanted to address this point separately because frankly, combining the features of Dynamic Groups in Azure AD with Group-based License Assignment offers the ultimate combination of ease of management and consistency across a large estate.

If you aren’t familiar with Dynamic Groups, this is another feature available within Azure AD Premium. Simply put, you create a group with a set of conditions. When a user (or a device) meets the criteria, they are added to the group.

Rather than trying to explain everything that’s possible with a Dynamic Group, simply head over to the documentation for the feature and have a look for yourself at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership.

A typical scenario could be that everyone in a given department needs a Project Online license. Using an Azure AD Dynamic Group that looks for the user.department attribute to match a specific value, a new user who matches is added to the group and, in turn, has the license automatically assigned. If that user then moves to another role in the business and their department changes, they are removed from the group and the license is removed with it.

At Arcible, we think that combining these two features is really powerful and has so many possibilities for use beyond just licensing but that’s a larger conversation.

Learning more about Azure AD Premium

If we’ve got you interested in what’s possible with Group-based License Assignment, Dynamic Groups, or you want to learn more about the other features of Azure AD Premium like Conditional Access then get in touch with us to find out more.

We can help you investigate and leverage these features as a Consultancy engagement or as part of our Enterprise Mobility or our Security and Identity solutions.