If you’re struggling with figuring out how to manage Office 365 user licensing at scale, look no further! You can now manage Office 365 user licensing by a group with Azure Active Directory (AD) group based licensing with Office 365!
Office 365 group based licensing allows you to standardize licensing applications by managing them in groups rather than by individual users. This can soon turn into a huge time-saver for admins! With a seemingly never-ending rollout of Office 365 services, you owe it to yourself to manage licenses in bulk.
Azure AD Group-based licensing is a system of implementing a licensing template that is assigned to users through group membership. Unlike manual license assignments that can be performed in the Microsoft 365 Admin Center, all portal-based tasks must be performed in the Azure AD portal.
In this article, you’re going to learn how Office 365 licensing works today and then how you can save a lot of time and management headaches with Azure group-based licensing.
Let’s get started!
Licensing Office 365 (The Hard Way)
Office 365 consists of a suite of services like Exchange Online, SharePoint Online, and Skype for Business Online, among others. Each service can be licensed individually by the user.
Individual Licenses
For example, let’s say you have purchased an Exchange Online Plan 1 license product. You’d like to allocate a user license to that product using a single Exchange Online mailbox.
In the Microsoft 365 Admin Portal, you’d click on Assign as shown below to apply the Exchange Online Plan 1 license product to the mailbox.
The above example is for one product – Exchange Online. But licensed products also come in suites with the Microsoft or Office 365 E3 license product, for instance.
Suite Licenses
When assigning a suite license, the individual services can be controlled as you can see below. Here you can apply license products to the mailbox at once.
Using PowerShell May Work But Comes with Drawbacks
At some point, an organization may then need to update user licenses. They then may turn to PowerShell. Although a PowerShell script is certainly a solution, it’s not as simple as one might expect.
Even if you know how to write PowerShell code, you’ll still be faced with a confusing list of various PowerShell modules to use like MSOnline, AzureAD, AzureADPreview, and Az. Which one do you use in which circumstance? It’s not entirely clear. All work similarly.
The hardest part is figuring out which PowerShell cmdlets in these modules map to options in the Microsoft 365 Admin Portal. Inside PowerShell, you’ll see cryptic names like Deskless for Office Online. These names are not in the Microsoft 365 Portal.
To assign and remove user licenses with PowerShell, you’d have to find license SKUs, build a list of license options by navigating those cryptic names, and more. There is no simple cmdlet (within these modules) to easily enable and disable user licenses.
Although this approach works, it will mean writing a lot of PowerShell code which comes with its own set of management challenges.
Azure AD group-based licensing removes the requirement to get into the weeds with PowerShell and simplifies the license management process.
Licensing with Office 365 Group Based Licensing
To forego the challenges of managing user licenses individually or using PowerShell, let’s dive into how to manage licenses via groups via Office 365 group based licensing.
Prerequisites
If you plan to follow along with the following demonstration, know that you will need to meet a few prerequisites. You’ll first need to ensure you’re in an organization with the following licenses (paid subscriptions or active trials):
- Azure AD Premium P1, or higher
- Office 365 E3 license (or equivalent), or higher
- Enterprise Mobility + Security E3, or higher (includes Azure AD Premium P1)
- Microsoft 365 E3, or higher (includes both Office 365 E3, or higher and Enterprise Mobility + Security, or higher)
In addition, each user that has licenses applied via Office 365 group based licensing must have licenses for the product to be assigned.
Licensing Requirements
Office 365 group based licensing is only available for organizations with the following licenses (paid subscriptions or active trials):
- Azure AD Premium P1, or higher
- Office 365 E3 license (or equivalent), or higher
- Enterprise Mobility + Security E3, or higher (includes Azure AD Premium P1)
- Microsoft 365 E3, or higher (includes both Office 365 E3, or higher and Enterprise Mobility + Security, or higher)
In addition, each user that has licenses applied via Office 365 group based licensing must have licenses for the product to be assigned and the previously mentioned licensing to support group-based licensing.
License requirements for Office 365 group based licensing present a “chicken and egg” problem. The prerequisite licenses must be available, but without having assigned the licenses, the users do not have the required license assigned. To account for this problem, Azure AD Group-based licensing is enabled tenant-wide as soon as subscriptions that meet the licensing requirements exist.
To remain in the spirit of the license, only the number of users that will be assigned one of the required licenses should have group-based licensing applied.
If, for example, 300 Office 365 E3 licenses exist (and no Azure AD Premium licenses exist), then only 300 users should be licensed via group-based licensing. There is no control that prevents exceeding the limits, so self-auditing is recommended to ensure tenants remain in compliance.
More information on licensing requirements can be found on Microsoft’s licensing requirements page.
Azure AD Group-Based Licensing How-To Walkthrough
To implement Office 365 group based licensing, you must perform the following four rough steps:
- Create a group in Azure AD (synchronized, on-premises group, or a group only in Azure AD)
- Choose a license to apply
- Choose the license options to apply
- Select the applicable group(s) to apply the license settings
Once these steps have been done, licenses can be applied in a consistent manner to users by assigning them to the appropriate groups.
Let’s now get our hands dirty and walk through a simple example of how to implement Office 365 group based licensing!
Creating an Azure AD Group
The first task you’ll need to do is create a group. This is the group you’ll eventually use to assign licenses to members inside of the group.
The following steps are displayed in the next screenshot.
- To get started, ensure you’re logged into the Azure AD Portal.
- In the portal, navigate to Azure Active Directory —> Groups.
- Click New group.
- Assign the Group name as E3 Standard. You can choose any group name you wish.
- Click Members to add the desired members, select the desired users and click on Select.
- Click Create to confirm the creation of the group.
Assigning Office 365 License to the Azure AD Group
Once the group is created, it’s time to assign product licenses to the group. The following steps are displayed in the next screenshot.
- While still in the Azure AD portal, navigate to Azure Active Directory —> Licenses —> All products.
- Check the product to license as Microsoft 365 E3 or another product.
- Click Assign.
- To choose the assignment group, click Users and groups.
- Select E3 Standard or the name of the group created earlier.
- Click Select.
- Click Assignment options.
- Toggle the desired options.
- Click OK.
- Click Assign as seen below.
More information can be found on the Assign licenses to users by group membership in Azure Active Directory page.
If a user is assigned to multiple groups the various SKUs and options will be added together to form to total license assignment for the user.
Direct vs. Inherited Licensing
A key concept for Office 365 group based licensing is Direct versus Inherited licensing. If a user has had licenses assigned manually, these are known as direct assignments, and Azure AD Group-based Licensing will not override these. Reviewing a member of a group that has had directly assigned and licenses inherited, you can see below.
Removing Office 365 Licenses
For Office 365 group based licensing to be effective, direct-assigned licenses should be removed such that any changes to assignment options are handled with consistency via a group assignment. Any inherited assignments will remain, so the previous redundancy works to transition the user to group-based licensing seamlessly.
When users are assigned a license both directly and via inheritance, the redundant direct license assignment must be removed. To do so, in the Azure AD Portal:
- Navigate to Users.
- Select the user to modify.
- Click Licenses.
- Click on the license to remove.
- Click Remove license.
- Click Yes.
You can see in the below screenshot what this will look like from steps five and six.
After a few moments, only the inherited license remains, as seen below.
For more information, refer to the Microsoft page on How to migrate users with individual licenses to groups for licensing.
After the direct licenses have been removed, users will be managed entirely through groups-based licensing.
Removing Groups with Group-Based Licensing
As a fail-safe mechanism, a group involved in Office 365 group based licensing cannot be removed until all licenses assigned handled by the group are removed. This is to prevent inadvertent license removal that would result in users being unable to perform work.
In order to remove a group, follow the below steps:
- In the Azure AD Portal navigate to Azure Active Directory —> Licenses —> All products.
- Check the product to license Microsoft 365 E3.
- Check the group to remove.
- Click Remove license.
- Click Yes.
You can see what steps four through six looks like below.
Now the group may be removed. Be mindful of any other potential conflicts that removing licensing from a group could create, like with dependent products.
Remediating Licensing Issues
As with direct licensing, where the admin portal displays errors in applying licenses, groups-based licensing can encounter the same circumstances which must be reconciled.
When licensing issues occur with groups-based licensing, administrators are not interactively working with the portal or PowerShell and will need to become informed of such issues. Licensing issues can be identified in the Azure AD portal under the licensing section, as seen below.
Conflicting Licenses
Some subscriptions have conflicting versions of licenses that cause a failure to occur when applying licenses. This failure happens when manually assigning licenses and using Office 365 group based licensing at the same time.
When you assign the Exchange Online Plan 1 license and there is an attempt to assign a license that includes Exchange Online Plan 2, or SharePoint Online Plan 1 and SharePoint Online Plan 2 is a great example. The licenses will conflict with each other.
To resolve this issue, refer to the above steps on removing the direct assignment that causes the conflict or, if necessary, removing the group-based membership.
This situation can be tricky to navigate if the combination of assignments is necessary to get a complete licensing profile assigned to a user.
No Unassigned Licenses are Available
Even though you do everything right you might still end up in a situation where you simply run out of licenses to assign. As mentioned in the Prerequisites section, each license applied via groups-based licensing must be available within the tenant’s subscriptions.
If there are 30 users, for example, in a group being assigned an Office 365 E3 license but there are only 25 licenses for that SKU, there will not be enough unassigned licenses to fulfill the settings applied through groups-based licensing. You can see an example of this situation below.
Unmet Dependencies
Certain licenses depend on other licenses being applied. For instance, individual licenses for PSTN service for Skype for Business and/or Microsoft Teams require all users to have the underlying products assigned.
In this instance, if a user is not assigned options for Skype for Business or Microsoft Teams, any PSTN licenses applied will result in an unmet dependency which but be remediated prior to any PSTN functionality being available to the assigned users.
Unassigned Usage Location
Before a user can be assigned any licenses, a usage location must be selected. The usage location is used when legal or regulatory mandates exist that restrict certain products from being used. If no usage location is assigned, the tenant location will be assigned as the usage location with groups-based licensing. While this allows the user to function, it could result in legal or regulatory ramifications.
With a direct license assigned, an error would be presented rather than automatically assigning the tenant location as the usage location.
Reprocessing Users
After remediating any licensing errors, users may still not be in a proper license assignment. In such an event, it is necessary to force the reprocessing of license assignments.
To reprocess licensing for a user:
- Navigate to Users.
- Select the user to reprocess
- Click Licenses.
- Click Reprocess.
More information can be found at the Identify and resolve license assignment problems for a group in Azure Active Directory Microsoft docs page.
Summary
Azure AD Group-based licensing can contribute to the consistent assignment and updating of product licensing within Office 365. In addition, it can be part of a mature provisioning process; such a process may begin with user creation in Active Directory, synchronization to Azure AD, provisioning an Exchange Online mailbox via the on-premises Exchange Management Shell, and assigning licenses through Office 365 group based licensing.