If you're struggling with figuring out how to manage Office 365 user licensing at scale, look no further! You can now manage Office 365 user licensing by a group with Azure Active Directory (AD) group-based licensing.

Azure AD group-based licensing allows you to standardize licensing application by managing them in groups rather than by individual users. This can soon turn into a huge time-saver for admins! With a seemingly never-ending rollout of Office 365 services, you owe it to yourself to manage licenses in bulk.

Azure AD Group-based licensing is a system of implementing a licensing template that is assigned to users through group membership. Unlike manual license assign that can be performed in the Microsoft 365 Admin Center, all portal-based tasks must be performed in the Azure AD portal.

In this article, you're going to learn how Office 365 licensing works today and then how you can save a lot of time and management headaches with Azure group-based licensing.

Let's get started!

Licensing Office 365 (The Hard Way)

Office 365 consists of a suite of services like Exchange Online, SharePoint Online, Skype for Business Online, among others. Each service can be licensed individually by user.

Individual Licenses

For example, let's say you have purchased an Exchange Online Plan 1 license product. You'd like to allocate a user license to that product using a single Exchange Online mailbox.

In the Microsoft 365 Admin Portal, you'd click on Assign as shown below to apply the Exchange Online Plan 1 license product to the mailbox.

Assigning a user-based license

The above example is for one product - Exchange Online. But licensed products also come in suites with the Microsoft or Office 365 E3 license product, for instance.

Suite Licenses

When assigning a suite license, the individual services can be controlled as you can see below. Here you can apply license products to the mailbox at once.

Assigning suite licenses

Using PowerShell May Work But Comes with Drawbacks

At some point, an organization may then need to update user licenses. They then may turn to PowerShell. Although a PowerShell script is certainly a solution, it's not as simple as one might expect.

Even if you know how to write PowerShell code, you'll still be faced with a confusing list of various PowerShell modules to use like MSOnline, AzureAD, AzureADPreview and Az. Which one do you use in which circumstance? It's not entirely clear. All work similarly.

The hardest part is figuring out which PowerShell cmdlets in these modules map to options in the Microsoft 365 Admin Portal. Inside of PowerShell, you'll see cryptic names like Deskless for Office Online. These names are not in the Microsoft 365 Portal.

To assign and remove user licenses with PowerShell, you'd have to find license SKUs, build a list of license options by navigating those cryptic names and more. There is no simple cmdlet (within these modules) to easily enable and disable user licenses.

Although this approach works, it will mean writing a lot of PowerShell code which comes with its own set of management challenges.

Azure AD group-based licensing removes the requirement to get into the weeds with PowerShell and simplifies the license management process.

Licensing with Azure AD Group-Based Licensing

To forego the challenges of managing user licenses individually or using PowerShell, let's dive into how to manage licenses via groups via group-based licensing.

Prerequisites

If you plan to follow along with the following demonstration, know that you will need to meet a few prerequisites. You'll first need to ensure you're in an organization with the following licenses (paid subscriptions or active trials):

  • Azure AD Premium P1, or higher
  • Office 365 E3  license (or equivalent), or higher
  • Enterprise Mobility + Security E3, or higher (includes Azure AD Premium P1)
  • Microsoft 365 E3, or higher (includes both Office 365 E3, or higher and Enterprise Mobility + Security, or higher)

In addition, each user that has licenses applied via group-based licensing must have licenses for the product to be assigned.

Licensing Requirements

Azure AD Group-based licensing is only available for organizations with the following licenses (paid subscriptions or active trials):

  • Azure AD Premium P1, or higher
  • Office 365 E3 license (or equivalent), or higher
  • Enterprise Mobility + Security E3, or higher (includes Azure AD Premium P1)
  • Microsoft 365 E3, or higher (includes both Office 365 E3, or higher and Enterprise Mobility + Security, or higher)

In addition, each user that has licenses applied via group-based licensing must have licenses for the product to be assigned and the previously mentioned licensing to support group-based licensing.

License requirements for Azure AD Group-based licensing present a “chicken and egg” problem. The prerequisite licenses must be available, but without having assigned the licenses, the users do not have the required license assigned. To account for this problem, Azure AD Group-based licensing is enabled tenant-wide as soon as subscriptions that meet the licensing requirements exist.

To remain in the spirit of the license, only the number of users that will be assigned one of the required licenses should have group-based licensing applied.

If, for example, 300 Office 365 E3 licenses exist (and no Azure AD Premium licenses exist), then only 300 users should be licensed via group-based licensing. There is no control that prevents exceeding the limits, so self-auditing is recommended to ensure tenants remain in compliance.

More information on licensing requirements can be found on Microsoft's licensing requirements page.

Azure AD Group-Based Licensing How-To Walkthrough

To implement Azure AD group-based licensing consists of four rough steps:

  1. Create a group in Azure AD (synchronized, on-premises group or a group only in Azure AD)
  2. Choose a license to apply
  3. Choose the license options to apply
  4. Select the applicable group(s) to apply the license settings

Once these steps have been done, licenses can be applied in a consistent manner to users by assigning them to the appropriate groups.

Let's now get our hands dirty and walk through a simple example of how to implement Azure AD Group-based licensing.

Creating an Azure AD Group

The first task you'll need to do is create a group. This is the group you'll eventually use to assign licenses to members inside of the group.

The following steps are displayed in the next screenshot.

  1. To get started, ensure you're logged into the Azure AD Portal.
  2. In the portal, navigate to Azure Active Directory —> Groups.
  3. Click New group.
  4. Assign the Group name as E3 Standard. You can choose any group name you wish.
  5. Click Members to add the desired members, select the desired users and click on Select.
  6. Click Create to confirm creation of the group.
Creating an Azure AD group

Assigning Office 365 License to the Azure AD Group

Once the group is created, it's time to assign product licenses to the group. The following steps are displayed in the next screenshot.

  1. While still in the Azure AD portal, navigate to: Azure Active Directory —> Licenses —> All products.
  2. Check the product to license as Microsoft 365 E3 or another product.
  3. Click Assign.
  4. To choose the assignment group, click Users and groups.
  5. Select E3 Standard or the name of the group created earlier.
  6. Click Select.
  7. Click Assignment options.
  8. Toggle the desired options.
  9. Click OK.
  10. Click Assign as seen below.
Assigning license to Azure AD group

More information can be found at the Assign licenses to users by group membership in Azure Active Directory page.

If a user is assigned to multiple groups the various SKUs and options will be added together to form to total license assignment for the user.

Direct vs. Inherited Licensing

A key concept for Azure AD Group-based licensing is Direct versus Inherited licensing. If a user has had licenses assigned manually, these are known as direct assignments and Azure AD Group-based Licensing will not override these. Reviewing a member of a group that has had directly-assigned and licenses inherited, you can see below.

Direct vs. inherited license

Removing Office 365 Licenses

For Azure AD group-Based licensing to be effective, direct-assigned licenses should be removed such that any changes to assignment options are handled with consistency via a group assignment. Any inherited assignments will remain, so the previous redundancy works to transition the user to group-based licensing seamlessly.

When users are assigned a license both directly and via inheritance, the redundant direct license assignment must be removed. To do so, in the Azure AD Portal:

  1. Navigate to Users.
  2. Select the user to modify.
  3. Click Licenses.
  4. Click on the license to remove.
  5. Click Remove license.
  6. Click Yes.

You can see in the below screenshot of what this will look like from steps five and six.

Removing a direct license

After a few moments, only the inherited license remains, as seen below.

Direct license has been removed

For more information, refer to the Microsoft page on How to migrate users with individual licenses to groups for licensing.

After the direct licenses have been removed, users will be managed entirely through groups-based licensing.

Removing Groups with Group-Based Licensing

As a fail-safe mechanism, a group involved in groups-based licensing cannot be removed until all license assigned handled be the group are removed. This is to prevent inadvertent license removal that would result in users being unable to perform work.

In order to remove a group, follow the below steps:

  1. In the Azure AD Portal navigate to Azure Active Directory —> Licenses —> All products.
  2. Check the product to license Microsoft 365 E3.
  3. Check the group to remove.
  4. Click Remove license.
  5. Click Yes.

You can see what steps four through six look like below.

Removing a group-based license

Now the group may be removed. Be mindful of any other potential conflicts that removing licensing from a group could create, like with dependent products.

Remediating Licensing Issues

As with direct licensing, where the admin portal displays errors in applying licenses, groups-based licensing can encounter the same circumstances which must be reconciled.

When licensing issues occur with groups-based licensing, administrators are not interactively working with the portal or PowerShell and will need to become informed of such issues. Licensing issues can be identified in the Azure AD portal under the licensing section, as seen below.

Inspecting license problems

Conflicting Licenses

Some subscriptions have conflicting versions of licenses that cause a failure to occur when applying licenses. This failure happens when manually assigning licenses and using group-based licensing at the same time. An example of this behavior is when the Exchange Online Plan 1 license is assigned and there is an attempt to assign a license that includes Exchange Online Plan 2, or SharePoint Online Plan 1 and SharePoint Online Plan 2. The licenses will conflict with each other.

To resolve this issue, refer to the above steps on removing the direct assignment that causes the conflict or, if necessary, remove the group-based membership.

This situation can be tricky to navigate if the combination of assignments is necessary to get a complete licensing profile assigned to a user.

No Unassigned Licenses are Available

Even though you do everything right you might still end up in a situation where you simply run out of licenses to assign. As mentioned in the Prerequisites section, each license applied via groups-based licensing must be available within the tenant’s subscriptions.

If there are 30 users, for example, in a group being assigned an Office 365 E3 license but there are only 25 licenses for that SKU, there will not be enough unassigned licenses to fulfill the settings applied through groups-based licensing. You can see an example of this situation below.

Not enough licenses available

Unmet Dependencies

Certain licenses depend on other licenses being applied. For instance, individual licenses for PSTN service for Skype for Business and/or Microsoft Teams require all users to have the underlying products assigned.

In this instance, if a user is not assigned options for Skype for Business or Microsoft Teams, any PSTN licenses applied will result in an unmet dependency which but be remediated prior to any PSTN functionality to be available to the assigned users.

Unassigned Usage Location

Before a user can be assigned any licenses, a usage location must be selected. The usage location is used when legal or regulatory mandates exist that restrict certain products from being used. If no usage location is assigned, the tenant location will be assigned as the usage location with groups-based licensing. While this allows the user to function, it could result in legal or regulatory ramifications.

With direct license assigned, an error would be presented rather than automatically assigning the tenant location as the usage location.

Reprocessing Users

After remediating any licensing errors, users may still not be in a proper license assignment. In such an event, it is necessary to force the reprocessing of license assignments.

To reprocess licensing for a user:

  1. Navigate to Users.
  2. Select the user to reprocess
  3. Click Licenses.
  4. Click Reprocess.
Reprocessing licenses

More information can be found at the Identify and resolve license assignment problems for a group in Azure Active Directory Microsoft docs page.

Summary

Azure AD Group-based licensing can contribute to the consistent assignment and updating of product licensing within Office 365. In addition, it can be part of a mature provisioning process; such a process may begin with user creation in Active Directory, synchronization to Azure AD, provisioning an Exchange Online mailbox via the on-premises Exchange Management Shell, and assigning licenses through groups-based licensing.

Further Reading