Azure AD Group Based Licensing

As opposed to adding cloud based licenses per user basis or via PowerShell to automate license assignment with a security group, Azure’s group based licensing is easy to do and will save a lot of time.
This setup is ideal for the organizations which has a number of licenses for different types of users. Also will be beneficial for the scenarios when not all the features needs to be activated for a given user group/ type to perform their specific role.

Requirements
The Admin account that creates the Groups Should have Office 365 E3 or A3
OR
Account that creates the Groups Should have Azure P1

Group types that can be used
Azure AD Security Groups/ Security Enabled Distribution groups
Synced security groups/ / Security Enabled Distribution groups from the on-prem AD

Ways to do it
Add users manually to the group and they will be assigned to the allocated license to that group
Dynamically – Depending on the user’s attribute, that user will be a member of that group (dynamic groups are available with Azure AD Premium P1 license)

More on Azure Dynamic Groups
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-create-rule

Use case
In my scenario, I have On-Premises synced users in my Azure AD and I will create the Security Group in the On-Prem AD and will sync it to Azure AD
Anyone who is a member of this group should get Office 365 E3 and Visio Plan 2

1. Create the Group in AD and perform a Sync

How Office 365 Admin Center would see it


2. License assignment
Go to https://aad.portal.azure.com
Go to Azure Active Directory tab
Go to the Groups blade
Search the Group
Go to Licenses

Click on Assignments

Select the available licenses for your tenant. I have selected Office 365 E3 and Visio Plan 2 as per my requirement

You can customize the license features further by Reviewing the license options from the right hand-side so only the selected features will get assigned to the group and to the members in it.

After the assigning the licenses to the group, it might take few minutes before it’ll be visible in the console.

From now onwards, whenever you add a user to this Security Group from the On-rem AD, after the next sync the account membership will be synced to Azure AD, which then according to the previous assignment, the member in that gouyp will get the licenses assigned.

This is how the user is visible in that group after the sync

Two things I would like to note here.
1. State – Conflicting Service Plans – This means one or many features in once license is already available in another assigned license
2. Assignment Paths – Inherited (Azure-Lic-E3) is the Group assignment
Direct – Is the license that’s being assigned manually from the M365 Admin center.

To resolve the issue in the State, go to on of the assigned licenses and check for errors

To rectify this…
Go to the Azure Active Directory > Groups > Licenses > Click on the license that has duplicated features and switch them off > Save > click on Reprocess button on top.
If there are more errors, it will give you a prompt so you can follow that to resolve it.

Make sure you have enough licenses as well. If not, buy them 1st and then once they are visible in the portal, click on Reprocess.

Once the errors are sorted, the status will change to Active and whenever you add a user to this group, the license assignment will be automatically happen and that will remove one step of the user cloud enablement process.

 

 

 
 
Featured image: Office Vectors by Vecteezy

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.