One of the limitations of Microsoft’s Office 365 has been the lack of tools to manage license assignment, with Microsoft providing the Office 365 Admin Center or PowerShell commands to manage licenses on an individual per user basis. This has meant Admins have had to develop complex PowerShell scripts to try and apply a level of automation to license management in Office 365, or take the time consuming route of manually managing licenses.
Further, when Microsoft adds in new functionality to Office 365 it can automatically license your end users for that new functionality (depending on how you have assigned licenses to your end users). This might provide functionality you do not want, or do not need, your end users to have. Overall, license management in Office 365 leaves a lot to be desired.
In order to address the requests for a more robust license management mechanism in Office 365, Microsoft has introduced group-based license management into Azure (Active Directory) AD for public preview. This feature will allow the definition of “license templates,” which can be applied to Azure AD security groups. Azure AD will then automatically assign and remove licenses as users are added and removed from the group.
The license templates allow you to selectively enable and disable service components within the Office 365 product licenses, allowing large service suites, such as Office 365 Enterprise E5, to be rolled out in a staged deployment. For example, one can initially roll out Exchange Online and then selectively add in additional services when the initial migration to Exchange Online has been completed.
The security groups used for the license templates can be synchronised from on-premises AD or created directly in Azure AD. In addition, if you have an Azure AD Premium P1 subscription, you can use dynamic groups to further automate the license management flow.
Also, with an Azure AD Premium P1 subscription you can make use of the self-service group functionality to give your users the ability to decide if they require a license to a product, and request membership to the relevant group.
All Microsoft Online services that have user level licensing are supported for group-based license management.
License assignments using group-based license management will stack. This means that it is possible to create a base license template to apply a basic level of functionality to your end users, and then create additional license templates to light up additional functionality without having to create individual license templates for every combination of licenses you want to deploy.
For the duration of the public-preview you will need a subscription for Azure AD Basic or above. If you don’t already have one, you can sign up for an Enterprise Mobility + Security trial. When group-based license management becomes generally available it will be included in Office 365 Enterprise E3 and similar products. Also, the feature is only available in the Azure Portal.
There are some known limitations and issues with the public preview, including:
- Group-based licensing currently does not support “nested groups” (groups that contain other groups). If you apply a license to a nested group, only the immediate first-level user members of the group have the licenses applied.
- One or more of the licenses could not be modified because they are inherited from a group membership. To view or modify group based licenses visit the Azure admin portal.
- The Office 365 admin portal does not currently support group-based licensing. If a user inherits a license from a group, this license appears in the Office admin portal as a regular user license. If you try to modify that license (for example, to disable a service in the license), or try to remove the license, the portal returns an error message. Inherited group licenses cannot be modified directly on a user.
- When a user is removed from a group and loses the license, the service plans from that license (for example, Exchange Online or SharePoint Online) are set to a “suspended” state. The service plans are not set to a final, disabled state. This is a precaution to avoid accidental removal of user data, if an admin makes a mistake in group membership management.
- When licenses are assigned or modified for an extremely large group (for example, 100,000 users), this could impact performance. Specifically, the volume of changes generated by Azure AD automation might negatively impact the performance of your directory synchronization between Azure AD and on-premises systems. This could cause delays in directory sync in your environment.
- License management automation does not automatically react to all types of changes in the environment. For example, you might have a shortage of licenses, causing some users to be in an error state. To free up the available seat count, you can remove the directly assigned licenses from other users. However, the system does not automatically react to this change and fix users within that error state.
- Even though group-based license management is only in public preview it does give you a good idea of how the service will work once released to general availability, as well as the ability to test the functionality and plan the roll out for a smooth transition to group-based licensing in your environment.SoftwareONE has been helping customers all over the world transform and adopt the latest innovations available through cloud technologies. Why not reach out to us and see how we can help you in your journey.
SoftwareONE has been helping customers all over the world transform and adopt the latest innovations available through cloud technologies. Why not reach out to us and see how we can help you in your journey?