Automated Office 365 License Assignment with Entra ID Premium

If you’ve recently begun an Office 365 deployment, you’ve undoubtedly run up against the problem of how to assign an Office 365 license to your users. Out of the box, the only option is a manual process of assigning licenses one by one. If you have more than a handful of users, that’s not a long-term option.

Without a license, end users will not be able to use Office 365 services like Exchange Online or OneDrive for Business, so it’s critical that users have the right Office 365 license(s) assigned to them. Historically, automating the assignment of licenses has required the development of custom PowerShell scripts or purchasing a third-party solution.

However, Microsoft has finally solved this problem with the introduction of Group Based License Assignment in Entra ID (formerly Azure Active Directory) Premium. With this new feature, you can automatically assign licenses to users based on their membership in security groups. These security groups can be synchronized from your on-premises Active Directory domain, or you can use dynamic security groups in Entra ID Premium that are automatically updated.

Even more helpful, you can not only assign entire licenses (e.g. Office 365 E3), you can also decide which components (service plans) of an Office 365 license to include or exclude from the assignment. For example, you might decide that all users receive an E3 license, but only hourly employees are licensed for the Microsoft StaffHub component of E3.

Group Based Licensing is a premium feature, so you’ll need to make sure the users you need to license are covered by an Entra ID Premium or Enterprise Mobility Suite license. You’ll need to be a Global admin in Entra ID to configure this feature.

Six Steps to Group Based License Assignment

Getting started is easy. In this example, we’ll assign Office 365 E3 to a group called All Users, but we’ll make sure those users don’t get access to StaffHub. To begin, log in to the Azure management portal, go to Entra ID, and then follow these steps:

1 Click Licenses from the list of tasks:


2 Click All products

3 Select Office 365 Enterprise E3, and then click Assign on the toolbar:


4 Click Select users and/or groups and select the All Users group. Click Select on the bottom of the list.

5 Click Assignment options. Change the Microsoft StaffHub slider to Off and then click OK:


6 Finally, click Assign.

Once you complete this step, users will automatically be assigned the Office 365 E3 license without the Microsoft StaffHub component. After you assign licenses to a group, the change may not always happen in real time, but it should still happen quickly. If you assign a license to a very large group, it may take additional time for Entra ID to process your request.

Going forward, if you’re using groups synchronized from your on-premises Active Directory, as users are added to the group, they’ll automatically receive any additional licenses, and likewise as they’re removed from the group, they’ll lose the license they received from the group.

If you were previously assigning licenses directly to users, removing them from a group that also assigns the license won’t remove that license from them. The “direct” license assignment will still exist until you manually remove it.
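To find the leftover direct assignments described above, the following PowerShell is an added example, not code from the original post. It assumes input shaped like the `licenseAssignmentStates` property that Microsoft Graph returns for a user; the function name `Get-DirectLicenseFinding` and all sample values are hypothetical.

```powershell
# Added example. Input has the shape of Graph's user.licenseAssignmentStates; live data:
#   Get-MgUser -All -Property Id,UserPrincipalName,LicenseAssignmentStates
function Get-DirectLicenseFinding {
    param([Parameter(Mandatory)] [object[]] $User)

    foreach ($u in $User) {
        # One record per (SKU, source). AssignedByGroup is empty on a direct assignment.
        foreach ($sku in ($u.LicenseAssignmentStates | Group-Object -Property SkuId)) {
            $direct   = @($sku.Group | Where-Object { -not $_.AssignedByGroup })
            $viaGroup = @($sku.Group | Where-Object { $_.AssignedByGroup })
            if ($direct.Count -eq 0) { continue }   # group-managed only: nothing to clean up

            $finding = 'Direct only: no group controls this license'
            if ($viaGroup.Count -gt 0) {
                $finding = 'Direct and group: direct copy survives group removal'
            }
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                SkuId             = $sku.Name
                AssignedByGroups  = ($viaGroup.AssignedByGroup -join ';')
                Finding           = $finding
            }
        }
    }
}

# Constructed sample data: users, SKU id and group id are placeholders.
# alice holds the SKU directly and via a group, bob via the group only, carol directly only.
$sample = @'
[
 {"userPrincipalName":"alice@contoso.example","licenseAssignmentStates":[
   {"skuId":"aaaaaaaa-0000-0000-0000-000000000001","assignedByGroup":null,"state":"Active"},
   {"skuId":"aaaaaaaa-0000-0000-0000-000000000001","assignedByGroup":"bbbbbbbb-0000-0000-0000-000000000001","state":"Active"}]},
 {"userPrincipalName":"bob@contoso.example","licenseAssignmentStates":[
   {"skuId":"aaaaaaaa-0000-0000-0000-000000000001","assignedByGroup":"bbbbbbbb-0000-0000-0000-000000000001","state":"Active"}]},
 {"userPrincipalName":"carol@contoso.example","licenseAssignmentStates":[
   {"skuId":"aaaaaaaa-0000-0000-0000-000000000001","assignedByGroup":null,"state":"Active"}]}
]
'@ | ConvertFrom-Json

Get-DirectLicenseFinding -User $sample | Format-Table -AutoSize
```

Reviewing this list before relying on group membership alone shows which users would keep access to a service after they leave the licensing group.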

Taking Group Based Licensing to the Next Step

As you can see, group based licensing can greatly simplify how you assign licenses to users. You will no longer need complicated PowerShell scripts that directly assign licenses to users. Even better, group based licensing isn’t just for Office 365. You can also use group based licensing to assign other licenses like Entra ID Premium, the Enterprise Mobility Suite, or Microsoft Dynamics.

How are you licensing your users in Office 365 today? Have you taken advantage of Entra ID Premium features like group based licensing yet? Learn more here.
