Automated Office 365 License Assignment with Azure AD Premium

If you’ve recently begun an Office 365 deployment, you’ve undoubtedly run up against the problem of how to assign an Office 365 license to your users. Out of the box, the only option is a manual process of assigning licenses one-by-one. If you have more than a handful of users, that’s not a long-term option.

Without a license, end users will not be able to use Office 365 services like Exchange Online or OneDrive for Business, so it’s critical that users have the right Office 365 license(s) assigned to them. Historically, automating the assignment of licenses has required the development of custom PowerShell scripts or purchasing a third-party solution.

However, Microsoft has finally solved this problem with the introduction of Group Based License Assignment in Azure Active Directory Premium (AAD-P). With this new feature, you can automatically assign licenses to users based on their membership in security groups. These security groups can be synchronized from your on-premises Active Directory domain, or you can use dynamic security groups in AAD-P that are automatically updated.

Even more helpful, you can not only assign entire licenses (e.g. Office 365 E3), but also decide which components (service plans) of an Office 365 license to include or exclude from the assignment. For example, you might decide that all users receive an E3 license, but only hourly employees are licensed for the Microsoft StaffHub component of E3.

Group Based Licensing is a premium feature, so you’ll need to make sure the users you need to license are covered by an Azure AD Premium or Enterprise Mobility Suite license. You’ll need to be a Global admin in Azure AD to configure this feature.

Six Steps to Group Based License Assignment

Getting started is easy. In this example, we’ll assign Office 365 E3 to a group called All Users, but we’ll make sure those users don’t get access to StaffHub. To begin, log in to the Azure management portal and go to your Azure Active Directory and then follow these steps:

1. Click Licenses from the list of tasks.

[Screenshot: Office 365 licenses overview]

2. Click All products.

3. Select Office 365 Enterprise E3, and then click Assign on the toolbar.

[Screenshot: Assigning Microsoft Licenses]

4. Click Select users and/or groups and select the All Users group. Click Select on the bottom of the list.

5. Click Assignment options. Change the Microsoft StaffHub slider to Off and then click OK.

[Screenshot: Azure License Assignment Options]

6. Finally, click Assign.

Once you complete this step, users will automatically be assigned the Office 365 E3 license without the Microsoft StaffHub component. Once you assign licenses to a group, the change may not always happen in real time, but it should still happen quickly. If you assign a license to a very large group, it may take additional time for Azure Active Directory to process your request.

Going forward, if you’re using groups synchronized from your on-premises Active Directory, as users are added to the group, they’ll automatically receive any additional licenses, and likewise as they’re removed from the group, they’ll lose the license they received from the group.

If you were previously assigning licenses directly to users, removing them from a group that also assigns the license won’t remove the license. The “direct” license assignment will still exist until you manually remove it.
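Leftover direct assignments matter for offboarding and least privilege, because group removal alone does not revoke the service. The following is an added example, not code from the original article: it audits per-user license assignment states and flags users whose license would survive removal from the group. It assumes the Microsoft Graph PowerShell SDK for live data; the function name Get-LicenseAssignmentAudit and all GUIDs and user names below are constructed for illustration.

```powershell
# Added example. Input objects mirror the licenseAssignmentStates property
# that Microsoft Graph returns for each user.
function Get-LicenseAssignmentAudit {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [guid]     $SkuId
    )
    foreach ($user in $Users) {
        $states = @($user.LicenseAssignmentStates |
            Where-Object { [guid]$_.SkuId -eq $SkuId })
        if ($states.Count -eq 0) { continue }   # user does not hold this SKU
        # AssignedByGroup is empty for a direct assignment,
        # otherwise it holds the object ID of the licensing group.
        $direct  = @($states | Where-Object { -not $_.AssignedByGroup })
        $byGroup = @($states | Where-Object { $_.AssignedByGroup })
        [pscustomobject]@{
            UserPrincipalName    = $user.UserPrincipalName
            ViaGroup             = $byGroup.Count -gt 0
            Direct               = $direct.Count -gt 0
            SurvivesGroupRemoval = $direct.Count -gt 0
            # Group assignments that did not apply cleanly (e.g. no seats left)
            GroupErrors          = @($byGroup | Where-Object { $_.State -ne 'Active' } |
                                       ForEach-Object { $_.Error }) -join ','
        }
    }
}

# Constructed sample data (placeholder GUIDs, not real tenant values).
$sku   = '00000000-0000-0000-0000-0000000000e3'   # stands in for the E3 SkuId
$group = '11111111-1111-1111-1111-111111111111'   # stands in for "All Users"
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; LicenseAssignmentStates = @(
        [pscustomobject]@{ SkuId = $sku; AssignedByGroup = $group; State = 'Active'; Error = 'None' }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com'; LicenseAssignmentStates = @(
        [pscustomobject]@{ SkuId = $sku; AssignedByGroup = $group; State = 'Active'; Error = 'None' }
        [pscustomobject]@{ SkuId = $sku; AssignedByGroup = $null;  State = 'Active'; Error = 'None' }) }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; LicenseAssignmentStates = @(
        [pscustomobject]@{ SkuId = $sku; AssignedByGroup = $group; State = 'Error'; Error = 'CountViolation' }) }
)
Get-LicenseAssignmentAudit -Users $sample -SkuId $sku | Format-Table -AutoSize

# Against a live tenant (assumes the Microsoft Graph PowerShell SDK is installed):
#   Connect-MgGraph -Scopes 'User.Read.All'
#   $users = Get-MgUser -All -Property Id,UserPrincipalName,LicenseAssignmentStates
#   Get-LicenseAssignmentAudit -Users $users -SkuId '<your E3 SkuId>'
```

In the sample, bob@example.com is reported with SurvivesGroupRemoval set to True because he holds both a group-inherited and a direct assignment, and carol@example.com surfaces a group assignment that failed to apply.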

Taking Group Based Licensing to the Next Step

As you can see, group based licensing can greatly simplify how you assign licenses to users. You will no longer need complicated PowerShell scripts that directly assign licenses to users. Even better, group based licensing isn’t just for Office 365. You can also use group based licensing to assign other licenses like Azure Active Directory Premium, the Enterprise Mobility Suite, or Microsoft Dynamics.

How are you licensing your users in Office 365 today? Have you taken advantage of Azure AD Premium features like group based licensing yet? Learn more here.
