ENow Exchange & Office 365 Solutions Engine Blog (ESE)

Assigning Office 365 Licenses by AD Group Membership

Posted by Nathan O'Bryan MVP, MCSM on Sep 5, 2017 6:00:00 AM

Since the dawn of time (if the dawn of time was in 2011), assigning licenses in Office 365 has been a pain. It has never been complicated, but it has also never been a pleasant experience.

You've always had two options: either manually assign licenses to users from the Office 365 Admin portal, or use PowerShell to bulk assign licenses to large numbers of users. In the first couple of years of Office 365 when most of the customers were small, I primarily just manually assigned licenses in the portal. As larger customers started moving into Office 365, I relied more heavily on PowerShell scripts to assign licenses to Office 365 users en masse.

Microsoft has recently added a third option: assigning licenses to users in Office 365 based on group membership. In this blog post, I'm going to walk you through the process of setting up automatic license assignment based on group membership.

Usage Location

The first hurdle we need to get over is the usage location. Since Office 365 is a worldwide service, and Microsoft does not have legal rights to sell some of those services in some countries, Microsoft needs to ensure that users are in a location where the services are legal before they can allow a license to be assigned to a specific user.

This is not an issue for US-based organizations, but in countries like India, some of the cloud-based telephone services in Office 365 are not legal.

When you are assigning licenses manually or via PowerShell, you have to assign a usage location to each user before you can assign a license. The good news is that when assigning licenses via group membership, users who do not have a usage location specifically assigned will inherit the default usage location from the directory.

Assigning Licenses to a Group

The process of assigning a license to a group is done in the Azure AD portal. Go to the Azure AD blade and select "Licenses."

Next, select "All products" under manage and you'll see a listing of the licenses available within your tenant.

Select the license you want to work with (for this example, I selected E3) and then select "Assign" from the top of the menu.

On the next screen, choose "Select users and/or groups" then choose the group to which you want to assign this license.

Under "Assignment options," you can turn off individual parts of the license that you don't want users to get. For example, I tend to turn off Yammer to protect users from being exposed to that mess. Your mileage may vary.

After the license is assigned, you'll get a notification that the assignment was made.

Currently, there is no indication within the portal showing you what previous license assignments have been made. Hopefully, as this feature matures, Microsoft will add that functionality. I do see this feature referenced in the documentation on TechNet, but I don't see previous license assignments in my tenant.

Troubleshooting Issues

There can be a number of different reasons why a license assignment might fail. The most straightforward reason for a license assignment to fail would be not having enough licenses available in your tenant. The problem with assigning licenses via group membership is that license assignment does not happen right away, so there isn't an error to report immediately.

If you add a user to an on-premises AD group, that group membership change takes 30 minutes to sync to Azure AD, and then the license assignment process behind the scenes takes another 15 minutes (about the average based on my testing in my tenant), it can be difficult to figure out why an assignment failed.

In the Azure AD portal, there is a troubleshooting wizard that you can use to assist with figuring out these issues.

Picture6-3.png

The "Troubleshoot" link on the left takes you to a wizard that will step you through a few issues that may occur. I didn't find it to be super helpful with any of the things I broke in my tenant.

What I do think is most helpful is the audit logs. Below you can see where I assigned the E3 license to the "Executives" group, and where I added a test user to that group and he received an E3 license.

Picture7.png

I've found that going through the audit logs has given me the information I was looking for on all the problems I created in my license assignments.

Additional Scenarios

Here are a few additional scenarios I found while playing with this feature in my tenant.

You cannot directly remove a license that was assigned by group membership. Trying to do so will result in the following error:

Picture8.png

You can manually assign another license to that user. If your new license assignment adds services that user already has (you manually assign an E3 license to a user that already has an E5 license) you won't see an error. This can cause considerable waste, but it does not prevent the user from accessing anything.
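The overlap between direct and group-based assignments described above can be audited from PowerShell. This is an added example, not code from the original post: it assumes the user-object shape returned by the MSOnline module (`Licenses[].AccountSkuId` and `Licenses[].GroupsAssigningLicense`), and the function names, sample users and IDs are constructed for illustration.

```powershell
# Added example: classify each license on a user as Direct, Group, or Direct+Group.
# Assumes the MSOnline user shape: Licenses[].AccountSkuId / .GroupsAssigningLicense.
function Get-LicenseSource {
    param([Parameter(Mandatory)] $User)
    foreach ($lic in $User.Licenses) {
        $sources = @($lic.GroupsAssigningLicense | Where-Object { $_ })
        # Empty list, or the user's own ObjectId in it, means a direct assignment.
        $direct = ($sources.Count -eq 0) -or ($sources -contains $User.ObjectId)
        $groups = @($sources | Where-Object { $_ -ne $User.ObjectId })
        if ($direct -and $groups.Count) { $source = 'Direct+Group' }
        elseif ($direct)                { $source = 'Direct' }
        else                            { $source = 'Group' }
        [pscustomobject]@{
            User = $User.UserPrincipalName; Sku = $lic.AccountSkuId
            Source = $source; Groups = $groups
        }
    }
}

# Hypothetical helper: direct assignments held by users who also inherit a license
# from a group. These are the candidates for the "waste" case to review.
function Get-DirectAlongsideGroup {
    param([Parameter(Mandatory)] [object[]] $Users)
    foreach ($u in $Users) {
        $rows   = @(Get-LicenseSource -User $u)
        $direct = @($rows | Where-Object { $_.Source -ne 'Group' })
        $viaGrp = @($rows | Where-Object { $_.Source -ne 'Direct' })
        if ($direct.Count -and $viaGrp.Count) { $direct }
    }
}

# Constructed sample data (not from a real tenant); all IDs and names are made up.
$execGroup = '11111111-1111-1111-1111-111111111111'
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'
        ObjectId = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'; Licenses = @(
            [pscustomobject]@{ AccountSkuId = 'contoso:ENTERPRISEPREMIUM'; GroupsAssigningLicense = @($execGroup) }
            [pscustomobject]@{ AccountSkuId = 'contoso:ENTERPRISEPACK'; GroupsAssigningLicense = @() }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'
        ObjectId = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'; Licenses = @(
            [pscustomobject]@{ AccountSkuId = 'contoso:ENTERPRISEPACK'; GroupsAssigningLicense = @($execGroup) }) }
)

# Against a live tenant (assumes the MSOnline module and a connected session),
# pass (Get-MsolUser -All) instead of the sample $users.
Get-DirectAlongsideGroup -Users $users | Format-Table User, Sku, Source
```

Only the directly assigned license on a user who also inherits one from a group is reported; whether it is actually redundant still depends on which services each SKU enables.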

As Microsoft adds new services to a license, that new service will automatically be turned on. For example, when Yammer was added to the E3 license that service was just turned on for all users who have E3 licenses assigned. If you want to save users from having to deal with Yammer, you'll need to manually go into Azure AD and change the services that are enabled under that license assignment.

The Wrap-Up

The ability to manage licenses via group membership is a big plus for Office 365 tenants, but this feature is not fully fleshed out yet. There is clearly some additional work that needs to be done before this feature is fully ready. Hopefully, Microsoft will continue to work out the rough spots and give us a great solution for license management.

Either way, the ability to manage license assignment via group membership is a feature I have used with several customers now. Overall, it's a great feature for Office 365.

Topics: Active Directory, Office 365, Office 365 Customization
