One of the top requests we hear from Azure AD and Office 365 is for richer tools to manage licenses for Microsoft Online Services like Office 365 and the Enterprise Mobility + Security. Admins need easier tools to control who gets a product license and which services are enabled. Some customers have even had to delay service roll-outs as they struggled to find a reliable solution that works at scale.
Today, we’re happy to be able to fulfill this request by announcing the public preview of a much-anticipated new capability in Azure AD: group-based license management! With this new feature you can define a “license template” and assign it to a security group in Azure AD. Azure AD will automatically assign and remove licenses as users join and leave the group.
This preview also includes the highly-requested ability to selectively disable service components in product licenses, making it possible to stage the deployment of large service suites such as Office 365 Enterprise E5.
Keep reading to get an overview of this new capability, or dive straight into our detailed documentation.
Here are a few key facts about group-based license management:
- Licenses can be assigned using any “security group” in Azure AD, whether synced from on-premises or created directly in Azure AD.
- All Microsoft Online Services that require user-level licensing are supported.
- The administrator can disable one or more service components when assigning a license to a group. This allows staged deployments of rich products like Office 365 Enterprise E5 at scale.
- The feature is only available in the Azure portal.
- Licenses are typically added or removed within minutes of a user joining or leaving a group.
There are more details below, or, if you’re ready to dig in, just jump straight into our new license management experience in the Azure portal. That’s right, no more going back to the classic portal to license your EMS or Azure AD users! If you’re not using Azure AD Basic or above, sign up for a trial.
Easily assign licenses to many users
To assign a license, just choose an individual user or a group. In the example below, I’m rolling out the Office 365 Enterprise E3 suite to all information workers in the organization. Since I’m doing a staged rollout, I will initially enable only a handful of online services in the suite:
After all users in the group are processed they will inherit licenses from the Information Workers group.
From now on, any newly added group members will be licensed, and when they leave the group the license will be removed from them. You can do more cool things with this, like have users inherit licenses from multiple groups at the same time. Check out this article to learn more about how this functionality works.
Automate even more with dynamic group membership
If you have an Azure AD Premium P1 subscription you can combine dynamic group membership with license management to create an automated license management flow.
Here is an example of two groups that look at extensionAttribute1 and assign licenses based on its value:
“O365 E5 – base services”
“EMS E5 – licensed users”
A user with attribute value of “EMS;E5_baseservices;” automatically inherits both licenses:
This functionality keeps you from having to write and maintain scripts to manage licenses and group memberships. All the heavy lifting is done in the cloud, by Azure AD!
Find out more about how to use these features.
Let your users sign up for licenses!
As the admin, you control license assignment in Azure AD, but you can choose to open a group for users so you don’t have to be involved in managing a certain product, like Power BI (free).
With Azure AD Premium P1, you can use the powerful self-service management features directly in the cloud to let users decide if they need product licenses by requesting to join a group.
How can I try it?
Visit the Azure portal and give the license management experience a try!
While group-based license management is in public preview you will need an active subscription for Azure AD Basic (or above) in your tenant to assign licenses to groups. If you don’t have one, just sign up for an Enterprise Mobility + Security trial. Later, when this functionality becomes generally available it will be included in Office 365 Enterprise E3 and similar products.
As with all previews there are some limits to what we currently support. You can find details about those limitations in our documentation, which we will be updating consistently as things change.
Let us know what you think by leaving a comment below or emailing the Azure AD License Management team. We look forward to hearing from you!
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division