Just the other day I wrote a blog post on how you could use Azure AD v2 PowerShell and Dynamic Groups based on extension attributes to set EMS license plans for your cloud and on-premises users, https://gotoguy.blog/2017/02/17/assign-ems-license-with-azure-ad-v2-powershell-and-dynamic-groups/.
And now, User and Group based licensing in the Azure AD Portal has been added in Preview! This is a long-awaited feature, and it works with all of your purchased services, whether it's EMS, Office 365, Dynamics 365, PowerBI or many more.
Let’s take a quick look at the functionality. Based on the above referenced blog post, I will use the same Dynamic Groups, where membership is defined based on values for extension attributes. So I already have configured Dynamic Groups for EMS E3, EMS E5 and Office 365:
The new Licensing functionality has now been added to the Azure AD Preview at https://portal.azure.com:
When I go to the Licenses blade I get a quick overview of my purchased products and the total of assigned licenses:
When I go to All products, a list of my product subscriptions is shown, with an overview of licenses assigned, available and if any are expiring soon:
If I go into one of the products, I will see the already existing licensed users, which in my case are Direct assigned (I did that with the PowerShell script in the previous blog post).
Let’s configure Licensed Groups:
Click + Assign to add a group to license; I will use my Dynamic Group:
Then, at Assignment options, I can optionally configure individual services:
After clicking OK and Assign, the group has been added for processing:
And if I look at Licensed Users again after the change has been processed, I will see that users now have an inherited license based on the group. Of course, the Direct assignments added by PowerShell are not removed, so I will have to remove those later.
In the same way I can add my Office 365 and EMS E5 Dynamic Groups:
By the way, you can go into each group afterwards and look at License status, and Reprocess if needed.
At the Group’s Audit Log we can track the license activity as well:
So there we have it, a long sought-after functionality that I’m sure many organizations will have good use for. As this is in Preview, some more testing should be done before putting it directly into production, and if I find anything special I will update this blog post.
I am sure there will also be an announcement and blog post at the Enterprise Mobility + Security blog shortly: https://blogs.technet.microsoft.com/enterprisemobility/
I have a question. The group based licensing is a very neat tool for allocating existing licenses, but I have found that the “Reprocess button” is not very efficient when dealing with environments that struggle from high levels of user turnover and you are constantly updating the license pool. Are there any other interfaces, like a REST API, I can use to detect and react to situations where the tenant’s lacking available licenses?
You could use the Microsoft Graph, and for example the Beta method for getting subscribedSkus. This will return consumed units, something it would be possible to report on. https://graph.microsoft.com/beta/subscribedSkus
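
The reporting idea from the reply above, as an added example that is not part of the original post or its comments: it reads a subscribedSkus response and flags products that are running out of licenses before a licensed group fails to assign them. The function name `Get-LicenseHeadroom`, the `MinimumFree` threshold, the `$token` variable and the sample numbers are assumptions made for illustration.

```powershell
# Constructed sample shaped like a GET /subscribedSkus response (all numbers invented).
$sampleJson = @'
{ "value": [
  { "skuPartNumber": "EMS", "capabilityStatus": "Enabled", "consumedUnits": 248,
    "prepaidUnits": { "enabled": 250, "suspended": 0, "warning": 0 } },
  { "skuPartNumber": "EMSPREMIUM", "capabilityStatus": "Enabled", "consumedUnits": 100,
    "prepaidUnits": { "enabled": 100, "suspended": 0, "warning": 0 } },
  { "skuPartNumber": "ENTERPRISEPACK", "capabilityStatus": "Warning", "consumedUnits": 75,
    "prepaidUnits": { "enabled": 0, "suspended": 0, "warning": 75 } }
] }
'@

function Get-LicenseHeadroom {
    param(
        [Parameter(Mandatory)] $SubscribedSkus,  # parsed response object
        [int] $MinimumFree = 5                   # alert threshold (assumption)
    )
    foreach ($sku in $SubscribedSkus.value) {
        # Only "enabled" units can be assigned; units in warning or suspended
        # state belong to a subscription that has lapsed or is about to.
        $free = $sku.prepaidUnits.enabled - $sku.consumedUnits
        $state = if ($sku.capabilityStatus -ne 'Enabled') {
            'SubscriptionNotEnabled'
        } elseif ($free -le 0) {
            'Exhausted'
        } elseif ($free -lt $MinimumFree) {
            'Low'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Sku      = $sku.skuPartNumber
            Enabled  = $sku.prepaidUnits.enabled
            Consumed = $sku.consumedUnits
            Free     = $free
            State    = $state
        }
    }
}

# Live call, assuming $token already holds a Graph access token that may read the directory:
# $skus = Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/subscribedSkus' `
#             -Headers @{ Authorization = "Bearer $token" }
$skus = $sampleJson | ConvertFrom-Json

Get-LicenseHeadroom -SubscribedSkus $skus -MinimumFree 5 |
    Where-Object State -ne 'OK' |
    Format-Table -AutoSize
```

With the sample data all three products are reported: EMS as Low, EMSPREMIUM as Exhausted and ENTERPRISEPACK as SubscriptionNotEnabled.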