Microsoft Licensing the Easy way: Use Security Groups!


By now, most people probably have their own methods or scripts for managing Microsoft licensing. Even so, I felt it was worth sharing my preferred method for this, because it is so easy to do. Recently I read a post on Reddit talking about how some folks were unaware using Security Groups was even possible for licensing. Let me assure you, not only is it a thing, but it is a life saver for a few different reasons. Keep reading to learn how you can manage Microsoft licensing with Azure Groups.

In this case, we are talking about leveraging the power of groups to manage Microsoft licensing. Now you may wonder why bother, since you can just check the boxes on new employees and then they have exactly what they need. For smaller firms, it may seem like it is a bigger pain to set up than it is worth. For larger firms, you may think they need to be too custom to justify groups, as you would end up with a million different groups. (Chances are, a large organization already has this problem anyways, but that’s a different discussion.) I’ll start by giving you my top 3 reasons why you should do this, then we will go into the steps to set it up.

DISCLAIMER

Please understand that the content herein is for informational purposes only. Its existence and contents shall not create an obligation or liability, or suggest a consultancy relationship. Furthermore, such shall be considered as is, without any express or implied warranties, including but not limited to express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment about the content within the services, the specific functions of the services, or their reliability, applicability or ability to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk.

Table of Contents

Three Reasons why YOU SHOULD be Managing Microsoft Licensing via Group Membership
How to Configure Microsoft Licensing for Management via Groups
How to Make License Assignment via Security Group more Powerful
Conclusion


Three Reasons why YOU SHOULD be Managing Microsoft Licensing via Group Membership

  1. Consistency
  2. Onboarding/Offboarding
  3. Scalability

#1 – Consistency

If you haven’t figured it out yet, consistency is a key factor in reducing the number of steps in troubleshooting many things in IT and reducing the overall number of support tickets your Help Desk will get. Configuring every employee account the same way immediately eliminates things you need to look at for troubleshooting. Licensing is no different. When you assign licenses to users individually, via the check boxes in the Admin Center, then there is a risk you miss one, or add an extra. This just increases the chances that someone gets something they shouldn’t or doesn’t get something they should. Both cases likely lead to future support issues.

#2 – Onboarding/Offboarding

Licensing via group membership means that new employees just get added to another group or two during account creation. If you work in a smaller organization, that probably means copying someone else’s account, and then making the changes that need to be made. (This process includes group membership, so you already have that portion taken care of.) This automates one step of the onboarding process. You can assign certain departments specific licenses based on a departmental group. You can base the license group on the department rather than on the applications it contains, making it more consistent (there’s that word again) yet still custom. Everyone in that department gets the same license as a baseline.

Offboarding is even easier. If you aren’t offboarding via PowerShell script, you should be. There are so many other great articles out there about it, and you can customize their scripts to match what you need. But I promise you, removing someone from a group in PowerShell is easier than retrieving assigned licenses and removing them. Assigning all licenses using a group means they all get removed during offboarding. It will manage itself.

#3 – Scalability

Now to me, it doesn’t matter if you are in a large or small IT department, scalability is important. Every organization tries to keep overhead costs low, and IT is usually one of the biggest ones. Having the flexibility to scale without hiring more bodies will always make the executives happy. And if you work for a company that expects you to be a one administrator type show, then scalability will make your own life easier. Whether you are onboarding one person, or 25 people, the process is the same. Adding 25 people to a group takes only marginally longer than adding one.

Not to mention that if you have the capability and the budget, you can automate that process. Have your ticket system add someone to an AD group for you when they submit a ticket. Enable your Help Desk staff to assign licenses without Admin Center access because they can add users to certain groups. Any time you can create a process that allows complex or protected processes to be performed safely at a lower skill level, you are winning. Giving the level one Help Desk tech the ability to handle simple license tickets means you can go back to figuring out the other 45 fires burning at the moment. Groups enable this behavior.

Convinced? Ready to move on to the reason you came here? Let’s go.


How to Configure Microsoft Licensing for Management via Groups

In general, this works with any kind of Security Group available to you in your Azure tenant. Azure AD Security Groups, Mail-Enabled Security Groups, and On-Prem AD security groups all work with this. Additionally, you should be able to do this with a Microsoft 365 group, but personally I haven’t done it yet. If you are creating user accounts on premises (because you are configured for hybrid with Azure AD Connect), then it is easier to add licenses to groups created on premises. Assigning licenses with on-premises AD Groups licenses accounts before they are synced to the cloud. For Microsoft’s Official process, check here.

Configuration Steps

  1. Sign into Azure AD, and navigate to “Groups”. (You must have License Administrator or Global Administrator privileges.)
  2. Find the group you plan to assign licenses to. Alternatively, create the group if it doesn’t already exist. Here I have my standard license group, which will get the baseline license that every employee gets.

     Azure Portal for Azure AD Groups

  3. Click on the “Licenses” tab to see available licenses. We will click “Assignment” to assign a license.

     Assign Microsoft Licensing in Azure Portal

  4. Under Assignments, select the license and the specific check box items you want to have assigned to a baseline employee. In this case, I am actually selecting all as I want all employees to have the full E5 EMS license. Hit save once you have selected everything you want.

     Microsoft Licenses

  5. When you return to the properties of the group itself, you should now see assigned licenses under the Licenses tab.

     Microsoft licensing assigned to a group

That’s it! The next step is to confirm the licenses are getting passed down. So go to “Users” in Azure AD and find a user in the group you assigned licenses to. Once you find that user, click on their licenses tab, and see what they have assigned.

Proof of license assignment

The key thing to note here is that the License assignment path is Inherited, with the group name of “Standard License”. This means you have done it correctly, and anyone who gets assigned to that group will get licensed accordingly. Try removing that license from that user. Removing it will fail because the license isn’t directly assigned.
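The check above, and the offboarding claim in reason #2, both depend on every license arriving through a group: a directly assigned license stays on the account after the user leaves the group. The following added example (not from the original post) reports direct assignments and group assignments that failed to apply; the users, IDs and the `Get-LicenseAssignmentPath` and `New-State` names are constructed for illustration.

```powershell
# Added example. Classifies each license on a user as Direct or Inherited, using
# the shape of Microsoft Graph's licenseAssignmentStates property.
function Get-LicenseAssignmentPath {
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$User)
    process {
        foreach ($u in $User) {
            foreach ($s in $u.LicenseAssignmentStates) {
                [pscustomobject]@{
                    User    = $u.UserPrincipalName
                    SkuId   = $s.SkuId
                    # AssignedByGroup is empty when the license was assigned directly
                    Path    = if ([string]::IsNullOrEmpty($s.AssignedByGroup)) { 'Direct' } else { 'Inherited' }
                    GroupId = $s.AssignedByGroup
                    State   = $s.State
                    Error   = $s.Error
                }
            }
        }
    }
}

# Constructed sample data (placeholder IDs, made-up users).
$sku = '00000000-0000-0000-0000-0000000000e5'   # placeholder SKU id
$grp = '11111111-1111-1111-1111-111111111111'   # placeholder id of the "Standard License" group
function New-State($Group, $State = 'Active', $Err = 'None') {
    [pscustomobject]@{ SkuId = $sku; AssignedByGroup = $Group; State = $State; Error = $Err }
}
$users = @(
    # alice: licensed only through the group (the desired state)
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; LicenseAssignmentStates = @(New-State $grp) }
    # bob: checkbox-assigned; removing him from any group will not free this license
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   LicenseAssignmentStates = @(New-State $null) }
    # carol: in the group, but the tenant had no free seats, so nothing was applied
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; LicenseAssignmentStates = @(New-State $grp 'Error' 'CountViolation') }
    # dave: same SKU both inherited and direct; the direct copy survives offboarding
    [pscustomobject]@{ UserPrincipalName = 'dave@example.com';  LicenseAssignmentStates = @((New-State $grp), (New-State $null)) }
)
# Against a live tenant (Microsoft Graph PowerShell SDK), replace $users with:
#   Connect-MgGraph -Scopes 'User.Read.All'
#   $users = Get-MgUser -All -Property UserPrincipalName,LicenseAssignmentStates

# Rows that need attention: direct assignments and group assignments not in Active state.
$users | Get-LicenseAssignmentPath |
    Where-Object { $_.Path -eq 'Direct' -or $_.State -ne 'Active' } |
    Format-Table User, Path, State, Error -AutoSize
```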


How to Make License Assignment via Security Group more Powerful

Dynamic User Security Groups

One of the easiest ways to add additional power to this license method is based on the use of security groups with Dynamic Group membership. For example, I have a group called “Project Managers” which is a Dynamic User Group that adds members based on the Job Title of “Project Manager”. This means that if someone gets a promotion, and their new job title is “Project Manager” then they will automatically get the additional licenses they need to do their job.

Dynamic Member groups

Help Desk Automation

Many modern ITSM solutions offer some levels of automation for AD or Azure AD. One example of this is the Fresh Service Orchestration tool. When this is possible, you should look to leverage this capability. In some cases, you may just have it so that users submit a ticket, and the system assigns them to the appropriate group, and closes the ticket. Full service with no human interaction. Or where applicable, now your Help Desk team can get those tickets, and resolve the issue at their level because they just add them to the right group. Either way, the problem was handled at the lowest level, and you (the admin) didn’t have to be involved at all.
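With dynamic groups and Help Desk delegation, whoever can change the attribute named in the rule, or the group's membership, decides who receives a license. This added example (not from the original post) lists each licensing group with what drives its membership; the `Get-LicenseGroupDriver` name, the group objects and the SKU id are constructed, and the rule text is an assumed rule for the “Project Managers” group described above.

```powershell
# Added example. For every group that carries a license, report whether its
# membership is dynamic and which user attributes the rule reads.
function Get-LicenseGroupDriver {
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$Group)
    process {
        foreach ($g in $Group) {
            if (-not $g.AssignedLicenses) { continue }   # not a licensing group
            $dynamic = $g.GroupTypes -contains 'DynamicMembership'
            $attrs = if ($dynamic) {
                # Collect every user.<attribute> reference in the membership rule
                [regex]::Matches([string]$g.MembershipRule, 'user\.(\w+)') |
                    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
            }
            [pscustomobject]@{
                Group      = $g.DisplayName
                Membership = if ($dynamic) { 'Dynamic' } else { 'Assigned' }
                DrivenBy   = if ($dynamic) { $attrs -join ', ' } else { 'manual membership changes' }
                Rule       = $g.MembershipRule
            }
        }
    }
}

# Constructed sample data in the shape of Microsoft Graph group objects.
$lic = @([pscustomobject]@{ SkuId = '00000000-0000-0000-0000-0000000000e5' })   # placeholder SKU id
$groups = @(
    [pscustomobject]@{ DisplayName = 'Standard License'; GroupTypes = @(); MembershipRule = $null; AssignedLicenses = $lic }
    [pscustomobject]@{ DisplayName = 'Project Managers'; GroupTypes = @('DynamicMembership')
                       MembershipRule = '(user.jobTitle -eq "Project Manager")'; AssignedLicenses = $lic }
    # A group without licenses is skipped by the function
    [pscustomobject]@{ DisplayName = 'Lunch Club'; GroupTypes = @(); MembershipRule = $null; AssignedLicenses = @() }
)
# Against a live tenant (Microsoft Graph PowerShell SDK), replace $groups with:
#   Connect-MgGraph -Scopes 'Group.Read.All'
#   $groups = Get-MgGroup -All -Property DisplayName,GroupTypes,MembershipRule,AssignedLicenses

$groups | Get-LicenseGroupDriver | Format-Table -AutoSize -Wrap
```

Reading the `DrivenBy` column against who may edit those attributes or memberships (HR sync, the ticket system's service account, Help Desk roles) shows which identities can grant a license.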


Conclusion

I hope you found this useful. I know it is probably longer than it needs to be, but I feel strongly about this topic. There are so many reasons I didn’t even cover for why this is in everyone’s best interests, and it took me a few extra words to get that point across. Whether you use broad adoption, or just small niche examples, there are benefits that make this process worthwhile.

Hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
