Azure AD Group Based Licensing

As opposed to assigning cloud-based licenses on a per-user basis, or scripting license assignment against a security group with PowerShell, Azure's group-based licensing is easy to set up and will save a lot of time.
This setup is ideal for organizations that hold a number of licenses for different types of users. It is also beneficial when not all features need to be activated for a given user group or type to perform their specific role.

Requirements
The admin account that creates the groups should have Office 365 E3 or A3
OR
The account that creates the groups should have Azure AD Premium P1

Group types that can be used
Azure AD security groups / security-enabled distribution groups
Security groups / security-enabled distribution groups synced from the on-prem AD

Ways to do it
Manually – add users to the group and they receive the license allocated to that group
Dynamically – depending on the user's attributes, the user becomes a member of the group (dynamic groups require an Azure AD Premium P1 license)

More on Azure Dynamic Groups
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-create-rule

Use case
In my scenario, I have on-premises synced users in my Azure AD. I will create the security group in the on-prem AD and sync it to Azure AD.
Anyone who is a member of this group should get Office 365 E3 and Visio Plan 2.

1. Create the Group in AD and perform a Sync

How the Office 365 Admin Center shows the synced group


2. License assignment
Go to https://aad.portal.azure.com
Go to Azure Active Directory tab
Go to the Groups blade
Search the Group
Go to Licenses

Click on Assignments

Select the available licenses for your tenant. I have selected Office 365 E3 and Visio Plan 2 as per my requirement

You can customize the license features further by reviewing the license options on the right-hand side, so that only the selected features are assigned to the group and to the members in it.

After assigning the licenses to the group, it might take a few minutes before the assignment is visible in the console.

From now on, whenever you add a user to this security group in the on-prem AD, the group membership is synced to Azure AD at the next sync, and the member then receives the licenses according to the assignment made above.

This is how the user is visible in that group after the sync

Two things I would like to note here.
1. State – Conflicting Service Plans – this means one or more features in one license are already available in another assigned license.
2. Assignment Paths – Inherited (Azure-Lic-E3) is the group assignment.
Direct – is a license that was assigned manually from the M365 Admin Center.

To resolve the issue shown in the State column, go to one of the assigned licenses and check for errors.

To rectify this…
Go to the Azure Active Directory > Groups > Licenses > Click on the license that has duplicated features and switch them off > Save > click on Reprocess button on top.
If there are more errors, it will give you a prompt so you can follow that to resolve it.

Make sure you have enough licenses as well. If not, buy them first, and once they are visible in the portal, click on Reprocess.

Once the errors are sorted, the status changes to Active, and whenever you add a user to this group the license assignment happens automatically, which removes one step from the user cloud-enablement process.
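The State, Assignment Path and license-count checks above can also be audited across the whole tenant from the command line. The script below is an added example (not from the original post) using the Microsoft Graph PowerShell SDK with read-only scopes; it assumes the Microsoft.Graph module is installed and the signed-in account can read users, groups and subscribed SKUs.

```powershell
# Added example: report every user whose license assignment is not cleanly Active,
# showing whether it is Direct or Inherited (<group>) and which error blocks it.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Organization.Read.All"

# Map SKU ids to readable part numbers and warn when a SKU has no capacity left,
# since a CountViolation ("not enough licenses") stops group-based assignment.
$skus = @{}
foreach ($sku in Get-MgSubscribedSku) {
    $skus[$sku.SkuId] = $sku.SkuPartNumber
    $free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($free -le 0) {
        Write-Warning ("{0}: {1} of {2} units consumed, no capacity left" -f `
            $sku.SkuPartNumber, $sku.ConsumedUnits, $sku.PrepaidUnits.Enabled)
    }
}

# Cache group display names so inherited assignments read like the portal does.
$groupNames = @{}
$users = Get-MgUser -All -Property Id, UserPrincipalName, LicenseAssignmentStates
$report = foreach ($user in $users) {
    foreach ($las in $user.LicenseAssignmentStates) {
        # AssignedByGroup is empty for a Direct assignment, a group id when Inherited.
        $path = "Direct"
        if ($las.AssignedByGroup) {
            if (-not $groupNames.ContainsKey($las.AssignedByGroup)) {
                $groupNames[$las.AssignedByGroup] = (Get-MgGroup -GroupId $las.AssignedByGroup).DisplayName
            }
            $path = "Inherited ($($groupNames[$las.AssignedByGroup]))"
        }
        $skuName = $las.SkuId
        if ($skus.ContainsKey($las.SkuId)) { $skuName = $skus[$las.SkuId] }
        [pscustomobject]@{
            User           = $user.UserPrincipalName
            Sku            = $skuName
            AssignmentPath = $path
            State          = $las.State   # Active, ActiveWithError, Disabled, Error
            Error          = $las.Error   # e.g. MutuallyExclusiveViolation (conflicting plans), CountViolation
        }
    }
}

# Show only rows that need attention, i.e. anything not Active or carrying an error.
$report |
    Where-Object { $_.State -ne "Active" -or ($_.Error -and $_.Error -ne "None") } |
    Sort-Object User, Sku | Format-Table -AutoSize
```

A MutuallyExclusiveViolation row corresponds to the Conflicting Service Plans state in the portal; fix it by disabling the duplicated plan on the group's license and clicking Reprocess, as described above.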

Featured image: Office Vectors by Vecteezy
