Automate automate automate, that should be part of my job title. In this post I’m going to talk about a lesser known feature of Azure AD, which is now available to anyone with A3/E3 or above, group based licensing.
With Microsoft’s retirement of the AzureAD and MSOL modules (replaced with MSGraph) you will need to update your provisioning/licensing scripts for Microsoft 365. Why not just ditch the scripts all together? Well you can if you use Group Based Licensing.
Let’s get the small print out of the way first
You must have one of the following licenses for every user who benefits from group-based licensing:
- Paid or trial subscription for Azure AD Premium P1 and above
- Paid or trial edition of Microsoft 365 Business Premium or Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 for GCCH or Office 365 E3 for DOD and above
Small print out of the way, lets explain what we are doing. Group based licensing assigns license(s) to a group, and Azure AD will take care of the rest, sounds simple and it mostly is, but as always there is some caveats to be aware of:
Dynamic groups can massively help you mass populate a group for staff and/or students which we can use for the mass licensing. Azure AD will update the membership as things change in your tenant.
In Azure AD create a new security group (can be a Microsoft 365 group if you want a team/group/distribution list), set it to use Dynamic User membership and create the dynamic query to use. You can find a list of properties you can query in Microsoft Docs.
You’ll need a property on a user to define the dynamic rule, I’m going to use Job Title for mine, one group will be jobTitle -eq “Student” and another will be jobTitle -ne “Student”.
In the screenshot above you can see in the Staff group we have everyone except Pradeep who’s job title is Student. The student group will be the oposite way round.
Repeat for student (or undergrad/post grad, etc) to get the main groups.
You don’t have to use Dynamic groups but they help in situations like this.
If, like Jisc, you sync your users from on premise and you your tenant location is different from the usage location (e.g. Ireland/Netherlands instead of UK) you may need to create an AAD Connect Rule to set this. This can happen if you setup your 365 tenant quite some time ago.
Group based licensing needs the usage location set or it will use the tenant location which maybe wrong in some cases to set the usage location when assigning licenses.
To do this, and also set the preferred data location, follow the guide on Microsoft’s Docs for Configuring Preferred Data location. Add this rule in Step 6:
- To set everyone to a single usage location you can use:
Flow type Target attribute Source Apply once Merge type Constant usageLocation GB Unchecked Update
- To use the Preferred Data Location if it’s set you can use:
Flow type Target attribute Source Apply once Merge type Direct usageLocation preferredDataLocation Unchecked Update
You will need to ensure you have enough licenses to apply via group based licensing, you will need to monitor the licenses pane in AAD for details on this.
You will get a yellow banner in the license overview pane if there are any issues.
Direct assigned licenses
Whilst this won’t cause an issue, you may want to remove direct assigned licenses from all users once Group based relicensing is in full swing.
In Education there is some more leeway on this one, but you want to make sure you don’t get licensing conflicts (e.g. A1 and A5 assigned to 1 user). You will get errors in the yellow banner in the licenses overview pane.
If you have a Teams telephony users group for instance, just have the addon licenses in there, not the Teams licenses, use a wider group to assign that, but also make sure you don’t assign an addon license to a A5/E5 user, that’s just wasting a license.
Group Based Licensing
So you’ve read through the above caveates and ready to proceed…
In the group you have created you can now click on the Licenses pane, + Assignments and add the license to the group, you can even use this wizard to remove components from the license (No Microsoft kaizala for instance)
Save and your done. You can reprocess from the licenses screen anytime.
You can see from the main licenses pane the status, I have a green tick here, but any errors will show a clickable yellow banner.
You should now see users with the Inherited license assignment type. You may see users with Inherited, Direct. This means they have a legacy direct assignment, you can go into that user, and remove the license and the group based inherited will take over.
Group based licensing is a very powerful tool, and it’s my recommendation to use it where possible. In your scripting you could populate a group and then license against that group, or manually add users to a group.
For help/support/advice reach out to your Jisc Relationship Manager for a consult or join the Office 365 Managers JiscMailing list.