Preparing your environment for the cloud

Licensing your users

Once a cloud user has been created, and you have started synchronizing identities to your tenant, you will need to assign licenses to your users before they can begin consuming Microsoft 365 services.

Licensing plans and subscriptions were explained in detail in Chapter 1, though there are several methods available for licensing users in Microsoft 365. It is important to understand each available method so you can pick the best option for you. Currently, there are three primary methods for license assignment in Microsoft 365:

  • Azure Active Directory group–based licensing

  • PowerShell licensing cmdlets included in the MSOnline PowerShell module

  • Manual licensing via the Microsoft 365 portal

Group-based licensing

One of the most popular features available for licensing in Microsoft 365 is group-based licensing, commonly referred to as GBL.

Group-based licensing is a feature that requires either Azure AD Premium Plan 1 or Azure AD Premium Plan 2. It is one of the quickest, easiest, and most effective ways to manage Azure AD licenses. As the name implies, group-based licensing uses Azure AD groups for the assignment of licenses to users.

Licenses are assigned to either security groups, which are synchronized to Azure via the Azure AD Connect tool, or to cloud-only groups created directly in Azure.

In the example shown in Figure 2-33, an on-premises security group and its membership have been synchronized to Azure AD, and the Exchange Online Enterprise E3 license is assigned (1 of 26 enabled services).

Figure 2-33 Group-based license assignment in the Azure portal

Additionally, dynamic groups can be created in the Azure portal and configured to define membership based on synchronized attributes. The creation of Azure AD dynamic groups, shown in Figure 2-34, requires an Azure AD Premium license.

Figure 2-34 Creating a dynamic group in the Azure portal

Once a dynamic group has been created in the Azure portal, the group can then be used for automatic license assignment via group-based licensing, as shown in Figure 2-35.

Figure 2-35 Assigning licenses to an Azure dynamic group

It is important to note the following details regarding Azure AD group-based licensing:

  • All existing Microsoft Azure license types are supported by Azure AD group-based licensing.

  • Group membership updates made in on-premises groups synced to Azure AD are effective within just a few minutes of a membership change.

  • Users can be members of multiple groups, and licenses across groups are combined.

  • If no licenses are available within the tenant, group-based licensing will be unable to assign licenses to a user, and no error will be returned.

  • Licenses assigned via a group cannot be manually removed via PowerShell or the portal.

  • Users can have licenses assigned via multiple groups or direct assignment (PowerShell and manual).

  • Users can have licenses through multiple means, such as manual licensing applied through PowerShell or group-based licensing.

PowerShell licensing

The second licensing method is using the provided PowerShell cmdlets in the Azure Active Directory PowerShell for Graph module.

This PowerShell module includes several cmdlets that can be used for user license assignment in Azure AD. These cmdlets can assign users SKUs and enable or disable specific plans under the SKU.

  1. All users must have a Usage Location assigned to be licensed. Define the list of sub-plans that you wish to have disabled (not enabled) and assign the options directly to the user.

  2. A user’s Usage Location is set automatically via the AAD Connect tool, provided the msExchUsageLocation value in the on-premises Active Directory is populated with a valid two-letter ISO country code. If the value is not set, the AAD Connect tool can be customized to synchronize any other Active Directory attribute (such as CountryCode) as Usage Location, provided it is a valid two-letter ISO country code.

  3. If the Usage Location is not set via AAD Connect, it can be set programmatically using the Azure Active Directory PowerShell for Graph cmdlets as follows:

    Set-AzureADUser -ObjectID userUPN@domain.com -UsageLocation YY

    In the example shown in Figure 2-36, the user Pilar Ackerman’s Usage Location has been set to US.

    Figure 2-36 Setting UsageLocation via PowerShell

  4. Next, it is necessary to retrieve a list of Subscribed SKUs available in the tenant; these can be identified using the following command:

    Get-AzureADSubscribedSku

  5. As shown in Figure 2-37, the Get-AzureADSubscribedSku command returns a list of the SkuIds and their ObjectIds for licenses available in the tenant.

    Figure 2-37 Returning a list of Azure SKUs available in a tenant

  6. Next, it is necessary to retrieve a list of service plans available for a particular SKU so they can be assigned to a user. The list of service plans available can be displayed using the following command:

    Get-AzureADSubscribedSku -ObjectID <ObjectID of the desired SKU>

  7. In Figure 2-38, you can see that the Get-AzureADSubscribedSku command is used in conjunction with a Select statement to return a list of service plans.

    Figure 2-38 Returning a list of service plans from a SubscribedSku

  8. Once a SubscribedSku Object ID and service plan name have been identified, the license can be assigned to a user with the following command:

    Set-AzureADUserLicense -ObjectID <user UPN> -AssignedLicenses $LicenseObject

  9. To create the LicenseObject needed for license assignment, it is necessary to create an Azure AD License object that can be applied to the user. In Figure 2-39, you can see the steps necessary to set the License and LicenseObject.

    $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $License.SkuId = "SkuID of the license you wish to assign"
    $Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $Licenses.AddLicenses = $License

    Figure 2-39 Creating a LicenseObject for user assignment

  10. Finally, the License object created in the previous step can be used with the following command to assign the License object to the user, as shown below and in Figure 2-40:

    Set-AzureADUserLicense -ObjectID <User UPN> -AssignedLicenses $Licenses

    Figure 2-40 Assigning a license to a user with PowerShell
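
The ten steps above can be combined into one script that also disables unneeded service plans (step 1) and stops if the tenant has no free licenses. This is an added example, not code from the original text; the UPN, SKU part number, and service plan names are assumed placeholder values, and an authenticated Connect-AzureAD session is assumed.

```powershell
# Added example. Assumes the AzureAD module is installed and Connect-AzureAD has been run.
# All values below are constructed placeholders; replace them for your tenant.
$UserUpn        = 'pilar.ackerman@example.com'     # hypothetical user
$UsageLocation  = 'US'                             # two-letter ISO country code
$SkuPartNumber  = 'ENTERPRISEPACK'                 # assumed SKU subscribed in the tenant
$PlansToDisable = @('SWAY', 'YAMMER_ENTERPRISE')   # assumed service plan names to leave off

# Steps 4-7: locate the SKU and confirm a license is free before assigning.
$Sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $Sku) { throw "SKU '$SkuPartNumber' is not subscribed in this tenant." }
$Free = $Sku.PrepaidUnits.Enabled - $Sku.ConsumedUnits
if ($Free -lt 1) { throw "No free '$SkuPartNumber' licenses ($($Sku.ConsumedUnits) consumed)." }

# Step 1: translate plan names to ServicePlanIds; fail on a name the SKU does not contain.
$DisabledIds = foreach ($Name in $PlansToDisable) {
    $Plan = $Sku.ServicePlans | Where-Object { $_.ServicePlanName -eq $Name }
    if (-not $Plan) { throw "Service plan '$Name' is not part of '$SkuPartNumber'." }
    $Plan.ServicePlanId
}

# Steps 2-3: set the Usage Location only when synchronization has not populated it.
$User = Get-AzureADUser -ObjectId $UserUpn
if (-not $User.UsageLocation) {
    Set-AzureADUser -ObjectId $UserUpn -UsageLocation $UsageLocation
}

# Steps 8-10: build the license object and assign it to the user.
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = $Sku.SkuId
$License.DisabledPlans = $DisabledIds
$Licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$Licenses.AddLicenses = $License
Set-AzureADUserLicense -ObjectId $UserUpn -AssignedLicenses $Licenses

# Read the user back and confirm the SKU and disabled plans were applied.
$Assigned = (Get-AzureADUser -ObjectId $UserUpn).AssignedLicenses |
    Where-Object { $_.SkuId -eq $Sku.SkuId }
if (-not $Assigned) { throw "License was not applied to $UserUpn." }
$Assigned | Select-Object SkuId, DisabledPlans
```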

Manual license assignment

The final method available for license assignment is using the Microsoft 365 portal to assign user licenses manually.

Manual license assignment can be done on an individual user basis by selecting the user and editing assigned licenses or by selecting multiple users, as shown in Figure 2-41.

Figure 2-41 Bulk user license assignment via the Microsoft 365 portal

While the ability to assign user licenses is available via the Microsoft 365 portal for both individual and bulk assignment, it does not typically scale well for large organizations with many thousands of users. It also does not scale well with licensing requirements, because those requirements can create the need to assign licenses in various combinations based on role, location, or department.

This is why the manual assignment of licenses should be used on an ad-hoc basis and as a supplement to one of the other options for license assignment.