Manage Licenses in Azure AD

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

Licenses are necessary for Microsoft’s premium cloud services like Dynamics 365, Enterprise Mobility + Security, and Microsoft 365. Each user who requires access to these services is given a license. Administrators use PowerShell cmdlets and one of the administration portals (Office or Azure) to manage licenses. The foundational technology that allows identity management for all Microsoft cloud services is called Azure Active Directory (Azure AD). Information about the user’s license assignment states is stored in Azure AD.

Up until recently, licences could only be distributed to specific users, which can make managing large-scale operations challenging. An administrator frequently needs to create a complicated PowerShell script in order to add or remove user licenses based on organizational changes, such as users joining or departing the company or a department. Individual calls to the cloud service are made by this script.

Group-based licensing is now a feature of Azure AD to help with these issues. A group may be given access to one or more product licenses. Azure AD makes sure that the licenses are distributed to each group member. Any new members are given the proper licenses as soon as they join the club. Those licenses are taken away when they leave the group. With the help of this licensing management, it is no longer necessary to automate license management using PowerShell to take account of changes in the organizational and departmental structure on an individual user basis.

License requirements

To use group-based licensing, you must own one of the following licenses:

  • Azure AD Premium P1 and above subscription, whether it is paid or trial
  • Office 365 Enterprise E3, Office 365 A3, Office 365 GCC G3, Office 365 E3 for GCCH, or Office 365 E3 for DOD and above, whether they are paid or trial editions.


Number of licenses necessary

You are required to have a license for each individual member of any group to which one has been granted. You don’t have to give each member of the group a license, but you do need to have enough licenses to cover everyone. For instance, in order to comply with the licensing agreement, you must have at least 1,000 licenses if your tenant has 1,000 unique members that are a part of licensed groups.


Features –

These are group-based licensing’s key characteristics:

  • Security groups can be synced from on-premises via Azure AD Connect, and licenses can be assigned to any security group in Azure AD. Additionally, you can automatically build security groups using the Azure AD dynamic group functionality or directly in Azure AD (also known as cloud-only groups).
  • The administrator can disable one or more of the product’s service plans when a product license is given to a group. This task is typically performed when the company is not yet prepared to begin employing a service that is a part of a product. For instance, the administrator might provide department access to Microsoft 365 while momentarily turning off the Yammer service.
  • Support is provided for all Microsoft cloud services that demand user-level licensing. All Microsoft 365 products, Enterprise Mobility + Security, and Dynamics 365 are all supported by this service.
  • Only the Azure portal presently offers group-based licensing.
  • Changes in group membership that result in license revisions are automatically managed by Azure AD. Usually, licensing changes take effect right away after a membership change.
  • Multiple groups with different license policies that one user can join. Additionally, a user may have some licenses that were given to them directly and independent of any groups. All assigned product and service licenses combine to create the final user state. If a user receives the same license from several sources, the license will only be used once.
  • Licenses occasionally cannot be given to a user. For instance, the tenant may not have enough licenses available, or incompatible services may have been assigned at the same time. Administrators have access to data on users for whom Azure AD was unable to process group licenses completely. On the basis of that knowledge, they can then take corrective action.

Not all locations offer every Microsoft service. Before granting a license to a user, the administrator must indicate the user’s intended place of use in the user profile.

Users who don’t specify a use location inherit the directory’s location when a group license is assigned. If you have users spread out across different locations, it’s advised that you always specify usage location as part of the user creation flow in Azure AD (for instance, via Azure AD Connect configuration). This will guarantee that the license assignment outcome is always accurate and prevent users from receiving services in locations where they are not permitted.

For more information, contact Professional Labs, the Best Cloud Managed Services Provider Saudi Arabia

Contact Us