Moving from manual to automatic Microsoft Azure AD license assignment

Wouldn’t it be nice if we never had to worry about assigning a license manually to a user, ticking that checkbox for new starters and unticking it for leavers? Or what about changing a license subscription and having to move every user over from the old one to the new one? Ohhh, what a nightmare!

The good thing is that Azure AD Group-Based License Management is now a thing! And what’s better than that? The rule builder is now available for those who are not too savvy in creating their own dynamic rule syntax.

Here are the steps on how to make this thing work for you and your organisation:

  1. Gather information and prepare requirements.
    • Identify the baseline license that the bulk of the users should have.
    • Identify whether the accounts are purely AAD or synchronised from on-premises AD. This will come in handy for the next bullet below.
    • Identify the attribute and the unique value that the users have in common.
    • Ensure that you have the appropriate number of licenses.
    • Ensure that you have at least Azure AD Premium 1 to be able to create dynamic groups.
    • Ensure that you have at a minimum User and License Administrator privileges in your tenant.
    • Once the above steps are complete, you are ready to start.
  2. Create a new dynamic membership Azure AD security group with an easy to identify name.
    • Example: License Assignment – O365 F1 and EMS E5
    • Set the membership type to Dynamic User.
    • It’s also a good idea to add an owner for future reference.
    • Set up the dynamic query using the rule builder. By default the first entry is already filled in, so you may need to update it – just like what I did below.
    • You may add up to 5 expressions as of this writing. The rule builder also automatically creates a rule syntax (highlighted in yellow), which you may also need to update if your query is a bit complex.
      In the above example, I need to update the rule syntax and group the departments together, hence adding parentheses () after the second “and” query as shown below. Note that once the rule syntax has been manually updated, the rule builder entries will show as empty.
    • Hit the save button once you are happy with the rule to create the dynamic group.
  3. Review the newly created dynamic membership group.
    • Click the object to see the processing status. Once the processing is done, notice that the group now has members. Review the accounts and see if you have captured the correct users. If not, revisit and update your rule syntax until you have the correct users.
    • Once you are completely happy with the dynamic membership group members, you may proceed to associate the group with the license.
  4. Associate the group to the license.
    • From the group pane, click Licenses then hit Assign.
    • Select the licenses that you want to associate to the group and save the changes.
    • Once the process has been completed, you should see a message stating whether the licenses were applied. It will also mention if there is an error, which you can click on to see more information on how to resolve it. An error will also show up here if you do not have enough licenses.
  5. Review the license assignment. Once the group license assignment has been processed, you will see the assignment paths as Direct or Inherited. Review the assignments and ensure that every user with an inherited assignment is correct; otherwise, revisit your group filter in step 2.
  6. Perform a cleanup. Remove the direct license assignment and ensure that the state is Active.

Things to note:

  1. While the user has both direct and inherited license assignment, the user is still using ONE license.
  2. License assignment may take a while to process, so ensure that everything has been processed BEFORE removing the direct license.

Troubleshooting:

  1. If there are issues with the state, reprocess license assignment.
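
For the cleanup in step 6 and the "processed BEFORE removing" note above, here is an added example (not part of the original post) that decides, per user, whether a direct assignment can go. The function name, sample users and GUIDs are hypothetical; the input objects follow the shape of the Microsoft Graph `licenseAssignmentStates` user property.

```powershell
# Added example. Input objects mirror the Microsoft Graph user property
# licenseAssignmentStates (skuId, assignedByGroup, state). On a live tenant,
# assuming the Microsoft Graph PowerShell module, they could come from:
#   Get-MgUser -All -Property Id,UserPrincipalName,LicenseAssignmentStates
function Get-DirectLicenseCleanupPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string]   $SkuId,    # license (SKU) being moved to the group
        [Parameter(Mandatory)] [string]   $GroupId   # the dynamic licensing group from step 2
    )
    foreach ($u in $Users) {
        $states = @($u.LicenseAssignmentStates | Where-Object { $_.SkuId -eq $SkuId })
        # A direct assignment carries no AssignedByGroup value.
        $direct = @($states | Where-Object { -not $_.AssignedByGroup })
        if ($direct.Count -eq 0) { continue }    # no direct assignment to clean up
        $inherited = @($states | Where-Object { $_.AssignedByGroup -eq $GroupId })
        $action = if ($inherited.Count -eq 0) {
            'Keep direct: user is not covered by the group rule'
        } elseif ($inherited[0].State -ne 'Active') {
            "Wait: inherited assignment state is '$($inherited[0].State)'"
        } else {
            'Safe to remove direct assignment'
        }
        [pscustomobject]@{ User = $u.UserPrincipalName; Action = $action }
    }
}

# Constructed sample data: placeholder GUIDs and users, not real tenant values.
$sku = '00000000-0000-0000-0000-0000000000aa'
$grp = '00000000-0000-0000-0000-0000000000bb'
function New-State($Group, $State) {
    [pscustomobject]@{ SkuId = $sku; AssignedByGroup = $Group; State = $State }
}
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'   # direct + inherited, processed
        LicenseAssignmentStates = @((New-State $null 'Active'), (New-State $grp 'Active')) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com'     # inherited assignment failed
        LicenseAssignmentStates = @((New-State $null 'Active'), (New-State $grp 'Error')) }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'   # missed by the dynamic rule
        LicenseAssignmentStates = @((New-State $null 'Active')) }
    [pscustomobject]@{ UserPrincipalName = 'dave@example.com'    # already inherited only
        LicenseAssignmentStates = @((New-State $grp 'Active')) }
)
Get-DirectLicenseCleanupPlan -Users $users -SkuId $sku -GroupId $grp | Format-Table -AutoSize
```

Users reported as "Keep direct" would lose the license entirely if the direct assignment were removed, so they point back to the group rule in step 2 rather than to the cleanup.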

There you go! Hope this helps someone, somewhere out there! 🙂
