Office 365 administrators have a reason to be happy: Microsoft has finally joined the party on group-based Office 365 licence management, sparing them manual maintenance or a reliance on scripts and third-party systems.
The 'before' time
Until earlier this year, administrators of Office 365 had no pure native way to automate applying licences to their user base. They could already apply licences manually, of course, through either the web interface or PowerShell.
The web interface is rather time-consuming and only suited to very small companies. It also leaves a large margin for user error, because several options have to be toggled off or on based on requirements. Doing this for each add/move/change in an environment is a tedious task that will frustrate anyone trusted enough to allocate those licences.
Using PowerShell is a better method; it can be a bit cumbersome to wrap your head around the syntaxes and commands to pipe together when assigning a licence the first time, but it does the job. Being PowerShell driven, these commands can be automated through Scheduled Tasks to see what's changed (including adding or removing a user from a security group in Active Directory). This provides a reasonable level of automation, but it requires the administrator to bring their own solution.
Third parties also offer automated Office 365 licence management, but these are generally tied into other offerings, and have other benefits and costs attached to them, for example ticketing systems, user account management utilities, identity management solutions. For those who had one of these bigger solutions, using them would be a no-brainer compared to the native options.
Welcome to the modern era
Now, nearly six years since Office 365 was floated, Microsoft has released the Azure Active Directory Group-Based License Management as a public preview. The feature is available for all customers globally.
The fact it's taken so long – Office 365 arrived in 2011 – is a surprise. Windows 7 was still Microsoft's newest desktop operating system (Windows 8 was released a year later) and Microsoft Office 2010 was the latest productivity suite in a post-Clippy world. We have it now, though, and Microsoft staff themselves admit that this sort of solution has been one of their top requests for a very long time.
The new Azure portal lets you create a group and point a ruleset of licences at it; all members of the group get that ruleset of licences and lose them when they leave. There are a few different group types supported – on-premises Active Directory Security Groups, Azure AD-based Security Groups, and Azure AD-based Dynamic Security Groups.
The first two methods are rather straightforward – work out how to add and remove users from the security groups, and there's your licensing automated. Dynamic Security Groups, however, let you set the rules on what defines a member of the group.
Some administrators will have a simple environment: create a single Dynamic Security Group that adds all staff (for example, only adding user accounts that have an employee number, or phone number) into the group, and those members get the full suite of Office 365 licences available.
This also means when an account is cleaned up (deleted, or fields wiped) the user falls out of scope of the dynamic security group, loses their Office 365 licence and gets marked as "suspended" to avoid accidental catastrophic deletions.
Sonia Cuff, a technology consultant and Office Servers and Services MVP, gave this extra piece of advice:
Smaller businesses might now be tempted to look under the hood at Azure Active Directory powering their Office 365 authentication. But if they get their services via a Microsoft Cloud Solution Provider (CSP) agreement, there may still be some manual intervention required. Dynamic licensing won't automatically provision new licenses from the CSP provider, so there will need to be enough unused licenses available to their tenant or they'll have to purchase more.
It's a valid point: automation is great, but if it is left unmonitored or not done properly, you may quickly exhaust your pool of available licences.
For most others, though, licences will be tight, and there will be other more specialised licences (such as Power BI Pro) that are only given to a handful of people.
The flexibility of this new solution means that the framework around how a user gets a licence is really up to you. It might be that anyone with "manager" in their title gets the Power BI Pro licence, or anyone from the marketing department gets access to Microsoft Teams because they're very up to date with technology and have decided to no longer use emails as a form of internal communication.
The documentation for group-based licence management is already rather detailed and thorough, so if you're still doing licensing management the manual way, it may be worthwhile testing this solution to get back those tedious minutes from your day.
But it's not without caveats. Anything in public preview can change without notice, nested security groups aren't supported, and you'll need to clean up your manual licence assignments once your group-based licensing is complete.
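The two operational checks raised above, pool headroom and leftover manual assignments, can be scripted. The following is an added example, not code from the article or from Microsoft: the property names follow Microsoft Graph's subscribedSku and licenseAssignmentStates shapes, while the function names, the SKU and group IDs, the users and the threshold of five free licences are constructed for illustration.

```powershell
# Constructed sample data. On a live tenant the same shapes come from
# Get-MgSubscribedSku and
# Get-MgUser -All -Property UserPrincipalName,LicenseAssignmentStates
$skus = @(
    [pscustomobject]@{ SkuId = 'sku-e3';  SkuPartNumber = 'ENTERPRISEPACK'
        ConsumedUnits = 48; PrepaidUnits = [pscustomobject]@{ Enabled = 50 } }
    [pscustomobject]@{ SkuId = 'sku-pbi'; SkuPartNumber = 'POWER_BI_PRO'
        ConsumedUnits = 3;  PrepaidUnits = [pscustomobject]@{ Enabled = 10 } }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; LicenseAssignmentStates = @(
        [pscustomobject]@{ SkuId = 'sku-e3'; AssignedByGroup = $null;       State = 'Active' }
        [pscustomobject]@{ SkuId = 'sku-e3'; AssignedByGroup = 'grp-staff'; State = 'Active' }) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test'; LicenseAssignmentStates = @(
        [pscustomobject]@{ SkuId = 'sku-pbi'; AssignedByGroup = $null;      State = 'Active' }) }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.test'; LicenseAssignmentStates = @(
        [pscustomobject]@{ SkuId = 'sku-e3'; AssignedByGroup = 'grp-staff'; State = 'Error' }) }
)

# SKUs whose unused pool is smaller than the headroom you want to keep.
function Get-LowHeadroomSku {
    param([object[]]$Sku, [int]$MinFree = 5)
    foreach ($s in $Sku) {
        $free = $s.PrepaidUnits.Enabled - $s.ConsumedUnits
        if ($free -lt $MinFree) { [pscustomobject]@{ Sku = $s.SkuPartNumber; Free = $free } }
    }
}

# Classify each assignment: a direct one that a group already covers can be
# removed; a direct-only one needs a group first; a failed group one needs fixing.
function Get-LicenceFinding {
    param([object[]]$User)
    foreach ($u in $User) {
        $states  = @($u.LicenseAssignmentStates)
        $byGroup = @($states | Where-Object { $_.AssignedByGroup -and $_.State -eq 'Active' } |
                     ForEach-Object SkuId)
        foreach ($s in $states) {
            $finding = if (-not $s.AssignedByGroup) {
                if ($byGroup -contains $s.SkuId) { 'RedundantDirect' } else { 'DirectOnly' }
            } elseif ($s.State -ne 'Active') { 'GroupAssignmentFailed' }
            if ($finding) {
                [pscustomobject]@{ User = $u.UserPrincipalName; SkuId = $s.SkuId; Finding = $finding }
            }
        }
    }
}

Get-LowHeadroomSku -Sku $skus   | Format-Table
Get-LicenceFinding -User $users | Format-Table
```

Only the assignments reported as RedundantDirect are safe to strip during clean-up; removing a DirectOnly assignment takes the licence away from the user entirely.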
And, finally, before jumping in and setting up this automation – have a think about how you're going to architect the licences and groups.
Why? Because automation that isn't logical and/or clear to someone other than you is just a new problem waiting to happen.
After all, you don't want to be called back at beer o'clock on Friday evening just because HR decided to enact an end-of-week tidy-up to the CEO's Office 365 account. ®