First Look at the New Azure AD Group Based Licensing Feature


Yesterday Microsoft Release one of the most long awaited features of Azure (Office 365). The feature to assign licenses based on Group membership.

Until now it has only been possible to assign them individually, or you would have to do something using a PowerShell script and achieve the same.


Here are the main features of group-based licensing capability:

  • Licenses can be assigned to any security group in Azure AD. Security groups can be synced from on-premises using Azure AD Connect, created directly in Azure AD (also called cloud-only groups), or created automatically via the Azure AD Dynamic Group feature.
  • When a product license is assigned to a group, the administrator may disable one or more service plans in the product. Typically, this is done when the organization is not yet ready to start using a service included in a product, for example the administrator wants to assign Office 365 E3 product to a department but temporarily disable the Yammer Enterprise service.
  • All Microsoft cloud services that require user-level licensing are supported. This includes all Office 365 products, Enterprise Mobility + Security, Dynamics CRM, etc.
  • Group-based licensing is currently available only through the Azure portal. Customers who primarily use other management portals for user and group management, such as the Office 365 portal, can continue to do so, but will need to use the Azure portal to manage licenses at group level.
  • Azure AD automatically manages license modifications resulting from group membership changes. Typically, a user joining or leaving a group will have their licenses modified within minutes of the membership change.
  • A user may be a member of multiple groups with license policies specified; they may also have some licenses that were directly assigned to the user outside of any groups. The resulting user state is a combination of all assigned product and service licenses.
  • In some cases, licenses cannot be assigned to a user; for example, because there are not enough available licenses in the tenant or conflicting services have been assigned at the same time. Administrators have access to information about users for whom Azure AD could not fully process group licenses; they can then take corrective action based on that information.
  • During public preview, a paid or trial subscription for Azure AD Basic or higher is required in the tenant to use group-based license management. Also, every user inheriting any licenses from groups must have the paid Azure AD edition license assigned to them.

How to get started

Log into your Azure portal:

Go to the Azure Active Directory of your tenant:


Next click the new Licenses feature option:

Next click All products and then one of the licenses in your tenant, in my case EMS – E3:

Next choose the on or more Licenses which should be part of a Group assignment, in my case I choose EMS – E3 and then click Assign:

Next find a Group, which you want to assign licenses to (the group needs to have been created):

Next when the Group has been assigned, you can set Assignment Options, like which of the individual services (workloads) should be part of this License Assignment:

Then all users of my Group, will now be assigned the licenses I have selected above.

It is also possible to assign Licenses using Dynamic Groups. See reference documentation for more info about that.

Limitations and known issues

  1. Group-based licensing currently does not support “nested groups” (groups that contain other groups). If you apply a license to a nested group, only the immediate first-level user members of the group will have the licenses applied.
  2. Group-based licensing is currently only exposed via the Azure portal. At this time, it is not possible to use PowerShell to set or modify licenses on groups.
  3. The Office 365 admin portal does not currently support group-based licensing. If a user inherits a license from a group, this license will show up in the Office admin portal as a regular user license. If you try to modify that license (for example, to disable a service in the license, or try to remove the license) the portal will return an error message (because inherited group licenses cannot be modified directly on a user).

    To assign a license that contains Azure Information Protection Plan 1, you must also assign one of the following service plans: Azure Rights Management.

  4. When a user is removed from a group and loses the license, the service plans from that license (for example, Exchange Online or SharePoint Online) are set to a “suspended” state as opposed to a final disabled state. This is done as a precaution to avoid accidental removal of user data if an admin makes a mistake in group membership management.

    We are going to implement a workflow in which the state of those service plans will eventually be completely disabled for those users. Until that is available, some services may continue to operate for users who were removed from a group and no longer have a license.

  5. When licenses are assigned or modified on an extremely large group of users (for example, 100,000 users) the large number of changes generated by Azure AD automation may negatively impact the performance of your directory synchronization between Azure AD and on-premises systems. This could cause delays in directory sync in your environment.
  6. License management automation does not automatically react to all types of changes in the environment. For example, you may have run out of licenses and some users are in error state “Not enough licenses.” You can then remove some directly assigned licenses from other users to free up the available seat count. However, the system will not automatically react to this change and fix users in that error state.

    As a workaround to these types of limitations, you can go to the group blade in Azure AD and click the Reprocess button. This will process all users in that group and resolve the error states, if possible.