Group-based licensing for security groups in Office 365. This is something that will reduce clicking, scripting, and admin burden overall.
If this fits your organisation requirements and governance, then go for it! It’s a great feature.
Let’s see how we can start using it.
- Global Admin or User Management permissions
- Office 365 trial/paid subscription (E3 in my case)
- Enough licences in the tenant for users
NOTE: In my scenario, I have 2 fake users as follows:
- Georges has already been assigned a few services from the E3 license
- John is not licensed at all
- They are both part of the SG_HR security group
Assign licenses to the Security Group
To start assigning licences, log into the Azure Portal with your admin credentials, or from the Office 365 Admin Center >> All Admin Centers >> Azure Active Directory.
Once in the Azure AD admin center, navigate to Azure Active Directory >> Licenses.
Under “licenses“, click on All products >> Choose your plan >> Click on “Assign”
Under Assignment options, select the services from this license that you wish to enable for the group.
Here I’m only going to choose the main ones (EXO, SPO, Teams…) and remove all the “extras” like PowerApps, Flow, Stream…
Navigate above, under “Users & groups” >> Search for your group (and click on it) >> click on Select at the bottom of the page
Finally, click on “Assign” to assign the license to the group!
There will be a little notification on the top-right corner 😉
Check the license has been assigned
To check if the license has been properly assigned, navigate back to Licenses >> All Products >> click on the plan >> Licensed groups (left pane)
Another way is also to click on “Licensed Users“, and notice how my 2 fake users are licensed:
- Georges is licensed directly AND via the group-based licensing
- John is licensed ONLY via the group-based licensing
Verify in the Office 365 Admin Center
Let’s have a look at the Office 365 admin center now.
Remember that “John” was not licensed at all. He’s now only licensed through the group-based licensing model.
Therefore, if I try to add services for him manually, and save those changes… We have a message telling us NOPE, you can’t do that! Well… in a nutshell that is…🙄
“Georges” was already assigned some services, so it’s totally possible to change this manually…
IMPORTANT: If you have manually enabled a service for a user (like Georges had “Sway” turned on prior to the group-based licensing), and the group-licensing turns it off, this will have no impact on the user as he/she already had it on 😉