Group-based licensing in Azure

Azure AD group-based licensing lets you standardize license assignment by managing licenses per group rather than per individual user.
While individual license assignment is perfectly doable in very small environments, it does not scale well. Assigning licenses per user quickly becomes a considerable time sink once your user base grows and changes frequently. Group-based licensing lets you carefully set up a desired combination of licenses and assign it to an Azure AD group. After that, you only add or remove users from such groups, and Azure periodically assigns and removes licenses from the individual users accordingly.

Prerequisites

To be able to use group-based licensing, your Azure AD needs to be on the Premium P1 level or higher. This is the case if at least one license is available in the tenant that includes Azure AD Premium P1. Examples are: E3 or higher, Enterprise Mobility + Security E3 or higher, Microsoft 365 E3 or higher.

Enabling

Licenses are assigned to groups in the Azure portal, not in the O365 admin portal. Open https://portal.azure.com/ and browse to Azure Active Directory -> Groups. Create or open a group, and click on Licenses. You will now be able to assign licenses to all users in that group.
A license change made in this screen is processed in the background. For larger groups this may take 10-15 minutes.

[Figure: Group-based Licenses]

You can verify the assignment by opening a user object in Azure AD. Licenses that are assigned via group-based licensing show as "Inherited". Licenses that are assigned directly to a user, bypassing group-based licensing, show as "Direct". For Azure AD group-based licensing to be effective, direct-assigned licenses should be removed, so that any change to the assignment options is handled consistently via the group assignment.
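The portal check above works for one user at a time. The following script is an added example, not part of the original article, that does the same check tenant-wide with the Microsoft Graph PowerShell SDK: it lists every license assignment as Inherited (assigned by a group) or Direct, surfaces assignments whose state is not Active (for example conflicts between mutually exclusive licenses), and, only when the `-RemoveDuplicateDirect` switch is given, removes a Direct assignment that duplicates a license the user already inherits from a group. The `-RemoveDuplicateDirect` switch and the `$skuNames` lookup are this example's own; the cmdlets and the `LicenseAssignmentStates` user property are standard Graph SDK items.

```powershell
# Added example (not the article's own code): report Inherited vs Direct license
# assignments tenant-wide, and optionally remove Direct assignments that are
# already covered by a group. Assumes the Microsoft Graph PowerShell SDK is installed.
param(
    [switch]$RemoveDuplicateDirect   # hypothetical switch; default is report-only
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.Read.All', 'Organization.Read.All'

# Map SKU GUIDs to readable part numbers (e.g. SPE_E3, EMS) for the report
$skuNames = @{}
Get-MgSubscribedSku | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

# LicenseAssignmentStates carries, per SKU, the assigning group (if any) and the state
$users = Get-MgUser -All -Property Id, UserPrincipalName, LicenseAssignmentStates

$report = foreach ($user in $users) {
    $states = $user.LicenseAssignmentStates
    if (-not $states) { continue }

    $inherited = $states | Where-Object { $_.AssignedByGroup }
    $direct    = $states | Where-Object { -not $_.AssignedByGroup }

    foreach ($s in $states) {
        $source = if ($s.AssignedByGroup) { 'Inherited' } else { 'Direct' }
        [pscustomobject]@{
            User   = $user.UserPrincipalName
            Sku    = $skuNames[$s.SkuId]
            Source = $source
            Group  = $s.AssignedByGroup
            State  = $s.State      # anything other than 'Active' needs attention
            Error  = $s.Error
        }
    }

    # A Direct assignment for a SKU the user also inherits is redundant: removing
    # it leaves the license in place, now governed by the group.
    $duplicateDirect = $direct | Where-Object { $_.SkuId -in @($inherited.SkuId) }
    if ($RemoveDuplicateDirect -and $duplicateDirect) {
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses @($duplicateDirect.SkuId) | Out-Null
        Write-Host "Removed duplicate direct license(s) from $($user.UserPrincipalName): $(($duplicateDirect.SkuId | ForEach-Object { $skuNames[$_] }) -join ', ')"
    }
}

$report | Sort-Object User, Sku | Format-Table -AutoSize

# Assignments in error state are the ones to investigate first
$report | Where-Object { $_.State -ne 'Active' } | Format-Table User, Sku, Source, State, Error -AutoSize
```

Run it once without the switch to review the report; a Direct assignment for a SKU that no group provides is not touched, because removing it would take the license away rather than hand it over to a group.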

Some useful thoughts

  • All users in the group get the same licenses, so no assignment mistakes are made. Individual exceptions are still possible.
  • Adding an Exchange Online license also creates the mailbox for that user. No separate process is needed to create mailboxes.
  • The Azure AD group can be a cloud group or a group that is synced from on-premises AD.
  • You can create multiple groups with different licenses. The user gets all the licenses from all groups, unless some of them are mutually exclusive.
  • Your onboarding/offboarding tooling will most likely already be able to add new users to AD groups out of the box. No separate process is needed to add licenses in Azure.
  • Adding and removing licenses is now a Level 1 helpdesk activity.