How to Setup Group Based Licensing in Microsoft 365

  • Post author:
  • Post category:Main
  • Post last modified:April 11, 2023
  • Reading time:7 mins read

Group-based licensing in Microsoft 365 or Azure Active Directory is a quick and effective way to manage your user license assignments. It means that when a new user (or existing user) is added to a group with group-based licensing, then that user is automatically assigned a license. This is particularly helpful when managing a large number of users, such as during migrations and take overs, or even during ongoing user management by simplifying onboarding processes. 

In this tutorial, I am going to show you how to setup group-based licensing in Microsoft 365.

Requirements for group-based licensing

To use group-based licensing, you will need to have at the minimum an Azure AD P1 license for every user that will benefit from it. Although this might seem a little backward, there is nothing to worry about. As soon as you add a single Azure AD P1 license, the features become available, so you can then configure your group-based licensing to assign both your Azure AD P1 license and any other licenses you wish.

You should also be conscious that you still need enough available (unassigned licenses) to assign to your users. For example, if you create a new group that will automatically assign M365 Dynamics licenses to staff and you add 10 users to that group. You need to ensure you have 10 available licenses ready to be assigned automatically.

What are the benefits?

It goes without saying one of the primary benefits is easy and simplified license management, enabling streamlined onboarding and change processes as well as simplified administration, removing the need to assign and remove licenses manually.

However, consistency and security should also be considered when deciding on group-based licensing. By ensuring a well-defined group structure you can clearly overlook which licenses are assigned to which user. By incorrectly or over-licensing users you are risking exposing them to data which they should not be able to see, either directly or indirectly which would be perfect for an attacker.

Assign licenses to a group

I won’t be going through how to create a group in Azure Active Directory in this tutorial, however, if you want to know how to create a security group using Microsoft Graph PowerShell, then you can check out my guide: How To Create Groups With Microsoft Graph PowerShell.

1. Start by logging into the Azure Active Directory admin center and select Groups.

Select the Groups blade
Select the Groups blade

2. Select your group from the list, then on the left-hand menu, select Licenses.

Select licenses
Select licenses

3. Select the Assignments button and check the license you wish to assign to this group (it could be a single license or multiple), then click Save.

Select Assignments
Select Assignments

Migrate users to group-based licensing

Migrating licensing assignments to groups is quite simple and if done correctly will have zero impact on your end users.

Assumingly if you are migrating users to group-based licensing, atleast some already have licenses directly assigned. Luckily Microsoft have made the migration quite simple and as such, your users can have the same license directly assigned and also assigned via group membership. For example, you may have long standing users who were manually assigned licenses which you want to migrate, you can add them to the necessary licensing group then manually remove their direct assignment.

During the inbetween period where licenses are assigned both ways, only a single license is consumed so you don’t have to worry about over spending or over using licenses. Also, by removing their direct assignment, the user will remain ‘licensed’ via the group membership and there will be no loss of service for the user.

If you want to learn how to bulk remove licenses using PowerShell (if you have many users for example), take a look at my guide: How To Assign User Licenses With Microsoft Graph PowerShell and read the Remove multiple licenses section.

View the group licensing status

The critical step while migrating to group-based licensing is to ensure licenses are correctly assigned by the group before removing the direct assignement.

1. Start by logging into Azure Active Directory > Users and select the one of the users you are migrating.

2. From the left-hand menu select Licenses. This will display a list of licenses assigned to the user.

Select Licenses
Select Licenses

3. You can see from the license list, that your target license is both directly assigned and inherited from the group.

Direct and Inherited licenses
Direct and Inherited licenses

You can also remove the direct assignment here by selecting the license and clicking Remove license.

By refreshing the page, you can now see that only Inherited is listed under the assignment paths.

Inherited only
Inherited only

Validate this has worked correctly first for a couple of users before you bulk remove licenses from all users.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

Leave a Reply