As opposed to adding cloud-based licenses per user or via PowerShell to automate license assignments with a security group, Azure’s group-based licensing is easy to do and will save a lot of time.
This setup is ideal for organizations that hold a number of licenses for different types of users. It is also useful when not every feature in a license needs to be enabled for a given user group or type to perform its role.
Requirements
The admin account that creates the groups should have Office 365 E3 or A3.
Or
An account that creates the groups should have Azure AD Premium P1.
Group types that can be used
Azure AD security groups / security-enabled distribution groups.
Synced security groups / security-enabled distribution groups from the on-prem AD.
Ways to do it
Manually: add users to the group, and they will be assigned the licenses allocated to that group.
Dynamically: Depending on the user’s attribute, that user will be a member of that group (dynamic groups are available with Azure AD Premium P1 license).
More on Azure Dynamic Groups
Use case
In my scenario, I have On-Premises synced users in my Azure AD, and I will create the Security Group in the On-Prem AD and sync it to Azure AD.
Anyone who is a member of this group should get Office 365 E3 and Visio Plan 2.
1. Create the Group in AD and perform a Sync.
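Step 1 done from PowerShell instead of the AD console, as an added example that is not part of the original post. The group name is the one used later in the post; the OU path, the member account and the Azure AD Connect server name are placeholders. It assumes the RSAT ActiveDirectory module on the admin workstation and the ADSync module on the Azure AD Connect server.

```powershell
# Added example: create the on-prem licensing group, add a member and push a delta sync.
Import-Module ActiveDirectory

$groupName = 'Azure-Lic-E3'                                  # name used in the post
$groupOu   = 'OU=Licensing,OU=Groups,DC=contoso,DC=com'     # assumed OU path
$member    = 'jdoe'                                          # constructed sample sAMAccountName
$aadcServer = 'AADCONNECT01'                                 # placeholder Azure AD Connect server

# Group-based licensing needs a security-enabled group, so GroupCategory is Security,
# not a plain distribution group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupCategory Security -GroupScope Global -Path $groupOu `
        -Description 'Members receive Office 365 E3 + Visio Plan 2 via group-based licensing'
}

Add-ADGroupMember -Identity $groupName -Members $member

# Trigger a delta sync now instead of waiting for the next scheduled cycle.
# Start-ADSyncSyncCycle must run on the Azure AD Connect server itself.
Invoke-Command -ComputerName $aadcServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Because membership of this group now grants paid entitlements in the cloud, treat write access to its member attribute like any other privileged permission: only the accounts that are meant to onboard users should be able to add members, and membership changes on it are worth auditing.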
How would the Office 365 Admin Center see it?
2. License assignment
Go to https://aad.portal.azure.com
Go to the Azure Active Directory tab
Go to the group blade
Search for the group
Go to Licenses
Click on Assignments.
Select the available licenses for your tenant. I have selected Office 365 E3 and Visio Plan 2 as per my requirements.
You can customize the license features further by Reviewing the license options from the right-hand side, so only the selected features will get assigned to the group and to the members in it.
After assigning the licenses to the group, it might take a few minutes before they’re visible in the console.
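The same assignment (licenses plus the "review license options" step) done with the Microsoft Graph PowerShell SDK, as an added example that is not from the original post. The SkuPartNumber values ENTERPRISEPACK (Office 365 E3) and VISIOCLIENT (Visio Plan 2) and the two plan names switched off are the commonly documented ones, but treat them as assumptions and confirm them in your own tenant with Get-MgSubscribedSku.

```powershell
# Added example: assign E3 + Visio Plan 2 to the synced group, with selected E3 plans disabled.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All'

$groupName = 'Azure-Lic-E3'
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found in Azure AD (has it synced yet?)" }

$skus  = Get-MgSubscribedSku
$e3    = $skus | Where-Object SkuPartNumber -eq 'ENTERPRISEPACK'   # Office 365 E3 (assumed part number)
$visio = $skus | Where-Object SkuPartNumber -eq 'VISIOCLIENT'      # Visio Plan 2 (assumed part number)
if (-not $e3 -or -not $visio) { throw 'Expected SKUs not found; check Get-MgSubscribedSku' }

# Check capacity first: a group with more members than free seats ends up in an error state.
foreach ($sku in @($e3, $visio)) {
    $free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    Write-Host ("{0}: {1} seats free" -f $sku.SkuPartNumber, $free)
}

# "Review license options": disable plans the group does not need. The names below are
# assumptions; list the real ones with $e3.ServicePlans | Select ServicePlanName, ServicePlanId
$disabledE3 = $e3.ServicePlans |
    Where-Object { $_.ServicePlanName -in @('SWAY', 'YAMMER_ENTERPRISE') } |
    Select-Object -ExpandProperty ServicePlanId

Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(
        @{ SkuId = $e3.SkuId;    DisabledPlans = @($disabledE3) },
        @{ SkuId = $visio.SkuId; DisabledPlans = @() }
    ) `
    -RemoveLicenses @()

# Assignment is processed asynchronously; this is the "takes a few minutes" from the post.
(Get-MgGroup -GroupId $group.Id -Property LicenseProcessingState).LicenseProcessingState
```

Scoping the connection to Group.ReadWrite.All and Organization.Read.All keeps the script from needing a directory-wide admin token for what is only a group property change.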
From now onwards, whenever you add a user to this security group in the on-prem AD, the membership is synced to Azure AD on the next sync cycle, and the user receives the licenses assigned to the group.
This is how the user is visible in that group after the sync.
Two things I would like to note here.
- State – Conflicting Service Plans: one or more features (service plans) in one license are already included in another license assigned to the same user.
- Assignment Paths: Inherited (Azure-Lic-E3) is the group assignment; Direct is a license assigned manually from the M365 Admin Center.
To resolve the conflicting state, open one of the assigned licenses and check which service plans it reports as errors.
To rectify this
Go to the Azure Active Directory > Groups > Licenses > Click on the license that has duplicated features and switch them off > Save > Click on the Reprocess button on top.
If there are more errors, it will give you a prompt so you can follow that to resolve it.
Make sure you have enough licenses as well. If not, buy them first, and once they are visible in the portal, click on Reprocess.
Once the errors are sorted, the status will change to Active, and whenever you add a user to this group, the license assignment will automatically happen, and that will remove one step of the user cloud enablement process.
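An added example, not from the original post, that finds the cause of the two error conditions above before you click Reprocess: service plans enabled by more than one SKU in the group's assignment (the "Conflicting Service Plans" state) and the members Azure AD could not license, with their Inherited or Direct assignment path. The group name is the one from the post; every SKU and plan name is read from the tenant rather than assumed.

```powershell
# Added example: diagnose conflicting plans and failed member assignments for a licensing group.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All', 'Organization.Read.All'

$group = Get-MgGroup -Filter "displayName eq 'Azure-Lic-E3'" -Property Id, DisplayName, AssignedLicenses
if (-not $group) { throw 'Group not found' }

# SkuId -> subscribedSku, so plan names can be resolved without repeated calls
$skuById = @{}
Get-MgSubscribedSku | ForEach-Object { $skuById[$_.SkuId] = $_ }

# Map every service plan to the SKUs in this group's assignment that leave it enabled.
$planOwners = @{}
foreach ($lic in $group.AssignedLicenses) {
    $sku = $skuById[$lic.SkuId]
    foreach ($plan in $sku.ServicePlans) {
        if ($lic.DisabledPlans -contains $plan.ServicePlanId) { continue }   # switched off in the portal
        if (-not $planOwners.ContainsKey($plan.ServicePlanName)) { $planOwners[$plan.ServicePlanName] = @() }
        $planOwners[$plan.ServicePlanName] += $sku.SkuPartNumber
    }
}

# A plan enabled by two SKUs of the same assignment is what the portal reports as a conflict:
# disable it in one of the SKUs, Save, then Reprocess.
$conflicts = $planOwners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
foreach ($c in $conflicts) {
    Write-Host ("Conflict: {0} is enabled by {1}" -f $c.Key, ($c.Value -join ', '))
}

# Members whose assignment failed (seat shortage, conflict with a Direct license, ...).
Get-MgGroupMemberWithLicenseError -GroupId $group.Id | ForEach-Object {
    $u = Get-MgUser -UserId $_.Id -Property DisplayName, UserPrincipalName, LicenseAssignmentStates
    foreach ($s in ($u.LicenseAssignmentStates | Where-Object { $_.Error -and $_.Error -ne 'None' })) {
        $path = if ($s.AssignedByGroup) { 'Inherited' } else { 'Direct' }
        Write-Host ("{0}: {1} ({2}) -> {3}" -f $u.UserPrincipalName,
            $skuById[$s.SkuId].SkuPartNumber, $path, $s.Error)
    }
}
```

Run this after every change to the group's license options: the conflict list should be empty and the member list should be empty before the group's status is expected to show Active.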