As an Azure administrator, managing licenses in Microsoft Entra ID is a required task. While this is not too difficult, we will look at the process of managing Microsoft 365 licenses in Microsoft Entra ID when using Azure.
Subscriptions vs licenses
There are a couple of terms that may be confusing due to their similarities. What is the difference between a subscription and license in Microsoft Azure?
Subscriptions
A subscription represents a commitment with Microsoft to utilize one or more of its cloud services. The billing for these services can either be on a per-user licensing basis or based on the consumption of cloud resources.
The charges are typically on a per-user license basis for Microsoft’s cloud services that operate on a Software as a Service (SaaS) model, like Microsoft 365 and Dynamics 365. On the other hand, for services that fall under the Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) categories, such as Azure, the costs are determined by the amount of cloud resources used.
Trial subscription
There’s also an option to opt for a trial subscription. However, it’s essential to note that these trials come with an expiration, either based on time or consumption limits. Once the trial period is over, upgrading it to a full-fledged, paid subscription is possible.
Multiple subscriptions
It’s not uncommon for organizations to hold multiple subscriptions across Microsoft’s cloud spectrum. You can create management groups that contain more than one Azure subscription and these can be more easily managed this way.
Licenses
For Microsoft’s SaaS-based solutions, a license grants a particular user account access to the cloud service’s features. This comes with a set monthly charge included in your subscription. Administrators are responsible for assigning these licenses to user accounts under the subscription.
In an example where an organization has a Microsoft 365 E5 subscription that comes with 100 licenses, they can provide up to 100 distinct user accounts with access to the features and services of Microsoft 365 E5.
Navigating the Azure Portal for License Management
The Azure Portal allows you to manage licenses in Microsoft Entra ID (formerly Azure Active Directory). It provides a user-friendly interface to manage, assign, and oversee licenses across user accounts and groups within an organization when you use Azure.
Using the Azure portal, you can manage user and group settings, and ensure that licenses are appropriately assigned and managed.
Understanding Microsoft Entra ID and Its Licensing Model
There are different licenses available for Microsoft Entra ID (Microsoft Azure), and provides different functionality and capabilities, depending on the license that is selected.
- Microsoft Entra ID Free
- Microsoft Entra ID P1
- Microsoft Entra ID P2
Keep in mind that these licenses are different from traditional licenses installed on Windows Server or virtual machine instances. These are for entitlement to services existing in the Microsoft 365 cloud infrastructure.
There are a few differences to note between the free Microsoft Entra ID offering and the P1 and P2 licenses.
With the free Microsoft Entra ID license, you don’t have access to the following as a few examples:
- Group assignment to applications
- Cloud app discovery
- Application proxy
- Advanced group management
- Cloud monitoring
- Cross-tenant user synchronization
- Conditional access
- SharePoint limited access
- Global Password Protection
As you can see, many Azure services require Azure AD Premium P1 or Azure AD Premium P2 licenses. Administrators need to be aware of the licensing limitations of each when they manage Microsoft Entra. You can see the detailed differences between the licenses here: Microsoft Entra Plans and Pricing | Microsoft Security.
There is also a nice feature under the License dashboard allowing you to see what features are available. Navigate to Licenses > Licensed features. You will see features that need Microsoft Entra ID P2 below noted:
Managing User and Group Licenses in Entra ID
Managing licenses in Microsoft Entra ID involves understanding user and group accounts, and ensuring that licenses are appropriately assigned and managed.
This includes understanding how to navigate through the Azure Portal, utilizing the blade to manage user settings, assign licenses, and ensure that user accounts and groups have access to resources and applications.
In the Azure Portal, search for licenses. Below, you see the Licenses option after searching.
Under the Licenses > All products view, you can see the licenses you have available and licensed users for each license installed. You can click the products listed to see which users and groups are assigned.
Click the +Add users and groups link.
After selecting a group to assign the license to, you can click the Review + assign button.
Access Management with User Principal Names
User principal name (UPN) management is important in Microsoft Entra. Managing UPNs ensures that user accounts are correctly associated with their respective licenses and that access to resources is appropriately managed and overseen.
This involves managing user settings, ensuring that UPNs are correctly assigned, and that user accounts have the necessary access to resources and applications.
Group-based licensing
Group-based licensing is a feature integrated into Microsoft Entra ID. It allows you to assign one or multiple product licenses directly to a group. With this setup, Microsoft Entra ID is responsible for ensuring every group member receives the designated licenses.
As new members become part of the group, they automatically get the relevant licenses. When a user is removed from a group, their licenses are promptly revoked.
With this, you no longer have to rely on PowerShell automation to assign licenses at the individual user level.
Usage location
One thing to note with group-based licensing. Every Microsoft service isn’t accessible in every region. Before allocating a license to a group, it’s required to define the Usage location for every member. In Microsoft Entra, this can be done by navigating to Identity > Users > All users >
Below, you can see the Usage location field that is unassigned for this particular user.
When you’re distributing licenses to a group or making mass updates, like turning off the synchronization status for the organization, any user without a specified usage location will default to the tenant’s location.
Security and compliance with license management
Keep in mind that managing licensing appropriately is an important component of security and compliance as it determines what resources and access are possible for end-users.
It is essential that users are configured correctly, and licenses are assigned to Azure resources, ensuring that user settings are configured correctly and that licenses are managed and overseen through the Azure Portal no matter where the user is accessing resources from, whether a mobile device or using virtual machines.
Managing External Users and Guest User Access
Managing external user and guest user access in Microsoft Entra involves assigning and managing licenses, ensuring that external users and guests have the appropriate access to resources, and that their access is managed and overseen through user settings in the Azure Portal.
Wrapping up
Managing licensing in Microsoft Entra ID is an extremely important concept to understand and knowing how to assign licenses to users and groups is a basic requirement. Effective management of licensing can be carried out using the Azure Portal. Using group-based licensing, you can assign licenses to multiple users at once and control licensing based on group memberships.
Related Posts:
Microsoft Azure Administrator: AZ-104: Microsoft Entra ID Guest User Accounts – Part 5
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.
