If identity is the foundation for security in the Microsoft 365 platform,licensing is the entitlement engine that is used to grant identities access to the tools and applications.
Every Microsoft 365 service is tied to a license—whether that’s individual product licenses for Exchange Online or SharePoint Online or bundled offerings such as Microsoft 365 G3 that include multiple services.
In Microsoft terminology, there are a number of key terms to be aware of:
• Licensing plans: In broad terms, a licensing plan is any purchased licensing item. For example, standalone Exchange Online P2 and Microsoft 365 E3 are both examples of licensing plans.
• Services: Also known as service plans, these are the individual services that exist inside of a licensing plan. For example, Exchange Online P2 has a single Exchange Online P2 service plan, while Microsoft 365 E3 has an Exchange Online service plan, a Microsoft 365 Apps, service plan, a SharePoint Online service plan, and so on.
• Licenses: This is the actual number of individual license plans of a particular type that you have purchased. For example, if you have 5 subscriptions to Exchange Online P2 and 5 subscriptions to Microsoft 365 E3, you have 10 licenses (or 5 each of Exchange Online P2 and Microsoft 365 E3). Licenses are frequently mapped 1:1 with users or service principals, though some users may have more than one license plan associated with them.
• SkuPartNumber: When reviewing licensing in PowerShell, the SkuPartNmber is the keyword that maps to a licensing plan. For example, Office 365 E3 is represented by the
SkuPartNumber ENTERPRISEPACK.
• AccountSkuId: The AccountSkuId is the combination of your tenant name (such as Contoso) and the SkuPartNumber or licensing plan. For example, the Office 365 E3 licensing plan belonging to the contoso.onmicrosoft.com tenant has an AccountSkuId of contoso:ENTERPRISEPACK.
• ConsumedUnits: Consumed units represent the number of items in a licensing plan that you have assigned to users. For example, if you have assigned a Microsoft 365 E3 licensing plan to three users, you have three ConsumedUnits of the Microsoft 365 E3 licensing plan. When reviewing licensing from the Azure AD portal, this field is sometimes displayed as Assigned.
• ActiveUnits: Number of units that you have purchased for a particular licensing plan. When reviewing licensing from the Azure AD portal, this field is sometimes displayed as Total.
• WarningUnits: Number of units of a particular license plan that you haven’t renewed purchasing for. These units will expire after the 30-day grace period. If reviewing licensing in the Azure AD portal, this field is also sometimes displayed as Expiring soon.
You can easily view purchased licensing plan details in the Microsoft 365 admin center under Billing | Licenses, as shown in Figure 2.28:
Figure 2.28 – License details in the Microsoft 365 admin center
You can assign licenses in many ways:
• Through the Licenses page in the Microsoft 365 admin center Microsoft( 365 admin center | Billing | Licenses)
• On the properties of a user on the Active users page in the Microsoft 365 admin center (Microsoft 365 admin center| Users | Active Users | User properties)
• To users through the Licenses page in the Azure AD portal (Azure AD portal | Azure Active Directory | Licenses | Licensed users)
• To users through the User properties page in the Azure AD portal (Azure AD portal | Azure Active Directory | Users | User properties)
• To groups through group-based licensing (Azure AD portal | Azure Active Directory | Licenses | Licensed groups)
• Through PowerShell cmdlets such as Set-MsolUserLicense
Each licensing method allows you similar options for assigning license plans to users, including assigning multiple license plans or selectively enabling service plans inside an individual license plan.
For example, in the Microsoft 365 admin center, you can view and modify a user’s licenses on the
Licenses and apps tab of their profile. See Figure 2.29:
Figure 2.29 – User license management
As you can see in Figure 2.29, the user has the Office 365 E5 licensing plan enabled as well as individual services such as Common Data Service, Common Data Service for Teams, and Customer Lockbox, while the Azure Rights Management service plan for this licensing plan is disabled.
Note
In order to assign licenses, a usage location is required. The usage location is used to determine what service plans and features are available for a given user. Any user that does not have a usage location set will inherit the location of the Azure AD tenant.
Many organizations may choose to automate some or all of the licensing assignments. Azure AD
group-based licensing allows you to specify one or more licenses to be assigned to one or more users or security groups.
To configure group-based licensing, follow these steps:
- Navigate to the Azure AD portal (https://portal.azure.com).
- Select Azure Active Directory | Licenses.
- Under Manage, select All products.
- Select one or more licenses that you want to assign as a unit to a group and then click Assign. See Figure 2.30:
Figure 2.30 – Assign selected licenses to a group
- On the Users and groups tab, click Add users and groups and select one or more security groups from the list. You can only select security groups or mail-enabled security groups. The security groups can be cloud-only or synchronized.
- Click the Assignment options tab.
- Select which services you want to enable for each licensing plan by sliding the toggle to either Off or On. See Figure 2.31:
Figure 2.31 – Configuring assignment options
- When finished, click Review + assign.
- Confirm the configuration. When ready, click Assign.
Further Reading
For more information on configuring group-based licensing, see https://learn. microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal.
Next, you’ll look at how to perform bulk user management operations in Microsoft 365.
