Tutorial / Cram Notes
Managing licenses in Azure Active Directory (Azure AD) is critical for organizations that want to ensure they are in compliance with their software use terms and to optimize their software spending. Azure AD provides several capabilities for managing licenses for Microsoft Online Services like Office 365, Enterprise Mobility Suite (EMS), and Microsoft Azure.
License Management in Azure AD
To manage licenses, Azure AD administrators can use the Azure portal or automate processes using PowerShell cmdlets. Utilizing Azure AD for license management entails assigning, unassigning, and monitoring the usage of licenses within your organization.
Assigning Licenses
You can assign licenses to user accounts individually or in bulk. For individual assignments, you need to access the Azure portal, navigate to the Azure Active Directory, select the user, and then manage their licenses.
For bulk assignments, you can use group-based licensing, which allows you to assign a license to a group in Azure AD and have all members of that group automatically receive the license. This is particularly useful for large organizations.
Example: To assign an Office 365 license to a user individually:
- Sign in to the Azure portal.
- Go to Azure Active Directory > Users.
- Select the user.
- Click on Licenses > Assign license.
- Select the license you want to assign and click Assign.
License Reconciliation
Azure AD provides a feature known as license reconciliation that ensures a user’s most essential licenses are prioritized in case there are not enough licenses to go around. This feature automatically removes non-essential licenses from the user and ensures they retain critical service licenses.
Monitoring License Usage
To maintain effective license management, administrators can monitor license usage to see how many licenses are in use and how many are available. Through the Azure portal, you can generate reports to get insights into your organization’s license status.
Example: To view license usage in the Azure portal:
- Sign in to the Azure portal.
- Navigate to Azure Active Directory > Licenses.
- Here, you can select All products to view the usage of all licenses or pick a specific product.
Unassigning Licenses
Unassigning licenses can be done manually through the Azure portal or with automated processes using PowerShell. This is important when a user no longer needs a service or when they leave the organization.
Example: To remove a license from a user:
- Go to Azure Active Directory > Users.
- Select the user.
- Click on Licenses > Remove license.
- Choose the license to remove and confirm.
Automation with PowerShell
For more advanced license management scenarios, you can use PowerShell cmdlets. This allows administrators to script the process of assigning and unassigning licenses, and more complex license management tasks.
Example: To assign a license using PowerShell:
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = (Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq “ENTERPRISEPACK” }).SkuId
$LicenseToAdd = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$LicenseToAdd.AddLicenses = $License
Set-AzureADUserLicense -ObjectId “<UserObjectId>” -AssignedLicenses $LicenseToAdd
Replace `ENTERPRISEPACK` with the appropriate SKU part number and `<UserObjectId>` with the user’s object ID in Azure AD.
Licensing Considerations for Hybrid Environments
Organizations running hybrid environments with on-premises Active Directory and Azure AD need to make sure licenses are correctly synchronized. Azure AD Connect helps with this by syncing user profiles, enabling seamless license management across environments.
Reporting and Compliance
Azure AD’s licensing features also help with reporting and compliance. Administrators can generate detailed reports on license assignments, usage, and compliance with licensing agreements.
Advanced License Management with Azure AD Premium
Azure AD Premium provides additional rich features for license management, like dynamic group membership, which can reduce the administrative overhead for managing licenses.
Summary Table
| Feature | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
|---|---|---|---|
| Individual License Assignment | ✓ | ✓ | ✓ |
| Bulk License Assignment via Group Membership | ✗ | ✓ | ✓ |
| License Usage Reports | ✓ | ✓ | ✓ |
| License Reconciliation | ✓ | ✓ | ✓ |
| PowerShell Automation | ✓ | ✓ | ✓ |
| Advanced Group-based Licensing and Automation | ✗ | ✓ | ✓ |
| Dynamic Group Membership | ✗ | ✓ | ✓ |
Conclusion
Effective license management in Azure AD is crucial for operational efficiency, compliance, and cost optimization. By using the tools Azure AD provides, Azure administrators can assign, monitor, and manage licenses in accordance to an organization’s needs. The AZ-104 Microsoft Azure Administrator exam will require understanding these principles and potentially demonstrating the ability to manage these licenses using both the Azure portal and PowerShell scripts.
Practice Test with Explanation
Question 1: True or False: In Azure Active Directory, you need a license for each user that you want to assign a paid feature to.
True
Each user that requires access to paid Azure AD features needs to have a license assigned to them.
Question 2: Which Azure AD feature allows you to group licenses for easier management?
- A) Azure AD groups
- B) Group-based licensing
- C) License pooling
- D) License templates
B) Group-based licensing
Group-based licensing allows you to assign a license to a group in Azure AD, and all members of the group automatically receive the license.
Question 3: True or False: There is an unlimited number of licenses you can assign in Azure AD.
False
The number of licenses you can assign in Azure AD is limited by the number of licenses you have purchased for your tenant.
Question 4: How often do you need to check the license assignments to ensure compliance in Azure AD?
- A) Once a year
- B) Monthly
- C) Weekly
- D) Every time a user’s role changes
D) Every time a user’s role changes
You should check license assignments every time a user’s role changes to ensure they have the licenses they need and are in compliance.
Question 5: Which PowerShell cmdlet can be used to assign licenses to users in Azure AD?
- A) Add-AzureADUserLicense
- B) Set-AzureADUserLicense
- C) New-AzureADUserLicense
- D) Grant-AzureADUserLicense
B) Set-AzureADUserLicense
The Set-AzureADUserLicense cmdlet is used to assign licenses to users in Azure AD.
Question 6: True or False: You can mix licenses from different plans when assigning them to a single user in Azure AD.
True
You can assign multiple licenses from different plans to a single user as needed, provided your organization has the required licenses available.
Question 7: Which of the following is NOT a correct option to remove licenses from users in Azure AD?
- A) Using Azure portal
- B) Using PowerShell
- C) Using Azure CLI
- D) Deleting the user account
D) Deleting the user account
While deleting a user account will remove their licenses, it is not a correct option specifically for removing licenses. The correct methods are through the Azure portal, PowerShell, or Azure CLI.
Question 8: True or False: Azure AD Free edition supports group-based licensing.
False
Azure AD group-based licensing is a feature that requires Azure AD P1 or P2, which are premium editions. Azure AD Free edition does not support this feature.
Question 9: Multiple Select: Which of the following services require an Azure AD license?
- A) Microsoft Exchange Online
- B) Microsoft Azure Virtual Machines
- C) Azure Active Directory Premium features
- D) Office 365 applications
A) Microsoft Exchange Online, C) Azure Active Directory Premium features, D) Office 365 applications
Microsoft Exchange Online, Azure Active Directory Premium features, and Office 365 applications require an Azure AD license. Azure Virtual Machines don’t specifically require an Azure AD license for their core functionality.
Question 10: True or False: You can only assign licenses to individual users and not to groups in Azure AD.
False
You can assign licenses to both individual users and groups in Azure AD using group-based licensing.
Question 11: Which Azure service helps you manage and report on Azure AD license usage and trends?
- A) Azure Cost Management
- B) Azure Monitor
- C) Azure AD License Usage
- D) Azure Advisor
A) Azure Cost Management
Azure Cost Management provides tools for managing and reporting on Azure AD license usage and spending trends.
Question 12: True or False: When a user leaves the company, their assigned Azure AD licenses are automatically freed up and made available for other users.
True
When a user is removed or their account is deleted from Azure AD, the licenses that were assigned to them become available for reassignment to other users.
Interview Questions
What are licenses in Azure Active Directory, and what is their purpose?
Licenses in Azure Active Directory (Azure AD) are used to determine what features and services are available to users. The purpose of licenses is to provide granular control over what users can access.
How can you manage licenses in Azure AD using the Azure Portal?
You can manage licenses in Azure AD using the Azure Portal by navigating to the “Azure Active Directory” section, selecting “Licenses”, and then assigning licenses to users or groups.
How can you manage licenses in Azure AD using PowerShell?
You can manage licenses in Azure AD using PowerShell by installing the Microsoft 365 PowerShell module, connecting to your Azure AD tenant, and then using cmdlets such as Get-MsolAccountSku, New-MsolUserLicense, and Remove-MsolUserLicense.
How can you view what licenses are assigned to a user in Azure AD using PowerShell?
You can view what licenses are assigned to a user in Azure AD using PowerShell by using the Get-MsolUser cmdlet with the -UserPrincipalName parameter and then checking the AssignedLicenses property of the returned object.
Can you assign licenses to a group in Azure AD using the Azure Portal?
Yes, you can assign licenses to a group in Azure AD using the Azure Portal by selecting the group in the “Assignments” section of the license you want to assign.
How can you remove a license from a user in Azure AD using PowerShell?
You can remove a license from a user in Azure AD using PowerShell by using the Remove-MsolUserLicense cmdlet with the -UserPrincipalName and -LicenseAssignment parameters.
What is the difference between a license and a subscription in Azure AD?
A license in Azure AD determines what features and services are available to a user, while a subscription is used to access Azure services such as Azure Virtual Machines or Azure Storage.
Can you manage licenses for Microsoft 365 using PowerShell?
Yes, you can manage licenses for Microsoft 365 using PowerShell by using the cmdlets provided in the Microsoft 365 PowerShell module.
How can you view the available licenses in Azure AD using PowerShell?
You can view the available licenses in Azure AD using PowerShell by using the Get-MsolAccountSku cmdlet.
Can you assign multiple licenses to a user in Azure AD?
Yes, you can assign multiple licenses to a user in Azure AD to provide access to a variety of features and services.
How can you turn features and services on or off for a user’s license in Azure AD using the Azure Portal?
To turn features and services on or off for a user’s license in Azure AD using the Azure Portal, you can select the license in the “Licenses” section and then use the “Features” tab to control what is enabled or disabled.
How can you view what licenses are available in a subscription using PowerShell?
You can view what licenses are available in a subscription using PowerShell by using the Get-MsolAccountSku cmdlet with the -ServicePlans switch.
Can you remove a license from a user using the Azure Portal?
Yes, you can remove a license from a user using the Azure Portal by selecting the user in the “Assignments” section of the license you want to remove.
How can you view the users that are assigned a particular license in Azure AD using PowerShell?
You can view the users that are assigned a particular license in Azure AD using PowerShell by using the Get-MsolUser cmdlet with the -All and -LicenseReconciliationNeeded parameters.
Great blog post! It helped me understand how to manage licenses in Azure AD.
What is the easiest way to assign licenses to multiple users at once?
Experimenting with group-based licensing has been a game-changer for our organization.
I experienced some issues with PowerShell scripts. Should I check Azure AD permissions?
Our IT department switched to dynamic groups for license management, and it’s working great!
Is there a way to automate the removal of licenses when a user leaves the organization?
Thanks a lot!
I’m finding difficult to understand the rules for dynamic groups, any advice?