5a175 azure ad connect cloud sync e1715103648352

Microsoft 365 Group Based Licensing

author

In the modern business world, automating and scaling license management is essential. Especially for large organizations, Entra ID(Azure AD) simplifies this process with the group-based licensing feature. In this article, we will explain the group-based licensing feature with Azure AD. Microsoft 365 We'll cover how you can automatically assign licenses and how you can use this feature on a departmental basis.

Benefits of Microsoft 365 Group-Based Licensing

Group-based licensing makes your organization more efficient and compliant:

  • Central management: Ability to manage license assignments centrally.
  • Automatic Assignments: Events such as adding a new employee to the system or changing an employee's role trigger automatic license assignments.
  • Dynamic Adaptation: Ability to automatically assign licenses based on department or role changes.

Microsoft 365 Group Based Licensing Features

  • Licenses can be assigned to any security group in Microsoft Entra ID. Security groups can be synchronized on-premises using Microsoft Entra Connect. You can create security groups directly in Microsoft Entra ID (also called cloud-based groups) or automatically through the Microsoft Entra dynamic group feature.
  • When assigning a product license to a group, an administrator can disable one or more service plans included in the product. This assignment is typically made when an organization is not yet ready to start using a service included in a product. For example, an administrator can assign Microsoft 365 to a division, but temporarily disable the Yammer service.
  • All Microsoft Cloud services that require user-level licensing are supported. This includes all Microsoft 365 products, Enterprise Mobility + Security, and Dynamics 365.
  • Group-based licensing is currently available through the Azure portal and the Microsoft Admin center.
  • Microsoft Entra ID automatically manages license changes resulting from group membership changes. Typically, license changes take effect within minutes of the membership change.
  • A user can be a member of multiple groups with specified license policies. A user can also have some licenses directly assigned to them, independent of any group. The resulting user status is a combination of all assigned product and service licenses. If a user is assigned the same license from multiple sources, the license is consumed only once.

In some cases, licenses cannot be assigned to a user. For example, the tenant may not have enough licenses available or conflicting services may be assigned at the same time. Administrators have access to information about users for whom Microsoft Entra ID cannot fully process group licenses. They can then take corrective action based on this information.

Example: Department Based License Assignment

In a company, employees in the accounting department are asked to be assigned a Microsoft 365 E3 license, while employees in the IT department are asked to be assigned an E5 license. Organizations generally have licenses by department or by user, which is very important for the organization's current budget.

  1. Creating a Group:
    • Create an Azure AD security group for accounting: “Accounting_Department”
    • Create another group for IT: “IT_Department”
  2. Creating a License Assignment Policy:
    • Define an E3 license assignment policy for the “Accounting_Department” group.
    • Define an E5 license assignment policy for the “IT_Department” group.
  3. Setting Dynamic Membership Rules:
    • For example, you can define a rule that automatically adds users whose 'department' property is 'Accounting' to the "Accounting_Department" group.
    • Similarly, define a rule that enables automatic addition to the “IT_Department” group for users whose 'department' property is 'IT'.
  4. Result:
    • When a new employee is added to the accounting department, that person automatically gets an E3 license.
    • When a new employee is added to the IT department, that person automatically gets an E5 license.

Prerequisites for Assigning Microsoft 365 Group-Based Licenses

For each user using group-based licensing, you must have one of the following licenses:

Microsoft Access ID P1 Paid or trial subscription for and above

Paid or trial version for Microsoft 365 Business Premium or Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 GCCH or Office 365 E3 DOD and above

Microsoft 365 Group Based License Configuration Steps

Bu islemi Entra ID As we can do through, On-Prem AD via your server ENTRA ID We can also do this using Connect.

We carry out our operations On-Prem AD and we will do it through Entra ID ConnectWe will perform the Sync operation using t. While performing this operation, we will assign an E5 license since we only have Microsoft E5 Packages on the Tenant. First of all, I create another Groups OU under the Mersin OU on my On-Prem AD server and name it Microsoft_E5Full.

image

If you are using a special OU or Group for Sync on Entra ID Connect, you need to include the new Group or OU we created. Since there is no special filtering in my environment, we do not perform these operations and I start the Delta Sync process with Powershell.

Start-ADSyncSyncCycle -PolicyType Delta
1 picture

After logging in to Entra ID, we check the group we are performing the sync operation with.

2 picture

We have created On-Prem AD “M365_E5Full” We can view the group on Entra ID. Entra ID – Groups – All Groups It will be enough to follow the steps.

3 picture

Now we need to assign a license for the Group. Before starting this process, let's check our Licenses on Entra ID;

Entra ID – Billing – Licenses – All Products We just need to follow the steps.

4 picture

We can assign licenses from the Groups tab, as well as from the License in the All Product. After selecting License, we continue with the "Licensed Groups" option in the left pane.

5 picture

We mark the “M365_E5Full” group that we have synced with the Assign button.

6 picture

After marking the group, we continue with the next step, “Assignment options”. In this section, we need to mark which services will be used in the E5 license. Since our group is E5Full, we will actively proceed with all the services in the E5 package.

7 picture

After reviewing the configurations with the Review + assign button, we complete the process.

When we go back to the Licensed Group section, you can see that the configuration is in Pending status, the activation process takes 5 minutes.

8 picture

Since it is not a Dynamic Group, we need to determine the group members ourselves. By creating a rule, you can automatically make users with matching attributes members of certain groups.

We need to add group members via On-Premises AD, you can use ADUC for this process. I add my users as members of the M365_E5Full group in the Mersin OU.

9 picture

After adding group members, I perform the Delta Sync process again with Entra ID Connect.

10 picture

We have completed the License Group creation and group member addition processes. When we open the License group in Licensed Groups on Entra ID, the group members should be displayed.

11 picture

We can check the process by viewing the license status of our users within the users on the Entra ID portal. We can perform the check process by following the steps Entra ID – Users – All Users.

12 picture

When we check, we can see that our group member users are active and Licensed. Again, you can reduce the licenses of users in this way, the license of each user you remove from the group will be reduced.

In this article, we used Entra ID to assign our Microsoft 365 licenses to users on a group basis. I hope this was a useful article.

Similar Articles – Microsoft 365 Group Based Licensing

Comment

© 2025 Cengiz YILMAZ
TermsContact