The growth of SaaS apps brings another waterfall of tasks and risks for IT and compliance departments – the hell of managing those online licenses. Who gets what kind of license? When does it get revoked? How can we optimize its usage? Who should physically assign them? There must be something to it if 8 out of 10 links on the first page of a Google query for "Office 365 licenses management" lead to automation tools.
This is actually one exact answer to the above questions – AUTOMATION. You don’t want to do it on your own or even delegate it to your team members or helpdesk personnel. They have better things to do in life, right?
I thought about it today while helping one of our customers in pharmaceuticals to configure license assignment for their newly purchased Enterprise Mobility Suite licenses. We got the request to enable them for all active users now and in the future.
And, of course, to revoke them when they are not needed (why pay for something which is no longer in use?)
It took me 10 minutes to accomplish this task. What’s more – it will be working for each and every new person as well. AUTOMATION.
There are at least three ways to easily handle this task without anyone being involved daily.
Let’s have a quick overview of all of them with their advantages and bumps.
This is where everyone starts when it comes to license automation. It is easy.
Start with the documentation from the Internet. There are plenty of examples of how to do this. Customize it to your needs. Done! Life is easy now.
Few things to consider here:
Aaaand it’s done. You wrote it. You put it to work. Nothing left.
Well, in the end, life is a bit more complicated. Usually, there is a need for some business rules in there. And these are changing.
Moreover, someone will need a way to check why this license was assigned. With PowerShell, there is no easy way to look into it for helpdesk people.
And actually – is scripting all that IT can come up with? (It is in many cases a “good enough” solution).
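A scripted rule can also record why it made each decision, which addresses the helpdesk visibility gap noted above. The following is an added example, not code from the original post: it computes a dry-run assign/revoke plan for the "all active users get EMS" request from a constructed user list. The function name `Get-LicensePlan`, the `EMS` SKU label and the sample accounts are assumptions, and applying the plan is left to whichever licensing cmdlets your tenant uses.

```powershell
# Constructed sample data; in production these rows would come from a directory export.
$sampleUsers = @(
    [pscustomobject]@{ Upn = 'anna@contoso.example';  Enabled = $true;  Licenses = @() }
    [pscustomobject]@{ Upn = 'bob@contoso.example';   Enabled = $true;  Licenses = @('EMS') }
    [pscustomobject]@{ Upn = 'carol@contoso.example'; Enabled = $false; Licenses = @('EMS') }
    [pscustomobject]@{ Upn = 'dave@contoso.example';  Enabled = $false; Licenses = @() }
)

# Hypothetical helper: compares desired state (the rule) with actual state and
# emits one row per user, including the reason, without changing anything.
function Get-LicensePlan {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string]   $Sku
    )
    foreach ($u in $Users) {
        $has    = @($u.Licenses) -contains $Sku
        $should = [bool]$u.Enabled   # business rule: every active user gets the SKU

        if ($should -and -not $has) {
            $action = 'Assign'; $reason = 'Account is active but has no license'
        } elseif (-not $should -and $has) {
            $action = 'Revoke'; $reason = 'Account is disabled but still holds a license'
        } else {
            $action = 'None';   $reason = 'Already compliant with the rule'
        }

        [pscustomobject]@{
            Upn = $u.Upn; Sku = $Sku; Action = $action; Reason = $reason
            EvaluatedAt = (Get-Date).ToString('s')
        }
    }
}

$plan = Get-LicensePlan -Users $sampleUsers -Sku 'EMS'

# Show only the pending changes: anna (Assign) and carol (Revoke).
$plan | Where-Object { $_.Action -ne 'None' } | Format-Table Upn, Action, Reason -AutoSize

# Keep the full plan as an audit trail the helpdesk can search later.
$auditPath = Join-Path ([System.IO.Path]::GetTempPath()) 'license-plan.csv'
$plan | Export-Csv -Path $auditPath -NoTypeInformation
```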
PowerShell is a pretty good solution, but it requires maintenance and space. Can we make it better? Azure AD comes to help.
Azure AD has a built-in license management feature which is in preview at the time of writing. It allows you to assign various types of licenses to users – among others, licenses for Office 365 or EMS.
In your Azure AD tenant (using the old portal), go to the Licenses tab, and you will see the licenses existing in your directory.
Click on it, and you will be able to assign a license to a particular user or a group.
Hey! Wait! Am I saying you will have to “ASSIGN”? Manually? Really?
You can do that, but the deal is to get rid of it. And to do this we can combine this capability with another Azure AD Premium;
This way you will have a dynamic way of assigning people to various licenses – like we have at Predica (inherited = group based).
This can be combined with other capabilities like self-service groups to create a license management vehicle in Azure AD.
The group can also be managed on-premises and synchronized to Azure AD where membership will grant the right license to people. When you remove a person from the group – the license is gone.
Changes to this mechanism are coming to bring license management to the new portal and provide more granular options to assign license plans in the UI.
We have gone through the PowerShell (scripted, custom) and Azure AD (feature, product-based) ways to manage licenses. There is always the third way – let’s explore this now. License management is often a task assigned to IAM teams maintaining employee identities.
Those teams usually have some tools to use. And this very tool I’m talking about easily automates your tasks.
Hey – maybe it can also automate license management.
This is a common request which we fulfill for customers using Microsoft Identity Manager (MIM). It is not exclusive to MIM – if you have another identity management tool you can also do this – you will easily find an implementation for ForgeRock (where we can also help you BTW).
With an on-premises identity management tool you can take two strategies for Office 365 licenses management;
The first approach is simple – it connects both solutions I have mentioned earlier. You manage group membership on-premises (every IAM tool will let you do this) and then use AAD Connect to synchronize group membership to Azure.
If you need more flexibility and granularity in license management, you can take advantage of MIM as an identity management tool and connect it directly to Azure AD for license management.
This requires a connector – a management agent. There is one built into the product, but luckily, we have a community for that. Soren Granfeldt has created a flexible PowerShell connector for MIM which is up to the task.
When you have the connection from MIM to O365, you can easily create a process of assigning licenses in MIM either manually or through automated business rules.
MIM allows you to create rules allocating licenses based on employee type, location, and other user attributes. It can then carry this information over to Azure AD either through groups or directly through license assignment.
MIM provides an end-user portal with which you can assign licenses directly. In many cases, there are standard licenses assigned to users and some additional products to be assigned on demand. In this case, MIM allows you to provide this option either to a user as self-service or delegated to a manager or the helpdesk.
If you have an existing MIM setup and you want to include this option for your users, just contact us. We might have something ready for you.
Two points to mention here:
If you have Azure AD Premium you are licensed for MIM anyway – in that case, it is worth exploring to manage licenses this way.
Well, time to answer a question from the title of this post…
As simple as that. Our customer had license management with MIM deployed. I had to create a licensing option and assign it to people. It takes around 10 minutes to do this in this setup.
Here it is. We’ve explored three ways of managing license assignment for SaaS applications like Office 365:
I hope this will help you select the right tool for your license management strategy. If you need help – jump on an online 1-on-1 with me here.
If you want to see how to do this in a large organization with practical examples – here it is (How Microsoft is automating license management in its environment). With more than 100k users it is quite a challenge. Enjoy and see you next time!