
Azure AD Group licensing is GA

In small environments of up to 25 users, assigning licenses by hand in a Microsoft 365 environment may still be feasible, but beyond that you should look for ways to automate licensing. This should also work in a hybrid context so that we IT admins have less work to do. Let's take a closer look:

Azure AD group-based license now GA

Many of us already use this feature, but it was always in preview and became GA only yesterday. According to the announcement it is therefore now stable and ready for use. But what does that actually mean?

The principle is easy to explain:
We synchronize security groups to Azure AD with Azure AD Connect. We then assign licenses to these groups. This means that every user in the group receives a license. The license pool is controlled by the group, and you can specify exactly which licenses should be assigned to the users in the group, even individual ones out of a package.


The time saved, if you don't already use automated PowerShell scripts, is considerable. In the future you can also combine this with "dynamic groups", so that users are automatically added to and removed from the group. Demos were shown at this year's Ignite.

What's new with GA

  • Developer APIs in Microsoft Graph, which allow you to programmatically read group-based license assignments for groups and programmatically determine the status and errors of assignments.
  • Ability to re-edit and modify group-based license assignments for a single user.
  • Simplified licensing requirements for group-based licenses. Group-based licensing users require Azure Active Directory (Azure AD) Basic (and above) or Office 365 E3/A3 (and above).

Licensing News

The news that surprised and pleased me a bit is that you can now use the feature with Azure AD Basic (Office365) as well. Previously you needed an Azure AD Premium P1 license to use it …
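The Graph API item in the list above, as an added example that is not from the original post: it audits the `licenseAssignmentStates` property of user objects to separate group-inherited from direct assignments and to surface assignment errors. The property and field names follow the Microsoft Graph user resource and are an assumption about the API the post means; all IDs and users are constructed.

```python
# Constructed placeholder IDs (not real tenant, SKU or group identifiers).
SKU_A = "00000000-0000-0000-0000-00000000000a"
SKU_B = "00000000-0000-0000-0000-00000000000b"
GROUP_1 = "11111111-1111-1111-1111-111111111111"

def state(sku, group=None, st="Active", error="None"):
    """Build one constructed licenseAssignmentState entry."""
    return {"skuId": sku, "assignedByGroup": group, "state": st, "error": error}

# Constructed sample shaped like the "value" array of
# GET /users?$select=userPrincipalName,licenseAssignmentStates
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.test",
     "licenseAssignmentStates": [state(SKU_A, GROUP_1)]},
    {"userPrincipalName": "bob@example.test",
     "licenseAssignmentStates": [state(SKU_A, GROUP_1, "Error", "CountViolation")]},
    {"userPrincipalName": "carol@example.test",
     "licenseAssignmentStates": [state(SKU_A, GROUP_1), state(SKU_A), state(SKU_B)]},
]

def audit_license_states(users):
    """Per user: direct SKUs, direct SKUs also granted by a group, and errors."""
    report = {}
    for user in users:
        direct, via_group, errors = set(), set(), []
        for entry in user.get("licenseAssignmentStates") or []:
            sku, group = entry["skuId"], entry.get("assignedByGroup")
            # assignedByGroup is empty for a license assigned directly to the user
            (via_group if group else direct).add(sku)
            failed = entry.get("state") in ("Error", "ActiveWithError")
            if failed or entry.get("error") not in (None, "None"):
                errors.append((sku, group, entry.get("error")))
        report[user["userPrincipalName"]] = {
            "direct": sorted(direct),
            "redundant_direct": sorted(direct & via_group),
            "errors": errors,
        }
    return report

if __name__ == "__main__":
    for upn, findings in audit_license_states(SAMPLE_USERS).items():
        print(upn, findings)
```

Direct assignments that duplicate a group grant are the ones to clean up once groups control the license pool, since they keep a user licensed after removal from the group.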





Wish for the future – Azure AD Group Nesting

A definite wish for the future is the introduction of nesting for Azure AD groups, so that you can build dependencies similar to those in a local AD. This would make it a lot easier to move users into a group that carries a specific permission and license assignment.