Delegate365-Working with License Assignments
Thursday, June 29, 2017
Delegate365 provides various automation tasks. One of these is the new License Assignment rule to automatically assign Office 365 licenses to users based on their user properties or on their group membership. See how this works in real world with a demo scenario here.
The License Assignment is available since version 6.4. For details, pls. see the description here. This new feature allows to assign Office 365 licenses in a very custom way to users and runs at each Delegate365 synchronization operation, So, whenever a SyncOp runs, Delegate365 checks the sync rules and assigns licenses as specified. So let’s see how this works step-by-step as follows.
Many organizations work with security groups to simplify their user management. In my scenario, I created some security groups within Delegate365 and added some users as members. Security group Finance has Alan and Christa as members.
Security group IT has Dan as member, to keep that sample very simple.
Just to mention: In this demo, I created OU’s with the same name (Finance, IT, …) to keep the management simple. To clarify, there is no correspondence between OU’s in Delegate365 and any security groups. You can organize your tenant and your Delegate365 environment as needed.
License tasks in Delegate365 always add licenses. This means, if a user already has a license set, this will stay untouched and new licenses will be added.
So, here we have a specific set of license set just for user Christa: MDM, Yammer and Exchange in E3 are activated, all other license plans are disabled.
The other two users Eric and Dan do not have any licenses set.
A Portal Admin can define the sync rules in administration / sync / sync rules. Here, the User sync options are disabled, but the User license assignment will be enabled. We create a new rule where Security group contains Finance. This means, all current members of the security group Finance shall get a specific set of licenses. In our sample that’s Office Web Apps, SharePoint and Exchange in SKU E3 and additionally AAD_PREMIUM_P2.
Ok. Now we add another rule for member of the security group IT. The IT personal shall get the Skype and Teams license within the E3 SKU.
Ok. Don’t forget to Save the sync rules at the bottom of the page.
We’re done here. Since you can add many rules with various conditions, many custom scenarios can be defined.
Optional: Don’t forget the UsageLocation
Office 365 requires to have a UsageLocation set for each user who shall get any license. As administrator you need to take care of that fact. It can be the case, that some users have a UsageLocation set and others not. With Delegate365 this can be set in the OU Auto License Assignments if needed, in module administration / organizational units / manage ou’s (see Delegate365 changelog version 6.5-Service health, logging and more “Assign OU Licenses and UsageLocation”).
Select the OU and click Edit licenses. In here, enable Use license auto assignment and select a country to set for UsageLocation as shown here. Usually, it’s a good idea to enable Check existing OU assignments as well to ensure that all users that are already assigned to that OU are checked for UsageLocation. No licenses are selected in here, we just want to set the UsageLocation .
The UsageLocation defined in here will only be set, if a user has NO UsageLocation set. If that user property is already set, this will be ignored (we do have the UsageLocation then already and do not need to re-assign one).
To ensure we will also have a UsageLocation for all members of OU IT, we do the same for that OU.
Remember, this step is optional- If you are sure, all users have a UsageLocation set, you can skip this step.
Run a sync
Now let’s try it. We could wait for the next automatic SyncOp (which usually runs all 4 hours), or to see the result instantly, we run the SyncOp manually. This can be done in administration / sync / sync operations. Click the Sync button.
The progress box below shows the details. Depending on the size of your Office 365 tenant and your settings, this can take some minutes or even hours. In my demo tenant with just about 250 users and few groups, this takes about 3 minutes. The page must not stay open, you can continue to work in other Delegate365 pages.
After the SyncOp has finished, you can check the result in the same page in the Sync history box. Here we see the manual triggered SyncOp.
Check the result
Now let’s see the result in the user licenses. First, we check the licenses of Christa. We should see that she now has additional licenses in E3 (Office Web Apps and SharePoint) and AAD_Premium_P2. The existing licenses for MDM, Yammer and Exchange are set as before. So, the new licenses have been added.
The result for Eric now shows just the new licenses (MDM has been added automatically through AAD Premium by a role, this was not manually defined by us). So, we see the licenses for MDM, Office Web Apps, SharePoint and Exchange. and for AAD_Premium_P2. These licenses have been assigned since Eric is member of the security group Finance.
Let’s check user Dan who is member of IT. He got Teams and Skype as defined (plus MDM as above).
Well perfect, or?
As we have seen, the License Assignment is basically easy to use. But of course, it can happen, that you don’t get the desired result. If licenses are not added after a sync, the following issues can have happened:
- In Delegate365, there is a license quota defined for an OU and the limit is exceeded.
- You are out of Office 365 licenses in your tenant. Licenses could not be assigned since there are no licenses left.
- Licenses could not be set because of license conflicts. For example, you tried to assign the license EOP_ENTERPRISE that cannot be assigned to a user. Delegate365 tries to set the defined licenses, but if Office 365 restricts specific licenses, this license cannot be set and an error is logged (see below).
So, if something goes wrong, we recommend:
- Check the result after a sync with some single users.
- Check the Delegate365 error message that are collected in the notification center in the top menu bar (the message icon). Click Read all messages and see any error that may have occurred, as shown here.
ad 1) If a license quota is exceeded
So, how does it look like if there is a license quota defined? I created another new user: Molly (without any Office 365 license in OU Finance) and added her to the Finance security group.
Then, a license quota is defined for the OU Finance with an enforced maximum of 2 licenses for SKU E3 as shown here.
After Save, we see that 2 license-quota for OU Finance.
Remember, we had already two users, Christa and Eric in that OU, with two E3 licenses. So the License Assignment for Molly should not work. We are set now, and can re-run the SyncOp (as above).
After the SyncOp, let’s check Molly’s licenses. This looks as follows: The E3 licenses have NOT been set. You see the information “Microsoft Office 365 Plans E3 (2 of 2 used)”.
If we check the notifications, we see the reason: “No more licenses available for OU: Finance and Licenses: Microsoft Office 365 Plans E3”. The license could not be assigned because of the license quota of 2.
So, the notifications are important to check.
If we now change the quota to, let’s say, 3 licenses and re-run the SyncOp, Molly will get the E3 license automatically. I did this and checked the result here. Molly got the E3 licenses now.
ad 2) If no more 365 licenses are available in the Office 365 tenant
The same as described above, happens when exceeding the available Office 365 licenses of the tenant. You see the warning in the notification center.
ad 3) If a license cannot be assigned
Some licenses sets are not possible since they are not permitted by Office 365. For example, the message “User Licence(318) email@example.com: License EOP_ENTERPRISE cannot be assigned to a user.” informs that that license could not be assigned. Microsoft is continuously adding licenses and plans and combinations and such messages (as for example, double license plans in different SKU’s) are possible. The notification center informs about such issues.
I hope this sample demonstrates the License Assignment functionality and allows you to automate your Office 365 user and license management. Check automatic license assignments after the SyncOp and see the notification center for any issues. With that toolset, it’s easy to automate license assignments. Benefit from working with Delegate365!