Since Ignite 2017 last September, we have gained more insight into the new features coming to Azure Active Directory. Some (most) of them require an Azure AD Premium P1 license, commonly bought in the EMS P1 license pack (Enterprise Mobility + Security). It is my and other colleagues' experience that Microsoft is currently not technically enforcing this, but you should know about it and plan for it if you want to keep using these features.
Limiting the creation of Office 365 groups
Within Office 365, Office 365 Groups have been THE talk of the town since they were introduced about two years ago. They are also the base object behind Teams, so deciding who may create new ones is an often requested configuration in new tenants.
The technical procedure is to first create a security group and limit Office 365 group creation to its members, then disable the general 'everyone can create groups' setting for the tenant. The procedure is well documented in this technical article.
What is less well known (and not mentioned in that article) is that this requires an AAD P1 license for every member of that security group. For your (and my own) reference, it is documented here.
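The two steps above in PowerShell, as an added example that is not from the original post or the linked article. It uses the AzureADPreview module's directory-setting cmdlets, assumes the security group name `O365-Group-Creators` as a placeholder, and also handles the case where a `Group.Unified` setting already exists in the tenant (the `New-` cmdlet refuses to create a second one, so it is updated instead).

```powershell
# Added example (not from the original post). Requires the AzureADPreview module.
# Assumed placeholder: a security group named "O365-Group-Creators" already exists.
Connect-AzureAD

$CreatorsGroupName = "O365-Group-Creators"   # assumption: your own security group name
$CreatorsGroup = Get-AzureADGroup -SearchString $CreatorsGroupName |
    Where-Object { $_.DisplayName -eq $CreatorsGroupName }
if (-not $CreatorsGroup) { throw "Security group '$CreatorsGroupName' not found." }

# Tenant-wide Office 365 group settings live in a directory setting instantiated
# from the 'Group.Unified' template. Reuse it if it exists, otherwise create it.
$Template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq "Group.Unified" }
$Setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq "Group.Unified" }
$IsNew = $false
if (-not $Setting) {
    $Setting = $Template.CreateDirectorySetting()
    $IsNew = $true
}

# Step 1: only members of the security group may create Office 365 groups.
$Setting["GroupCreationAllowedGroupId"] = $CreatorsGroup.ObjectId
# Step 2: switch off 'everyone can create groups' for the whole tenant.
$Setting["EnableGroupCreation"] = "False"

if ($IsNew) {
    New-AzureADDirectorySetting -DirectorySetting $Setting | Out-Null
} else {
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
}

# Read the setting back and verify that both values took effect.
$Applied = (Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq "Group.Unified" }).Values
$Applied | Where-Object {
    $_.Name -in @("EnableGroupCreation", "GroupCreationAllowedGroupId") }
```

The read-back at the end is the check worth keeping: the portal and the cmdlets both accept the values silently, so confirming `EnableGroupCreation` is `False` and the allowed group id is the one you intended is the only way to be sure nobody outside the group can still create groups.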
Expiration policy for Office 365 groups
In IT we like to plan and create things and let them grow and flourish, but planning the end of life of our creations is something we seldom do. Good lifecycle management should include that too. In Office 365, Office 365 Groups can be created and used a lot, and with the new buzzword GDPR (General Data Protection Regulation), keeping data forever is no longer an option.
Enter the expiration policy! It became generally available on March 14th, and once you set a group to expire, its owners are notified to renew it as the expiration nears. If the owner does not renew the group, it is deleted. Any deleted Office 365 group can be restored within 30 days by the group owners or an administrator. Read about it here.
Again, users who are members of an O365 group with expiration enabled will need a P1 license…
Dynamic groups
Something most Exchange administrators already know and use: groups that don't have 'fixed', configured members, but instead a query definition that decides which users are (automatically) members, for example 'department equals Education'.
Creating this type of group is simple in aad.portal.azure.com, but remember that every member needs a P1 license. So a query that matches all users puts every user in need of a P1…
AAD administrative units
This is easy to explain if you know what OUs (Organizational Units) do in AD: they let you organize your users (and groups and devices) so you can manage them, and management can then be 'scoped', so that a Belgian IT admin can only manage the users in the 'Belgium' OU. This is what AUs do in AAD. Creating AUs, moving users into them and scoping admin tasks currently all has to be done with PowerShell. Recently the Office 365 portal started taking AUs into account for user management, so it is getting interesting. Unfortunately, license management and the other admin portals currently don't. It is still in preview…
You need a P1 license for every user you put in an AAD AU… More information can be found here.
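Since the same P1 caveat applies to the group-creator security group, to every member of an expiring or dynamic group, and to every user in an administrative unit, here is one audit for all of them, as an added example that is not from the original post. It uses the AzureADPreview module, relies on the fact that Azure AD Premium P1 appears as the `AAD_PREMIUM` service plan in a user's license details, and assumes the group and AU names (`O365-Group-Creators`, `Dyn-Education`, `Belgium`) as placeholders; the dynamic group and its membership rule are created here only to show the rule syntax.

```powershell
# Added example (not from the original post). Requires the AzureADPreview module
# and a connected session (Connect-AzureAD). Group/AU names below are assumptions.

# Azure AD Premium P1 shows up as the service plan 'AAD_PREMIUM' in license details.
$P1ServicePlan = "AAD_PREMIUM"

function Test-AadP1 {
    param([Parameter(Mandatory)][string]$UserObjectId)
    # True when any license assigned to the user carries a non-disabled AAD_PREMIUM plan.
    $Plans = Get-AzureADUserLicenseDetail -ObjectId $UserObjectId |
        ForEach-Object { $_.ServicePlans }
    return [bool]($Plans | Where-Object {
        $_.ServicePlanName -eq $P1ServicePlan -and $_.ProvisioningStatus -ne "Disabled" })
}

function Get-MembersMissingP1 {
    # Takes member objects from a group or AU and emits the UPN of each user lacking P1.
    param([Parameter(ValueFromPipeline)]$Member)
    process {
        if ($Member.ObjectType -ne "User") { return }   # skip nested groups, devices, contacts
        if (Test-AadP1 -UserObjectId $Member.ObjectId) { return }
        # AU member objects may not carry the UPN, so resolve it when needed.
        $Upn = $Member.UserPrincipalName
        if (-not $Upn) { $Upn = (Get-AzureADUser -ObjectId $Member.ObjectId).UserPrincipalName }
        $Upn
    }
}

# 1. Members of the security group that is allowed to create Office 365 groups.
$Creators = Get-AzureADGroup -SearchString "O365-Group-Creators" |
    Where-Object { $_.DisplayName -eq "O365-Group-Creators" }        # assumption
Get-AzureADGroupMember -ObjectId $Creators.ObjectId -All $true | Get-MembersMissingP1

# 2. Every member of a dynamic group, here the 'department equals Education' rule.
#    Created as an assumed example; membership is evaluated in the background, so run
#    the audit again once the group has been populated.
$Dyn = New-AzureADMSGroup -DisplayName "Dyn-Education" -MailEnabled $false `
    -SecurityEnabled $true -MailNickname "dyn-education" -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.department -eq "Education")' -MembershipRuleProcessingState "On"
Get-AzureADGroupMember -ObjectId $Dyn.Id -All $true | Get-MembersMissingP1

# 3. Every user placed in an administrative unit.
$AU = Get-AzureADAdministrativeUnit | Where-Object { $_.DisplayName -eq "Belgium" }   # assumption
Get-AzureADAdministrativeUnitMember -ObjectId $AU.ObjectId -All $true | Get-MembersMissingP1
```

Any UPN this prints is a user who is benefiting from a P1-gated feature without the license that covers it; a rule like `(user.accountEnabled -eq true)` in step 2 would illustrate the 'all users' case from the text, where the list becomes the whole tenant.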
Group based licensing
A lot of organizations come to realize what a long list of user-based licenses Microsoft has: this Premium P1, the EMS bundle, and others like Office 365 F1 (FirstLine user, previously known as Kiosk user), Office 365 E1/E3/E5, Microsoft 365 E1/E3/E5 (including Windows 10), add-on licenses like Advanced Threat Protection, … I think you get the picture. Now think of managing all this with users going in and out, moving to other departments with different features and thus different license requirements.
You could script it of course… our usual answer to any challenge. About a year ago Microsoft announced Group Based Licensing, which would solve all this juggling: you add a user to a group, the group defines the licenses that type of user needs, and the background engine does the rest. In-depth info is found here.
Before you jump for joy: the feature is, unfortunately, still in preview. Why?
Because a lot still has to be decided/defined/solved: what if I accidentally remove you (or everyone) from the group? No license? No party! Meaning no longer the right to have a mailbox or a OneDrive. That data all of a sudden becomes 'soft deleted', so you need to fix this error before the hard delete!
What if you are a member of multiple groups giving you the same feature, maybe from different license bundles; will it count double (will I have to pay double)? And what if one group denies the mailbox and the other gives you one?
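The two failure modes just described (a user dropped from the licensing group, and two groups that conflict) are exactly what you want to catch before the soft-delete window closes. As an added example that is not from the original post, this script uses the MSOnline module, which is where group-based licensing errors are exposed, to list conflicting or failed group assignments and internal accounts that currently hold no license at all.

```powershell
# Added example (not from the original post). Requires the MSOnline module and a
# connected session (Connect-MsolService); group-based licensing state lives there.

function Get-GroupLicenseError {
    # Lists every (group, user, SKU) where group-based licensing could not apply a
    # license, for example when two groups assign conflicting plans or seats ran out.
    Get-MsolGroup -All -HasLicenseErrorsOnly $true | ForEach-Object {
        $Group = $_
        Get-MsolGroupMember -GroupObjectId $Group.ObjectId -All |
            Where-Object { $_.GroupMemberType -eq "User" } |
            ForEach-Object {
                $User = Get-MsolUser -ObjectId $_.ObjectId
                # Only report the errors that originate from this particular group.
                $User.IndirectLicenseErrors |
                    Where-Object { $_.ReferencedObjectId -eq $Group.ObjectId } |
                    ForEach-Object {
                        [pscustomobject]@{
                            Group = $Group.DisplayName
                            User  = $User.UserPrincipalName
                            Sku   = $_.AccountSku.SkuPartNumber
                            Error = $_.Error
                        }
                    }
            }
    }
}

function Get-UnlicensedMemberUser {
    # Internal (non-guest) accounts with no license at all: the population whose
    # mailbox and OneDrive go 'soft deleted' when someone is dropped from a
    # licensing group by mistake.
    Get-MsolUser -All -UnlicensedUsersOnly |
        Where-Object { $_.UserType -eq "Member" } |
        Select-Object UserPrincipalName, DisplayName, WhenCreated
}

# Run both on a schedule and alert on any output.
Get-GroupLicenseError    | Format-Table -AutoSize
Get-UnlicensedMemberUser | Format-Table -AutoSize
```

Running this daily turns the 'no license, no party' scenario from a surprise into a ticket: an account that shows up in the second list while it is still within the 30-day soft-delete period can simply be put back in its group and the data comes back.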
… This one is the exception in the list of features I wanted to talk to you about: NO specific license is needed… to be able to apply group-based licenses…