Assign EMS licenses based on Local Active Directory Group Membership
As all roads lead to Rome, there are many ways to assign Enterprise Mobility Suite (EMS) licenses to end users. It can be a manual process or automated with PowerShell. Both options have one thing in common: you must be a global administrator of your Azure Active Directory tenant to assign these licenses.
- How to assign EMS/Azure AD Premium licenses to user accounts
- How to use PowerShell to assign EMS/Azure AD Premium licenses
- Simplified License Assignment with Azure AD and EMS
- How to assign EMS licenses using the Azure Portal
The majority of the available public resources and publications describe the (manual) process based on per-user or per-group assignment through the Azure Management Portal. The downside of assigning EMS licenses through the Azure Management Portal or with PowerShell is that you must be a member of the global administrator role. That is a right you want to keep restricted to a small number of accounts, and those accounts are usually not the people responsible for day-to-day tasks such as assigning licenses.
When you use a cloud-only Azure AD (Premium) directory, this is currently the only way to assign EMS licenses. Most organizations, however, run a hybrid identity scenario, which means local Active Directory objects (users and groups) are synced to Azure Active Directory using DirSync, Azure AD Sync Services or Azure AD Connect.
This allows us to drive EMS license assignment from local AD group membership. A global administrator assigns the license to the synced group once; after that, adding or removing a user from the local group is all it takes, and no one needs the global administrator role for that. In this post I'll show you how.
The first step is to create a security group in your local Active Directory.
After creating the security group, populate it with the users (and groups) that require an EMS license.
As we're in a hybrid identity scenario, the AD user and group objects are synced from our local Active Directory to Azure Active Directory.
After a successful sync the local AD security group is available in Azure AD. The Sourced From column shows the group type and whether it is a synced local Active Directory group or a native Microsoft Azure Active Directory group.
The synchronization also populates the group memberships, including nested groups, so that they match the local Active Directory group memberships.
Also worth mentioning is the Dynamic Group Membership feature, which is currently in preview in Azure AD. With dynamic group membership enabled, users who satisfy the rule configured for a particular group automatically get access to the resources provided by that group. This frees the administrator from having to manage group memberships manually.
Now that the foundation is in place, we assign the EMS licenses to the corresponding group(s) in Azure AD.
We're assigning EMS licenses to the Licenses – EMS group.
All users and groups within this group will automatically be assigned an EMS license.
Note! Licenses can only be assigned to security groups (local Active Directory and Windows Azure Active Directory), not to distribution groups (Office 365).
Under Licenses we can verify to which user(s) or group(s) the EMS licenses are assigned.
Take into account that it can take a few moments before licenses inherited through group membership are assigned and displayed in the Azure Administrator Portal.
If we drill down and show licenses by Assigned Users, we see users getting EMS licenses assigned based on their group membership(s). The Method column indicates how each license was assigned: three users inherit (Inherited) their EMS license through membership of Licenses – EMS, and one user has been assigned an EMS license directly (Direct).
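The on-premises side of the procedure above, as an added example (not code from the original post): it creates the security group, adds users and a nested group, previews the flattened member set that will inherit the license after the next sync, and, once a global administrator has assigned EMS to the synced group in the portal, lists who ended up licensed. The group name, OU path, account names and the `<tenant>:EMS` SKU naming are assumptions; the `GroupsAssigningLicense` property comes from the newer MSOnline group-based licensing support and may be empty in the classic-portal flow described here, so the script only reports it rather than relying on it.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory (RSAT)
# module for the on-premises part and the MSOnline module for the verification part.
Import-Module ActiveDirectory

$GroupName = 'Licenses - EMS'                  # assumed group name (matches the post's screenshots)
$OU        = 'OU=Groups,DC=contoso,DC=local'   # assumed OU, must be in scope of your sync filter
$Members   = 'jdoe', 'asmith'                  # assumed sAMAccountNames
$NestedGrp = 'Sales Users'                     # assumed existing security group to nest

# Only a *security* group can carry a license; a distribution group is ignored.
# Universal scope keeps the group usable across domains in a forest.
$grp = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $grp) {
    $grp = New-ADGroup -Name $GroupName -SamAccountName 'Licenses-EMS' `
        -GroupCategory Security -GroupScope Universal -Path $OU `
        -Description 'Members (incl. nested groups) receive an EMS license via Azure AD' `
        -PassThru
}
if ($grp.GroupCategory -ne 'Security') {
    throw "$GroupName is a $($grp.GroupCategory) group; license assignment needs a security group."
}

# Membership of this group is now the delegated control surface for licensing:
# whoever can write its member attribute can hand out (or revoke) EMS licenses,
# so keep that ACL as tight as you would keep the global administrator role.
Add-ADGroupMember -Identity $grp -Members $Members
Add-ADGroupMember -Identity $grp -Members (Get-ADGroup -Identity $NestedGrp)

# Preview the effective members. -Recursive flattens nested groups, which is
# exactly the inheritance the post relies on; disabled accounts still count
# as members, so check Enabled before assuming a license is in use.
Write-Host "Users that will inherit the EMS license after the next sync:"
Get-ADGroupMember -Identity $grp -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties UserPrincipalName, Enabled |
    Select-Object SamAccountName, UserPrincipalName, Enabled |
    Format-Table -AutoSize

# --- Verification after DirSync / Azure AD Sync / Azure AD Connect has run and a
# --- global administrator has assigned EMS to the synced group once in the portal.
Import-Module MSOnline
Connect-MsolService   # prompts for credentials; any account that can read the directory

# Assumption: the EMS SKU is published as <tenant>:EMS.
$sku = (Get-MsolAccountSku | Where-Object AccountSkuId -like '*:EMS').AccountSkuId
if (-not $sku) { throw 'No EMS SKU found in this tenant.' }

Write-Host "Users currently holding $sku (LastDirSyncTime empty = cloud-only account):"
Get-MsolUser -All |
    Where-Object { $_.Licenses.AccountSkuId -contains $sku } |
    Select-Object UserPrincipalName, LastDirSyncTime,
        @{ Name = 'GroupsAssigningLicense'
           Expression = {
               # Populated only where group-based licensing exposes it (assumption).
               ($_.Licenses | Where-Object AccountSkuId -eq $sku).GroupsAssigningLicense -join ',' } } |
    Format-Table -AutoSize
```

Run the first half as the delegated AD group administrator (no Azure role required) and the second half from any account that can connect to the tenant. Removing a user from the local group and waiting for the next sync cycle should make that user drop out of the second listing; if it does not, the sync or the portal-side inheritance is what to investigate.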
The result is that users are granted EMS licenses and can fully use what Azure AD Premium, Intune, Azure RMS and MFA have to offer.
In summary, by relying on local Active Directory group management you can delegate and (partially) automate the assignment of EMS licenses without needing global administrator rights in your Azure AD tenant for the day-to-day work. The downside of having to be a global admin to assign EMS licenses therefore largely disappears.
Of course you still need to manage and delegate your local AD group management, but for many organizations that is a familiar exercise and it can be configured more granularly. Keep in mind that whoever can change the membership of this group can effectively assign or revoke licenses, so protect it accordingly. Moreover, there is good news on the way: Microsoft will consolidate most admin portals in the new Azure Portal, including improvements to delegated administration, and the expectation is that license management will be delegated and performed there without requiring global administrator rights.
Thanks for the info. I only have 1 problem with this method. When I give users a license using a group in my AD, the users won't disappear from Intune when I remove the license (so when I remove them from the AD group). Synchronisation happens every 3 hours, but even after a day the user was still visible in Intune without a license assigned.
I issued a license manually to that user and removed it again, but that didn't work either.
If I issue a license manually to a new user and remove it a few minutes after it's visible in Intune, it disappears without any problems.
Did you encounter this problem?
Your post explicitly says members of nested groups get licenses assigned “All users and group within this group will automatically assigned an EMS license.” Alex Simons claims this is not the case here: https://blogs.technet.microsoft.com/enterprisemobility/2014/09/18/simplified-license-assignment-with-azure-ad-and-ems/. Could you clarify whether Alex’s assertion was addressed in a subsequent release or if your post is incorrect?
I appreciate you reading my blog; you're bringing up an interesting question. With "Group-based licensing supports direct group assignment only. Members of nested groups will not inherit the licenses.", Alex's assertion applies to Azure AD groups. Group nesting does work for on-premises AD security groups, as you can see in my blog post.