Assign EMS licenses based on Local Active Directory Group Membership


 

 

As all roads lead to Rome there are many ways to assign Enterprise Mobility Suite (EMS) licenses to end-users. This can be a manual process or automated by using PowerShell. Both options have in common that you must be a global administrator of your Azure subscription to assign these licenses.

The majority of the available public resources and publications describes the (manual) process bassed on per user- or group assignment through the Azure Management Portal. Downside of assigning EMS licenses through the Azure Management Portal or by PowerShell is that you must be a member of the global administrator user role. A right you want to keep to a limited number of accounts, further these accounts are often not responsible for such tasks as assigning licenses.

When using a native Azure AD (Premium) this is currently the only way to assign EMS licenses. But for most organizations a hybrid identity scenario applies, which means Local Active Directory objects (users & groups) are synced to Azure Active Directory using DirSync, Azure AD Services or Azure AD Connect.

This allows us to assign EMS licenses based on local AD group membership without being global administrator of your Azure subscription. In this post I’ll show you how.

First step is to create a security group in your local active directory.

image

After creating a security group users (and groups) will be populated which requires EMS licenses.

image

As we’re in a hybrid identity scenario AD users- and groups objects are synced from our local Active Directory to Azure Active Directory.

image

After a succesful sync the local AD security groups are available in Azure AD. On the source from tab you can determine the group type and whether it’s a synced Local Active Directory group or  native Microsoft Azure Active Directory group.

image

Based on the synchronization the group memberships are populated, including group nesting and matches the Local Active Directory group memberships.

image

What further worth mentioning is feature of Dynamic Group Membership which is currently in preview in Azure AD. Dynamic group membership functionality enabled, users who satisfy the configured rule for a particular group, will automatically get access to the resources that are provided by that group. This frees the administrator from having to manually manage group memberships.

image

Now the foundion is in place we’ll assign the EMS licenses to the according group(s) in Azure AD.

image

We’re assigning EMS licenses to Licenses – EMS group.

image

All users and group within this group will automatically assigned an EMS license.

Note! licenses can only be assigned to security group (Local Active Directory & Windows Azure Active Directory) and not to distribution groups (Office 365)

image

Under licenses we can verify to which user(s) or group(s) EMS licenses is assigned to.

image

Take into account it can take a few moments until your licenses getting assigned/displayed, based on group membership inheritance in the Azure Administrator Portal.

image

If we go in to detail and show licenses based on Assigned Users we’ll see users getting EMS licenses assigned based on there group membership(s). The method tab indicates based on which way licenses are assigned. 3 users inherits (Inherited) EMS licenses based on their group membership Licenses – EMS and 1 users has been directly assigned an EMS license (Direct).

image

This all results that users are granted EMS licenses to fully utilize and take benefit of which Azure AD Premium, Intune, Azure RMS and MFA has to offer.

image

In summary, based on local Active Directory management tasks you’re able to delegate and (partially) automate the assignment of EMS licenses without the need to have global administrator rights of your Azure subscription! With this solution, the downside to be global admin to assign EMS licenses is no longer applicable anymore.

Of course you also need to manage and delegate your local AD groups management up, but this is for many a known exercise which can be more granular configured. Moreover, there is good news on the go, Microsoft will consolidate most admin portals in the new Azure Portal including improvements on delegated administration. Wherein the expectation is that in the area of license management can be delegated/performed without having to have global administrator rights.

Advertisements

4 thoughts on “Assign EMS licenses based on Local Active Directory Group Membership

  1. Horus

    Thanks for the info. I only have 1 problem with this method. When i give users a license using a group in my AD the users won’t dissapear from intune when i remove the license(So when i remove them from the AD group). Synchronisation happens every 3 hours but even after a day the user was still visible in intune without a license assigned.

    I issused a license manually to that user and removed it again but that didn’t work either.

    If i issue a license manually to a new user and remove it a few min after it’s visible in intune it dissapears without any problems.

    Did you encounter this problem?

  2. Pingback: Intune - Couldn't Enroll your Device - Adam Fowler - I.T. From Australia

    1. Hi Brian,

      Appreciate reading my blog, you’re bringing on an interesting question. With “Group-based licensing supports direct group assignment only. Members of nested groups will not inherit the licenses.” Alex assertion applies to Azure AD groups. Groupnesting does work for on-premise AD security groups as you can see in my blog post.

      Regards,
      Ronny

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s