blog.atwork.at

news and know-how about microsoft, technology, cloud and more.

Delegate365-Working with License Assignments

Delegate365 provides various automation tasks. One of these is the new License Assignment rule to automatically assign Office 365 licenses to users based on their user properties or on their group membership. See how this works in real world with a demo scenario here.

The License Assignment is available since version 6.4. For details, pls. see the description here. This new feature allows to assign Office 365 licenses in a very custom way to users and runs at each Delegate365 synchronization operation, So, whenever a SyncOp runs, Delegate365 checks the sync rules and assigns licenses as specified. So let's see how this works step-by-step as follows.

Security Groups

Many organizations work with security groups to simplify their user management. In my scenario, I created some security groups within Delegate365 and added some users as members. Security group Finance has Alan and Christa as members.

image

Security group IT has Dan as member, to keep that sample very simple.

image

Just to mention: In this demo, I created OU's with the same name (Finance, IT, ...) to keep the management simple. To clarify, there is no correspondence between OU's in Delegate365 and any security groups. You can organize your tenant and your Delegate365 environment as needed.

Existing licenses

License tasks in Delegate365 always add licenses. This means, if a user already has a license set, this will stay untouched and new licenses will be added.

So, here we have a specific set of license set just for user Christa: MDM, Yammer and Exchange in E3 are activated, all other license plans are disabled.

image

The other two users Eric and Dan do not have any licenses set.

Sync rules

A Portal Admin can define the sync rules in administration / sync / sync rules. Here, the User sync options are disabled, but the User license assignment will be enabled. We create a new rule where Security group contains Finance. This means, all current members of the security group Finance shall get a specific set of licenses. In our sample that's Office Web Apps, SharePoint and Exchange in SKU E3 and additionally AAD_PREMIUM_P2.

image

Ok. Now we add another rule for member of the security group IT. The IT personal shall get the Skype and Teams license within the E3 SKU.

image

Ok. Don't forget to Save the sync rules at the bottom of the page.

image

We're done here. Since you can add many rules with various conditions, many custom scenarios can be defined.

Optional: Don't forget the UsageLocation

Office 365 requires to have a UsageLocation set for each user who shall get any license. As administrator you need to take care of that fact. It can be the case, that some users have a UsageLocation set and others not. With Delegate365 this can be set in the OU Auto License Assignments if needed, in module administration / organizational units / manage ou's (see Delegate365 changelog version 6.5-Service health, logging and more "Assign OU Licenses and UsageLocation").

Select the OU and click Edit licenses. In here, enable Use license auto assignment and select a country to set for UsageLocation as shown here. Usually, it's a good idea to enable Check existing OU assignments as well to ensure that all users that are already assigned to that OU are checked for UsageLocation. No licenses are selected in here, we just want to set the UsageLocation .

image

The UsageLocation defined in here will only be set, if a user has NO UsageLocation set. If that user property is already set, this will be ignored (we do have the UsageLocation then already and do not need to re-assign one).

To ensure we will also have a UsageLocation for all members of OU IT, we do the same for that OU.

image

Remember, this step is optional- If you are sure, all users have a UsageLocation set, you can skip this step.

Run a sync

Now let's try it. We could wait for the next automatic SyncOp (which usually runs all 4 hours), or to see the result instantly, we run the SyncOp manually. This can be done in administration / sync / sync operations. Click the Sync button.

image

The progress box below shows the details. Depending on the size of your Office 365 tenant and your settings, this can take some minutes or even hours. In my demo tenant with just about 250 users and few groups, this takes about 3 minutes. The page must not stay open, you can continue to work in other Delegate365 pages.

After the SyncOp has finished, you can check the result in the same page in the Sync history box. Here we see the manual triggered SyncOp.

image

Check the result

Now let's see the result in the user licenses. First, we check the licenses of Christa. We should see that she now has additional licenses in E3 (Office Web Apps and SharePoint) and AAD_Premium_P2. The existing licenses for MDM, Yammer and Exchange are set as before. So, the new licenses have been added.

image

The result for Eric now shows just the new licenses (MDM has been added automatically through AAD Premium by a role, this was not manually defined by us). So, we see the licenses for MDM, Office Web Apps, SharePoint and Exchange. and for AAD_Premium_P2. These licenses have been assigned since Eric is member of the security group Finance.

image

Let's check user Dan who is member of IT. He got Teams and Skype as defined (plus MDM as above).

image

Well perfect, or?

Stumbling stones

As we have seen, the License Assignment is basically easy to use. But of course, it can happen, that you don't get the desired result. If licenses are not added after a sync, the following issues can have happened:

  1. In Delegate365, there is a license quota defined for an OU and the limit is exceeded.
  2. You are out of Office 365 licenses in your tenant. Licenses could not be assigned since there are no licenses left.
  3. Licenses could not be set because of license conflicts. For example, you tried to assign the license EOP_ENTERPRISE that cannot be assigned to a user. Delegate365 tries to set the defined licenses, but if Office 365 restricts specific licenses, this license cannot be set and an error is logged (see below).

Recommendations

So, if something goes wrong, we recommend:

  • Check the result after a sync with some single users.
  • Check the Delegate365 error message that are collected in the notification center in the top menu bar (the message icon). Click Read all messages and see any error that may have occurred, as shown here.
    image

ad 1) If a license quota is exceeded

So, how does it look like if there is a license quota defined? I created another new user: Molly (without any Office 365 license in OU Finance) and added her to the Finance security group.

image

Then, a license quota is defined for the OU Finance with an enforced maximum of 2 licenses for SKU E3 as shown here.

image

After Save, we see that 2 license-quota for OU Finance.

image

Remember, we had already two users, Christa and Eric in that OU, with two E3 licenses. So the License Assignment for Molly should not work. We are set now, and can re-run the SyncOp (as above).

After the SyncOp, let's check Molly's licenses. This looks as follows: The E3 licenses have NOT been set. You see the information "Microsoft Office 365 Plans E3 (2 of 2 used)".

image

If we check the notifications, we see the reason: "No more licenses available for OU: Finance and Licenses: Microsoft Office 365 Plans E3". The license could not be assigned because of the license quota of 2.

image

So, the notifications are important to check.

If we now change the quota to, let's say, 3 licenses and re-run the SyncOp, Molly will get the E3 license automatically. I did this and checked the result here. Molly got the E3 licenses now.

image

ad 2) If no more 365 licenses are available in the Office 365 tenant

The same as described above, happens when exceeding the available Office 365 licenses of the tenant. You see the warning in the notification center.

ad 3) If a license cannot be assigned

Some licenses sets are not possible since they are not permitted by Office 365. For example, the message "User Licence(318) ericg@d365v6.onmicrosoft.com: License EOP_ENTERPRISE cannot be assigned to a user." informs that that license could not be assigned. Microsoft is continuously adding licenses and plans and combinations and such messages (as for example, double license plans in different SKU's) are possible. The notification center informs about such issues.

Summary

I hope this sample demonstrates the License Assignment functionality and allows you to automate your Office 365 user and license management. Check automatic license assignments after the SyncOp and see the notification center for any issues. With that toolset, it's easy to automate license assignments. Benefit from working with Delegate365!

Comments (3) -

  • Hannes Deburchgraeve

    7/12/2017 3:51:31 PM |

    Dear,

    Is it possible to configure a soft quota notify?
    I am searching for a Quota over use e-mail monitoring functionality.

    Best Regards,



  • Toni Pohl

    7/12/2017 9:18:16 PM |

    Hi Hannes,
    Delegate365 provides soft and hard quotas just for Office 365 licenses. The purpose is to restrict the number of Office 365 licenses per Organizational Unit. In Delegate365, admins can also define mailbox quotas per user.
    I'm not sure if I understand your question regarding a "quota over user email monitoring functionality". Do you mean that f.e., if a user sends or receives more than n email in a specific time range, this user will be added to a list that then is sent to an email address?
    No, there's no such functionality in Delegate365, but there are Office 365 usage reports that deliver such data. AFAIK there is no monitoring out of the box available for such reports, but that's to be checked if needed.
    Does this answer help?
    thx, Toni

  • Hannes

    7/14/2017 7:54:06 AM |

    Thx for the info Toni !!

Loading