Delegate365 allows to split a Microsoft 365 tenant and to delegate management of assigned objects. With synchronization rules, licenses can be added or removed automatically. This works together with license quotas. In this article we show an example.
- Scenario: Here, we have a demo tenant and two administrators in Delegate365: Admin and AdeleV. The Admin can manage the OU´s "Seattle" and "New York" and has the role "Portal Admin". AdeleV has the role "Scope Administrator" assigned and she can manage OU "New York" as we see in the Delegate365 Administration / Administrators menu.
- Scope Admin AdeleV: User "AdeleV" sees currently 7 users in her assigned OU "New York". 3 users have an Office 365 license (E5) assigned: Allan, Isiah and Lee. The other 4 users don´t have any Office 365 license assigned as we see in the following screenshot.
- Define a license quota for "New York": The Admin now creates a new license quota for "New York" and license "Office 365 Enterprise E5" - we use the short form "E5" in this article - for 4 licenses in total. This can be done by entitled admins in the Licenses / Quotas menu.
This means that members of OU "New York" cannot be assigned more than 4 Office 365 E5 licenses in Delegate365.
- Create a security group with members for automatic license assignments: The Admin creates a new security group with the name "E5". 4 members are added as members: Allen, Cameron, and Delia from OU "New York" and Diego from OU "Seattle". AdeleV only sees "her" 3 users (these are the first 3 users in her users list).
- Define a license sync rule: The goal is to automatically add the "E5" license to all members of the security group "E5" (I chose the same name to show what this group does), so to all 4 members. In the users list shown to AdeleV above, we see that 2 users in OU "New York" currently do not have the "E5" license assigned, these are Cameron and Delia. The users Allen and Diego already have the "E5" license assigned. To accomplish this task, the Admin adds a sync rule in Delegate365 as here:
Step 1 is to add the condition: If Security Group contains the expression "E5" then...
Note: The condition is using the contains filter to apply the rule to every security group that has "E5" in it´s name. So, this rule would also assign the licenses set to security groups "E5", "Office 365 E5", "E5 licenses", "licenses e5 for standard users" or "Office5". This is especially useful if you have many groups and want to simplify the assignment of licenses. So, keep this in mind to get the desired license assignments.
...we click in the license icon and add the license "E5" as step 2.
Then, in step 3, we save the sync rules settings at the page bottom.
- Sync to test: Now we have defined a sync rule to automatically assign license "E5" to all members of security group "E5". Wait, we have defined a license quota for "New York" with 4 times "E5" licenses. So, what will happen? To see the result, let´s start the sync manually as Admin in Administration / Sync operations.
After clicking the Start AAD sync button, we confirm the start. This process will take a minute or up to some hours, depending on the tenant size and the sync rules.
- Check the result: As a result (after the sync has completed, we can check in the Sync history box and click Refresh...), AdeleV should see one more user having the "E5" license assigned. In this sample, this is user Delia. We also see that Cameron does not have an "E5" license due to the total license quota of 4 "New York" licenses.
The process worked. 4 users in OU "New York" have the "E5" licenses assigned (only and automatically).
Note: Sync rules cannot be configured which users get the licenses. They run through the user objects and (un)assign licenses in the order they are delivered from the Microsoft API.
- Notifications: The Portal Admins will see a corresponding message in their notification center in the Delegate365 menu bar, at the message icon. The message says: "Manage License: No more licenses available for OU: New York and License: OFFICE 365 ENTERPRISE E5". The license quota would have been exceeded by the sync operation and therefore no more licenses are assigned automatically. Also, a Scope Admin as AdeleV cannot use more than 4 "E5" licenses in the Delegate365 interface.
Note: Currently, Scope admins do not get this notification.
- No more licenses? What happens, if there are no more pool licenses available in the tenant? In that case, Delegate365 will inform the Portal Admins in the notification center as well.
The message will say: "UserLicenseSyncJob(378) DeliaD@M365x423383.OnMicrosoft.com: Code: Request_BadRequest Message: Subscription with SKU [someid] does not have any available licenses. Inner error". This is the message delivered from the Microsoft API combined with the user information. Delegate365 cannot assign the desired license since there is no license left in the pool. In this case, the organization needs to add more Office 365 licenses if needed or to reorganize their assigned licenses. Delegate365 supports internal license orders in the Licenses / license order menu.
- Quota exceeded? Can the Delegate365 license quota be exceeded? Yes, this can happen.
If licenses are set outside of Delegate365 (for example, in the Office Admin portal or with PowerShell), they remain assigned to the users and Delegate365 does not remove any licenses if a defined license quota is exceeded. In that case, the licenses and the quota will show a larger number in the user license menu, such as "E5 (10/4)": 10 users have the "E5" license assigned, but the quota is set to 4 licenses. The Scope Admin then can only reduce licenses by un-assigning licenses from users until there are less then 4 licenses assigned and reuse them afterwards. So, AdeleV could remove licenses from 7 users, then 1 license is available (the quota is 4 licenses( and can be assigned to another user.
This scenario shows the behavior of Delegate365 when working with license quotas and license sync rules. License quotas can be set per OU and for each Office 365 license. They help to set the available number of license per OU. This functionality is also helpful for billing OU´s (cost centers) for the usage of their Office 365 licenses, many customers of Delegate365 use this function.
We hope this article helps to use the (automatic and manual) license assignments correctly.