How to migrate users with individual licenses to groups for licensing
In Azure Active DIrectory (Azure AD), part of Microsoft Entra, you can have licenses deployed to users in your tenant organizations by direct assignment, using PowerShell scripts or other tools to assign individual user licenses. Before you begin using group-based licensing to manage licenses in your organization, you can use this migration plan to seamlessly replace existing solutions with group-based licensing.
The most important thing to keep in mind is that you should avoid a situation where migrating to group-based licensing will result in users temporarily losing their currently assigned licenses. Any process that may result in removal of licenses should be avoided to remove the risk of users losing access to services and their data.
Recommended migration process
You have existing automation (for example, PowerShell) managing license assignment and removal for users. Leave it running as is.
Create a new licensing group (or decide which existing groups to use) and make sure that all required users are added as members.
Assign the required licenses to those groups; your goal should be to reflect the same licensing state your existing automation (for example, PowerShell) is applying to those users.
Verify that licenses have been applied to all users in those groups. This application can be done by checking the processing state on each group and by checking Audit Logs.
You can spot check individual users by looking at their license details. You will see that they have the same licenses assigned “directly” and “inherited” from groups.
You can run a PowerShell script to verify how licenses are assigned to users.
When the same product license is assigned to the user both directly and through a group, only one license is consumed by the user. Hence no additional licenses are required to perform migration.
Verify that no license assignments failed by checking each group for users in error state. For more information, see Identifying and resolving license problems for a group.
Consider removing the original direct assignments. We recommend that you do it gradually, and monitor the outcome on a subset of users first. If you could leave the original direct assignments on users, but when the users leave their licensed groups they retain the directly assigned licenses, which might not be what you want.
An organization has 1,000 users. All users require Office 365 Enterprise E3 licenses. Currently the organization has a PowerShell script running on premises, adding and removing licenses from users as they come and go. However, the organization wants to replace the script with group-based licensing so licenses can be managed automatically by Azure AD.
Here is what the migration process could look like:
Using the Azure portal, assign the Office 365 E3 license to the All users group in Azure AD.
Confirm that license assignment has completed for all users. Go to the overview page for the group, select Licenses, and check the processing status at the top of the Licenses blade.
Look for “Latest license changes have been applied to all users" to confirm processing has completed.
Look for a notification on top about any users for whom licenses may have not been successfully assigned. Did we run out of licenses for some users? Do some users have conflicting license plans that prevent them from inheriting group licenses?
Spot check some users to verify that they have both the direct and group licenses applied. Go to the profile page for a user, select Licenses, and examine the state of licenses.
This is the expected user state during migration:
This confirms that the user has both direct and inherited licenses. We see that Office 365 E3 is assigned.
Select each license to see which services are enabled. To verify that the direct and group licenses enable exactly the same services for the user, select Assignments.
After confirming that both direct and group licenses are equivalent, you can start removing direct licenses from users. You can test this by removing them for individual users in the portal and then run automation scripts to have them removed in bulk. Here is an example of the same user with the direct licenses removed through the portal. Notice that the license state remains unchanged, but we no longer see direct assignments.
Learn more about other scenarios for group license management:
- What is group-based licensing in Azure Active Directory?
- Assigning licenses to a group in Azure Active Directory
- Identifying and resolving license problems for a group in Azure Active Directory
- How to migrate users between product licenses using group-based licensing in Azure Active Directory
- Azure Active Directory group-based licensing additional scenarios
- PowerShell examples for group-based licensing in Azure Active Directory
Lähetä ja näytä palaute kohteelle