Licensing:
The previous articles talked about licensing with a multitenant application. This article continues to discuss a few more aspects.
The lifecycle of group-based licenses can be managed in Azure Active Directory. This is called entitlement management. Using groups to manage licenses for applications helps to configure periodic access reviews and allows other employees to request membership in the group.
For example, an access package can be created to allow employees to gain access to Office licenses such that group members can be reviewed annually, and new employees can request licenses with their manager's approval.
Azure AD entitlement management itself requires an Azure AD Premium P2 license and Enterprise Mobility plus Security EMS ES approval.
Creating the access package involves the following steps:
1) The basics for the access package, such as name, description, and catalog type, must be specified.
2) The resources for the access package must be specified as groups and teams with roles as members.
3) The requests for the access package must be configured to include approvals and their manner.
4) The requestor information must be collected.
5) The lifecycle for the access package must be configured.
6) Finally, the access package must be created and reviewed.
Users with individual licensing can be migrated to use groups. The caveat is that users must not temporarily lose their currently assigned licenses during migration. Any process that may result in the removal of licenses should similarly be avoided. The recommended migration process involves the following:
1) Existing automation is used to manage license assignment and removal for users.
2) A new licensing group is created, making sure all the required users are added as members.
3) The required licenses should be assigned to those groups.
4) The licenses should be applied to all users in those groups.
5) A check must be performed that no license assignments failed.
License assignment errors can be found by finding users in an error state in a group.
Common errors encountered with licensing involve the following:
1) a situation where there are not enough licenses: this can be mitigated by purchasing more licenses for the product or freeing up unused licenses from other users or groups. Available licenses can be viewed.
2) a situation where there are conflicting service plans. Some service plans are configured in a way that they can’t be assigned to the same user as another related service plan. This can be resolved by disabling one of the plans.
3) a situation where other products depend on this license. A product might have a service plan that requires another service plan in another product to function. This can be mitigated by making sure that the required plan is still assigned to users through some other method or that dependent services are disabled for those users.
4) a situation where the usage location is not allowed. Before a license can be assigned to a user, the usage location property must be specified for the user. When this is violated, an error occurs. This can be resolved by removing users from unsupported locations from the license group.
5) a situation where the proxy addresses are duplicated. When users in the organization specify the same proxy address twice and the group-based licensing tries to assign a license to such a user, it fails. This error must be solved on the user side and the license processing must be forced on the group after the remediation.
6) a situation where the Azure AD mail and Proxy Addresses attribute changes. Some proxy address calculations can trigger attribute changes. These must be investigated on a case-by-case basis.
7) a situation where a concurrency exception occurs in the audit logs. This comes from a concurrent license assignment of the same license to a user. Retrying the process will resolve this issue and there will not be any action required from the customer to fix this issue.
8) a situation where more than one product license must be assigned to a group. We can see users who failed to get assigned and check which products are affected by this symptom.
9) a situation where a licensed group is deleted. All licenses assigned to the group must be deleted before the group can be deleted.
10) a situation where licenses for products with prerequisites must be managed: some products are add-ons and they require a prerequisite service plan to be enabled for a user or group before they can be assigned a license. The add-on license can be assigned to a group, where the group also contains the prerequisite service plan.
11) a situation where group licensing processing can be forced to resolve errors, especially for freeing up some licenses.
12) a situation where the user licensing processing can be forced to resolve errors such as the duplicate proxy error described above.
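The migration check and the error list above can be combined into one pass over each user's license state, shown here as an added example that is not code from the original article. It assumes the per-user data has the shape of the Microsoft Graph `licenseAssignmentStates` property; the group ID, SKU ID and users are constructed placeholders.

```python
# Constructed sample shaped like the licenseAssignmentStates property that
# Microsoft Graph returns on user objects. All IDs and users are placeholders.
GROUP_ID = "11111111-1111-1111-1111-111111111111"  # hypothetical licensing group
SKU_ID = "aaaaaaaa-0000-0000-0000-000000000001"    # hypothetical product SKU

# Graph error codes mapped to the fixes the article lists for each situation.
REMEDIATION = {
    "CountViolation": "not enough licenses: purchase more or free unused ones",
    "MutuallyExclusiveViolation": "conflicting service plans: disable one plan",
    "DependencyViolation": "other products depend on this plan: keep it assigned",
    "ProhibitedInUsageLocationViolation": "usage location not allowed",
    "UniquenessViolation": "duplicate proxy address: fix user, then reprocess",
}

def entry(by_group, status, error="None"):
    """Build one constructed licenseAssignmentStates entry for SKU_ID."""
    return {"skuId": SKU_ID, "assignedByGroup": by_group,
            "state": status, "error": error}

USERS = {  # constructed: UPN -> licenseAssignmentStates
    "alice@example.com": [entry(None, "Active"), entry(GROUP_ID, "Active")],
    "bob@example.com": [entry(None, "Active"),
                        entry(GROUP_ID, "Error", "CountViolation")],
    "carol@example.com": [entry(None, "Active")],
    "dave@example.com": [entry(GROUP_ID, "Active")],
    "erin@example.com": [entry(GROUP_ID, "Error", "UniquenessViolation")],
}

def classify(states, sku_id=SKU_ID, group_id=GROUP_ID):
    """Return (action, reason) for one user's states during migration."""
    states = [s for s in states if s["skuId"] == sku_id]
    direct = any(s.get("assignedByGroup") is None for s in states)
    via_group = [s for s in states if s.get("assignedByGroup") == group_id]
    if any(s["state"] == "Active" for s in via_group):
        # The group already delivers the license, so removing the direct
        # assignment cannot leave the user unlicensed.
        return ("remove_direct" if direct else "migrated", None)
    errors = [s["error"] for s in via_group if s.get("error") not in (None, "None")]
    if errors:
        return ("blocked", REMEDIATION.get(errors[0], "investigate case by case"))
    return ("blocked", "not yet licensed through the group")

def migration_report(users):
    return {upn: classify(states) for upn, states in users.items()}

if __name__ == "__main__":
    for upn, result in migration_report(USERS).items():
        print(upn, result)
```

Only users reported as `remove_direct` can have their individual assignment removed without a gap in licensing; every `blocked` user keeps the direct license until the stated cause is fixed.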
When the number of servers or the number of users is large, volume licensing options might be available. This is the practice of selling a license authorizing one piece of software to be used on a large number of computers or by a large number of users. Software training for volume licensing customers might be made available by way of training and certification solutions, through a customized software purchase program that grants discounted access to them.