How can we improve Azure Active Directory?

← Azure Active Directory

Add an option to bypass service plan dependency check when assigning license to group

The Azure portal does not allow assignment of an add-on license to a user group unless a base license with prerequisite service plans is also assigned to the group. Example: Audio Conferencing can only be assigned to a group if (e.g.) Office 365 E3 with the Microsoft Teams service plan enabled is added to the group at the same time.

The problem is that most of our customers have a mix of Office licenses. In order to avoid service plan conflicts and unnecessary license usage, we would need to create a group for each possible combination of the addon and the relevant base products for each customer. In contrast, a one-to-one relationship between license and group would make the license assignment matrix cleaner and much easier to understand and maintain.

Microsoft's rationale is to ensure that prerequisites for the add-on products are met, but this check is really performed at the wrong stage of the assignment process.

In the current scenario, service plan dependencies are evaluated when the license is assigned to the group, while all other problems preventing the intended assignment (service plan conflicts, insufficient licensing, uniqueness violations, etc) are detected at the stage of actually assigning the license to each individual user.

In our example case, most users already have some flavor of Office product assigned. Hence, the prerequisite will most likely be fulfilled on the user level, regardless of which product the required service plan comes from. In the rare cases where the prerequisite is not met, the error will be reported and handled manually just like we need to do in the case of a service plan conflict (which is conceptually quite similar).

An "IgnoreDependencies" option would allow us to make a conscious decision to take responsibility for assigning licenses and service plans correctly, while maintaining a clean one-to-one relationship between product and licensing group.

Please consider this when support for adding licenses to groups is implemented in Powershell!

77 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Henning Tranberg shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
under review  ·  Azure AD Team responded  · 

This is something we are considering, but there is no timeline now. If it matters to you, keep voting to help us prioritize.

3 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Ryan P commented  ·   ·  Flag as inappropriate

    Agreed. Example scenario

    Today, I would need 6 separate groups for the following:

    O365 E3
    O365 E3 + AudioConferencing
    O365 E3 + AudioConferencing + PhoneSystem
    O365 E3 + EMS E3
    O365 E3 + EMS E3 + Audio Conferencing
    O365 E3 + EMS E3 + AudioConferencing + PhoneSystem

    Istead, I'd rather 'stack' groups properly, so I'd only need 4 groups:
    1) O365 E3
    2) O365 EMS E3
    3) O365 AudioConferencing
    4) PhoneSystem

    Then, I can just assign a user to 1 or more groups.

  • Erlend Moen commented  ·   ·  Flag as inappropriate

    I completely agree with this suggestion. However - I would like to add another option as well. We have - as the proposer has - several different Office-groups with several different plans activated. Our concern is that new services are added automatically and activated by default. We have a rather strict security policy in our company that requires new services to go through a risk assessement before we can start to use them. Our wish is that Microsoft also would add an organization option to set all new services as deactivated by default.

Azure Active Directory: Admin Portal

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice