AAD Licensing for Groups and Teams Features Burdens Office 365 Tenants
Microsoft Reveals New Licensing Information at Ignite
No one likes to be forced to pay extra for a facility that they have used for over a year. It is not a nice feeling to see a bill coming for something previously regarded as free. That’s what happened at the Ignite 2017 conference when Microsoft laid out the AAD licensing requirements for Office 365 Groups.
Premium AAD Features for Office 365
When Microsoft introduced recent functionality to manage Groups, such as the expiration policy and the naming policy, they were clear that these are premium features that need to be licensed. However, the overall situation around what features Microsoft regarded as premium was still unclear. It came as a relief when several Ignite sessions about Groups included a slide to clarify when premium licenses are necessary.
I included the slide (Figure 1) in my wrap-up for Ignite. Some questions from readers resulted. Some asked about the logic behind the need for premium licenses to have a URL displayed to users (usage guidelines) or to apply a default classification to a new group. Others were more upset that Microsoft charges for dynamic Office 365 Groups and the naming policy because the equivalent features for distribution lists are both free in Exchange Online.
A Short-Sighted Approach
I have some sympathy for this view because I think that Microsoft is being short-sighted here. After all, if Microsoft wants to convince Office 365 tenants to move from distribution lists to Groups, it surely makes sense to allow tenants to use dynamic Office 365 Groups or apply a naming policy to groups without charge.
Microsoft’s view is that Groups offer more functionality than distribution lists and therefore the two cannot be compared. I see the logic of this position, but I still consider the licensing requirement to be a barrier to migration. For instance, if you create a dynamic group called “All Employees,” you incur a licensing requirement for each user. Azure Active Directory Premium P1 costs $6/user/month, so if your tenant has 10,000 employees, your dynamic group just cost you $60,000 monthly.
In any event, an old-fashioned but perfectly good dynamic distribution group is a better choice for all-company communications and avoids any need for premium licenses.
Controlling Group Creation
It is easy to avoid using dynamic groups. Indeed, some applications (like Teams and Planner) do not support dynamic membership. Imposing some control over group creation is more difficult, if only because you can create Office 365 Groups in so many ways.
Fourteen months ago, Microsoft introduced a new method to control the creation of Office 365 Groups. The new mechanism, stored in an Azure Active Directory policy, replaced the original method based on a setting in OWA mailbox policies assigned to user mailboxes.
The old approach harked back to the early days of Groups when the only clients were OWA and Outlook. Much had changed since Groups first appeared in November 2014 as new applications like Teams and Planner lined up to use Groups as an identity and membership service. Now, settings in the Azure Active Directory policy define whether group creation is restricted and identify the security group holding the list of users who can create groups.
One Policy Across Office 365
Groups uses the same policy for other settings, like the expiration and naming policies. The critical point is that because the new policy is in Azure Active Directory, its settings are available to all Office 365 applications that choose to respect the policy settings.
Having a policy that works across Office 365 is good. What is not so good is the way that Microsoft has changed the rules around licensing of the ability to control group creation. If you want to restrict the creation of new Office 365 Groups from any application (OWA, Outlook, Teams, SharePoint, Planner, Stream, StaffHub, and so on), you need Azure Active Directory Premium P1 licenses for all user accounts in your tenant.
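To see which of these settings a tenant actually relies on, the following added example (not code from the original article) audits the values of the Azure Active Directory policy for Groups. It assumes the setting names of the `Group.Unified` directory settings template; the function name `Get-GroupPolicyPremiumUsage` is hypothetical and the sample values are constructed.

```powershell
# Added example: report which Groups policy settings are in use and flag a
# creation restriction that names no security group.
function Get-GroupPolicyPremiumUsage {
    param([Parameter(Mandatory)][hashtable]$Settings)

    # EnableGroupCreation = false means creation is restricted tenant-wide.
    $restricted = ("$($Settings['EnableGroupCreation'])" -eq 'false')
    $allowedGroup = "$($Settings['GroupCreationAllowedGroupId'])"

    $checks = [ordered]@{
        'Restricted group creation' = $restricted
        'Usage guidelines URL'      = (-not [string]::IsNullOrWhiteSpace("$($Settings['UsageGuidelinesUrl'])"))
        'Default classification'    = (-not [string]::IsNullOrWhiteSpace("$($Settings['DefaultClassification'])"))
        'Naming policy'             = (-not [string]::IsNullOrWhiteSpace("$($Settings['PrefixSuffixNamingRequirement'])")) -or
                                      (-not [string]::IsNullOrWhiteSpace("$($Settings['CustomBlockedWordsList'])"))
    }

    foreach ($feature in $checks.Keys) {
        $note = ''
        if ($feature -eq 'Restricted group creation' -and $restricted -and
            [string]::IsNullOrWhiteSpace($allowedGroup)) {
            # Restricted with no allowed group: ordinary users cannot create groups at all.
            $note = 'No GroupCreationAllowedGroupId set'
        }
        [pscustomobject]@{ Feature = $feature; InUse = $checks[$feature]; Note = $note }
    }
}

# Constructed sample values, shaped like the Group.Unified settings.
$sample = @{
    EnableGroupCreation           = 'false'
    GroupCreationAllowedGroupId   = ''
    UsageGuidelinesUrl            = 'https://intranet.example.com/groups-guidelines'
    DefaultClassification         = ''
    PrefixSuffixNamingRequirement = 'GRP-[GroupName]'
    CustomBlockedWordsList        = ''
}
Get-GroupPolicyPremiumUsage -Settings $sample | Format-Table -AutoSize

# Against a real tenant (requires the AzureADPreview module and Connect-AzureAD):
# $policy = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
# $live = @{}; $policy.Values | ForEach-Object { $live[$_.Name] = $_.Value }
# Get-GroupPolicyPremiumUsage -Settings $live
```

The expiration policy and dynamic membership are stored outside this settings object, so they need separate checks.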
The Licensing Shock
Introducing a change like this without any warning or documentation came as a real shock. It is unconscionable for Microsoft to suddenly look for licensing fees when Office 365 tenants have used a feature for over a year, especially when the feature is such a critical management tool for so many applications.
AAD Wags the Groups Tail
The culprit here is Azure Active Directory. If you look at the slide heading in Figure 1, it is “Azure Active Directory licensing requirements” and not “Office 365 Groups licensing requirements.” Groups, Teams, Planner, and so on incur collateral damage because people assume that these applications decided to impose the need for premium licenses.
Before we get too excited, it is important to put premium licenses into context. Two mitigating factors exist. First, these features are not important to every tenant. You might not want to control group creation or apply naming conventions.
Second, you already have the necessary licenses if your tenant uses the Enterprise Mobility and Security or Microsoft 365 suites. Again, these offerings are most interesting to enterprise customers and anecdotal evidence is that over 50% of large tenants use EM+S.
And if you do not want to pay for licenses, you can write PowerShell scripts for group management. The big issue here is that you might need to reinvent the wheel for each new application that comes along and uses the Groups identity and management service.
The Azure portal checks for premium licenses and you cannot create new dynamic Office 365 Groups or amend the expiration policy if your account does not have the right license. Neither PowerShell nor the client applications check for premium licenses at present, but Microsoft could implement such a check at any time in the future.
Clarity is good and at least Microsoft has laid out its stall when it comes to licensing requirements for what they consider to be premium features. I think the set of features they settled on is flawed because some features are not premium (like default classification) and some should be included in Office 365 E3 and E5 (like group creation).
However, premium licensing covers a bundle of features and that is how you should look at the situation. If you are an enterprise tenant and need to take control of Groups and its associated applications, you need these features – or be ready to write a lot of PowerShell scripts to do the same job.
Follow Tony on Twitter @12Knocksinna.