Latest ITAM News

Managing MS Office 365 Licensing for a Global Enterprise

Managing Microsoft Office 365 Licensing for a Global Enterprise

Microsoft license administrators of global enterprises face many questions when purchasing and managing Office 365 licenses. What type of licenses should be purchased, and how many? When should you purchase additional licenses? How and when can you recover licenses from workers who are no longer with your company? What is the process for assigning a license to a new hire or changing a worker to a new license? The suggestions that follow are dependent on what profiles and licensing rules are in your company’s agreement with Microsoft and may not work in all situations.

Determining what Office 365 license to assign a worker can be straight forward, but not all worker needs are identical. The first thought is to give everyone the same license, typically an O365 suite. While this license is appropriate for a Knowledge Worker, who use their own computer for much of the day, it could be more than that is needed for a Front Line Worker, who occasionally uses a computer shared with several other workers. If you have access to a full current worker list, look at which users are most likely to be assigned one license over another. Classifying workers by department or division and by job title can quickly show you who should receive what O365 license

One option would be to use a combination of user-based and device-based licensing. Knowledge Workers would benefit from a O365 E3 license. This will give them access to collaboration tools like Microsoft Teams and Delve, and allow them the ability to be assigned other Microsoft applications like PowerApps and Power BI Pro.

Front Line workers typically don’t have the same licensing needs. A more cost-effective solution than assigning them an O365 E3 license would be to identify the shared computers in your organization and use device-based licenses for the desktop OS and device CALs (Windows Server, SCCM), then license those workers who use these computers with an O365 F1 license. You could end up with significant cost savings by purchasing O365 F1 plus shared computer licenses as compared to assigning all your workers an O365 E3 license.

The Front Line Workers are a bit trickier to assess for Office 365 licensing. If you have a manufacturing or production department, look closely at the job titles or whatever user field that best represents the different user types in your company. For example, Front Line workers listed as assemblers can be assigned O365 F1 license in most situations, but to get a better idea of what license to assign try running a PowerShell script on the User IDs or whatever field your company would use to show when a worker last changed their password, when they last logged on to a computer, their location, or any other relevant data from Active Directory. Work with your email team to get reports on how many emails the workers sent over the last 30/60/90 days. Pull SCCM or CMDB reports to show the computers in your environment and who frequently accesses those computers. When you compile and filter all this this data, you’ll get a much clearer idea of who should be assigned what license. It’s a lot of work, but it will pay off in lower overall license costs.

When ordering licenses, it can take anywhere from two to 72 hours for licenses to appear in the Office Portal after they are reserved in the Volume Licensing Service Center. Not having available licenses to assign to new workers could result in loss of productivity and result in a poor end-user experience, so having an additional supply of unassigned Office 365 licenses is critical for any business. How quickly you can recover licenses once a user is terminated is important and will drive down your license spend.

Monitor the subscriptions listed in the Office Portal daily to chart trends and to determine when additional subscriptions need to be reserved. This will show you how many subscriptions are assigned every day. Use this information to project how many licenses will be required per month and make your license reservations based on your analysis. Also work with management to get any information about plans on hiring or new acquisitions so you can anticipate when additional licenses are needed.

Here’s a key tip when ordering new license: DO NOT RESERVE MONTHLY SUBSCRIPTIONS ON THE FIRST DAY OF THE MONTH. Microsoft considers subscription licenses reserved after the first of each month to have a start date on the first following month. Placing reservations on the second day of the month will effectively give you the subscription at no cost for the current month. This could result in a significant cost savings.

Timely and automated license recovery can return Office 365 licenses to your available pool quickly and efficiently and will extend the time between needing to reserve additional licenses. Review any license or mailbox retention requirements with your legal team. For the sake of argument, let’s say that you need to retain a mailbox for 90 days, and because of this you are required to keep the Office 365 license assigned to that worker. If you have Exchange Online Plan 2 through your M365 E3 subscription or if purchased separately, you are entitled to Microsoft’s In-Place Hold option. Using an In-Place Hold on a mailbox will prevent any data in mailbox from being deleted, even if the Office 365 license expires. Once you’ve confirmed a mailboxes In-Place Hold status, you can recapture the license in a few days instead of what your internal policy dictates. You can then remove the In-Place Hold after 90 days and allow the mailbox to age out.

Assigning Office 365 licenses in a global enterprise is complicated at best. Directly assigning licenses to Azure Active Directory groups manually is time consuming and subject to human error. It also may require authorized users in multiple regions to assign licenses. Having an Azure Active Directory global administrator with strong PowerShell scripting skills will allow you to automate most of your licensing tasks.

From a legal standpoint, the person or persons reserving licenses should never assign these licenses, from a SOX compliance standpoint. Doing so will put your organization at risk in a government audit. Group-based license assignment in Azure Active Directory can be used to assign licenses to new and existing workers. Workers can be added to Azure AD groups for the license they are to receive via a PowerShell script, then have the license applied during directory synchronization. If you have access to a daily list of new hires, typically provided by your Human Resources organization, you can have the list saved to a specific location and use PowerShell to parse the most current list on a set schedule for username, department and job title, then assign the User IT to the appropriate Azure AD group. A list of results can then be created and reviewed for which workers were not assigned licenses via this method. Use this list to update the PowerShell script.

Direct license assignment can also be scripted and made available to your global help desks for when a user calls in for assistance. Using the same rules as the license assignment for new hires, a utility can be created to show which licenses a user is eligible to receive, and the help desk can assign only the license calculated for that works. This minimizes the risk of assigning the wrong license.

Upgrading or changing the Office 365 license for existing workers is technically challenging. Dynamic rule processing in Azure AD takes a different amount of time than Microsoft license assignments. When the Office 365 license assignment groups have a high number of User IDS, it takes a long time to process the changes, and users can experience brief outages for Exchange and SharePoint. You can create transitional groups which mimic the new license and leave the User IDs in these groups until you ensure that the worker’s new license has been fully applied. Once this is complete (sometimes it takes up to three hours) the users can be removed from the transitional group.

Managing licenses in Office 365 can be complex and time consuming, but by understanding your contract with Microsoft, having experienced PowerShell script writers, knowledgeable Exchange administrators, engaged VAR partners with strong expertise in Microsoft, and access to software inventory and user reports, you can successfully manage your Office 365 licenses, decrease software spend and improve user satisfaction by timely license assignment.

About David Lawrence

David Lawrence is a Sr IT Business Systems Analyst for Medtronic.