skip to Main Content

Assign Office 365 licenses with Azure group-based licensing

What is an excellent way to manage and assign Office 365 licenses? If you have a small organization with a couple of users, you can assign the Office 365 licenses directly to the user. If you manage a large environment and want to have a structure, your best way is to assign Office 365 licenses with Azure group-based licensing. In this article, you will learn how to assign Office 365 license with groups.

Add Office 365 license directly to user

If you don’t have many users in the organization, you can enable the licenses and apps to the user directly.

Sign in to Microsoft 365 admin center. Navigate to Active users and select the user. Click on Licenses and apps and enable Office 365 license.

Add office 365 license to user in Microsoft 365 admin center

A better situation is to create groups and manage the Office 365 licenses from there. How will that work? Let’s see in the next step.

Azure group-based licensing

You can assign one or more product licenses to a group. Azure AD ensures that the licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses. When they leave the group, those licenses are removed. This licensing management eliminates the need for automating license management via PowerShell to reflect changes in the organization and departmental structure on a per-user basis.

Read more: What is group-based licensing in Azure Active Directory?

Azure group-based licensing requirements

You must have one of the following licenses to use group-based licensing:

  • Paid or trial subscription for Azure AD Premium P1 and above
  • Paid or trial edition of Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 for GCCH or Office 365 E3 for DOD and above

Create Office 365 security groups on-premises

We recommend you to create a base group, which you will assign the must-have Office 365 products. Create other groups for products that not everyone needs to use.

In this example, we will create two groups in Active Directory Users and Computers:

  • O365_Licenses_E3_Base
  • O365_Licenses_E3_Exchange

The security groups will look as below.

Create security groups on-premises

Verify security groups in Azure AD

Go to Microsoft Azure and sign in with your admin credentials.

Select Azure Active Directory in Microsoft Azure portal

If you search for the group, the chance is big that you will not see them.

No groups found in Azure Active Directory

It’s because Azure AD Connect needs to sync the on-premises objects to Azure AD.

Note: Verify in Azure AD Connect that the OU where you placed the security groups is enabled for syncing.

Microsoft Azure Active Directory Connect sync groups

You can wait a maximum of 30 minutes, and it will synchronize the objects. Another option to speed it up is to force sync Azure AD Connect.

Sign in on the Azure AD connect server or make a remote session with PowerShell.

PS C:\> Start-ADSyncSyncCycle -PolicyType Delta

Assign licenses to group

Wait a couple of minutes and do a refresh in Microsoft Azure or search again for the groups. In this case, O365.

Office 365 groups available in Azure Active Directory

Click on the groups to assign the licenses, or another way is to go to Azure Active Directory > Licenses > All products.

Select the checkbox Office 365 E3 and click Assign.

Office 365 E3 assign license

Click on Users and groups and select the Office365_License_E3_Base.

Select users and groups

Click Assignment options and select the license options for the group.

Select assignment options

Do the same, but this time add the group O365_License_E3_Exchange.

Select users and groups

Select the license option Exchange Online (Plan 2).

Select assignment options

Verify licensed groups

Click on the product Office 365 E3.

Office 365 E3 product

Click in the menu Licensed groups and verify that you see both the groups. The state is Active, and the Enabled Services shows how many services you assigned.

Verify Office 365 licensed groups

Add user to security group

Add a user to the group O365_License_E3_Base.

Add user to security group O365_License_E3_Base

Force sync with Azure AD.

PS C:\> Start-ADSyncSyncCycle -PolicyType Delta

Click on the group.

Select O365_License_E3_Base group

Click Members and verify you see the user.

Verify members in Office 365 security group

Another way to check and which we recommend is to select Licensed users in the menu. Verify the user in the list and check which groups show up in the Assignment Paths.

Verify licensed users in Office 365 security group

Looks great! You can assign Office 365 licenses in bulk by adding all the users to the security group on-premises. Don’t forget to sync!

In the next article, we will look at Exchange Hybrid test plan.


In this article, you learned how to assign Office 365 licenses with Azure group-based licensing. Make the organization easier to manage and license the users with ease. No more challenges when assigning licenses.

Did you enjoy this article? You may also like the complete course Exchange Hybrid. Don’t forget to follow us and share this article.



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 7 Comments

  1. Hi,
    I am looking for a similar Group based licensing, but for cloud only accounts.
    Can you suggest a way in which we can do that through Dynamic Grouping?

  2. I did not had this configured. Now I do. This will help a lot. Thanks.

    Your attention to detail is perfect. Great work as always.

  3. Hi,

    I ask out of curiosity .

    1. I created a group “Communication_Basic” with Business Basic licenses with plan: Exchange, MS Teams and SharePoint
    2. I added user to that group and after while he got Business Basic license with Exchange, Teams and SP.

    And question is –

    3. If I want assign another (additional) license for user – for example Whiteboard – the group assign licenses won’t override this and remove that licenses?


    1. Hi Przemek,

      If you assign the “Whiteboard” license directly to the user, you will get the error:
      “One or more of the licenses could not be modified because they are inherited from a group membership. To view or modify group based licenses visit the Azure admin portal.”

      It’s best for you to:

      1. Create a new security group. For example, give it the name “Communication_Whiteboard”.
      2. Assign the license “Whiteboard” to the group that you created in step 1.
      3. Assign the security group to the user.

      The user will have “Communication Basic” assigned licenses and “Communication_Whiteboard” assigned license. These are the licenses for Exchange, MS Teams, SharePoint, and Whiteboard.

      It’s the same example as I did in the article. Only I used Exchange Online instead of Whiteboard.

Leave a Reply

Your email address will not be published. Required fields are marked *