Resolve group license assignment problems - Azure Active Directory - Microsoft Entra (2023)


Group-based licensing in Azure Active Directory (Azure AD), part of Microsoft Entra, introduces the concept of users in a licensing error state. In this article, we explain the reasons why users might end up in this state.

When you assign licenses directly to individual users, without using group-based licensing, the assignment operation might fail for reasons that are related to business logic. For example, there might be an insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time. The problem is immediately reported back to you.

When you're using group-based licensing, the same errors can occur, but they happen in the background while the Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately. Instead, they're recorded on the user object and then reported via the administrative portal. The original intent to license the user is never lost, but it's recorded in an error state for future investigation and resolution.

Find license assignment errors

To find users in an error state in a group

  1. Open the group to its overview page and select Licenses. A notification appears if there are any users in an error state.


  2. Select the notification to open a list of all affected users. You can select each user individually to see more details.


  3. To find all groups that contain at least one error, on the Azure Active Directory blade select Licenses, and then select Overview. An information box is displayed when groups require your attention.


  4. Select the box to see a list of all groups with errors. You can select each group for more details.


The following sections give a description of each potential problem and the way to resolve it.

Not enough licenses

Problem: There aren't enough available licenses for one of the products that's specified in the group. You need to either purchase more licenses for the product or free up unused licenses from other users or groups.

To see how many licenses are available, go to Azure Active Directory > Licenses > All products.

To see which users and groups are consuming licenses, select a product. Under Licensed users, you see a list of all users who have had licenses assigned directly or via one or more groups. Under Licensed groups, you see all groups that have that product assigned.

PowerShell: PowerShell cmdlets report this error as CountViolation.

Conflicting service plans

Problem: One of the products that's specified in the group contains a service plan that conflicts with another service plan that's already assigned to the user via a different product. Some service plans are configured in a way that they can't be assigned to the same user as another, related service plan.

Consider the following example. A user has a license for Office 365 Enterprise E1 assigned directly, with all the plans enabled. The user has been added to a group that has the Office 365 Enterprise E3 product assigned to it. The E3 product contains service plans that can't overlap with the plans that are included in E1, so the group license assignment fails with the “Conflicting service plans” error. In this example, the conflicting service plans are:

  • Exchange Online (Plan 2) conflicts with Exchange Online (Plan 1).

To solve this conflict, you need to disable one of the plans. You can disable the E1 license that's directly assigned to the user. Or, you need to modify the entire group license assignment and disable the plans in the E3 license. Alternatively, you might decide to remove the E1 license from the user if it's redundant in the context of the E3 license.

The decision about how to resolve conflicting product licenses always belongs to the administrator. Azure AD doesn't automatically resolve license conflicts.

PowerShell: PowerShell cmdlets report this error as MutuallyExclusiveViolation.

Other products depend on this license

Problem: One of the products that's specified in the group contains a service plan that must be enabled for another service plan, in another product, to function. This error occurs when Azure AD attempts to remove the underlying service plan. For example, this can happen when you remove the user from the group.


To solve this problem, you need to make sure that the required plan is still assigned to users through some other method or that the dependent services are disabled for those users. After doing that, you can properly remove the group license from those users.

PowerShell: PowerShell cmdlets report this error as DependencyViolation.

Usage location isn't allowed

Problem: Some Microsoft services aren't available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the Usage location property for the user. You can specify the location under the User > Profile > Edit section in the Azure portal.

When Azure AD attempts to assign a group license to a user whose usage location isn't supported, it fails and records an error on the user.

To solve this problem, remove users from unsupported locations from the licensed group. Alternatively, if the current usage location values don't represent the actual user location, you can modify them so that the licenses are correctly assigned next time (if the new location is supported).

PowerShell: PowerShell cmdlets report this error as ProhibitedInUsageLocationViolation.

Note

When Azure AD assigns group licenses, any users without a specified usage location inherit the location of the directory. We recommend that administrators set the correct usage location values on users before using group-based licensing to comply with local laws and regulations.
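As an added example (not part of the original article and not Microsoft's own script), the PowerShell below triages group-inherited license errors by the four error codes named above and lists users with no usage location set. It assumes user objects shaped like the Microsoft Graph `licenseAssignmentStates` user property; the sample users, GUIDs, the `ZZ` location and the function names are constructed for illustration.

```powershell
# Constructed sample input. Real data could come from the Microsoft Graph
# PowerShell module (assumption: module installed and connected), for example:
#   Get-MgUser -All -Property userPrincipalName,usageLocation,licenseAssignmentStates
function New-State($Group, $Sku, $State, $Err) {
    [pscustomobject]@{ assignedByGroup = $Group; skuId = $Sku; state = $State; error = $Err }
}

$g1 = '11111111-1111-1111-1111-111111111111'   # constructed group ids
$g2 = '22222222-2222-2222-2222-222222222222'
$e1 = 'aaaaaaaa-0000-0000-0000-000000000001'   # constructed SKU ids
$e3 = 'aaaaaaaa-0000-0000-0000-000000000003'

$sampleUsers = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.onmicrosoft.com'; usageLocation = 'US'
        licenseAssignmentStates = @(New-State $g1 $e3 'Error' 'CountViolation') }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.onmicrosoft.com'; usageLocation = 'US'
        licenseAssignmentStates = @((New-State $null $e1 'Active' 'None'),
                                    (New-State $g1 $e3 'Error' 'MutuallyExclusiveViolation')) }
    [pscustomobject]@{ userPrincipalName = 'carol@contoso.onmicrosoft.com'; usageLocation = $null
        licenseAssignmentStates = @(New-State $g2 $e3 'Active' 'None') }
    [pscustomobject]@{ userPrincipalName = 'dave@contoso.onmicrosoft.com'; usageLocation = 'ZZ'
        licenseAssignmentStates = @(New-State $g2 $e3 'Error' 'ProhibitedInUsageLocationViolation') }
)

# The four error codes from this article, mapped to its problem names and fixes.
$errorHints = @{
    CountViolation                     = 'Not enough licenses: purchase more or free up unused licenses'
    MutuallyExclusiveViolation         = 'Conflicting service plans: disable one of the conflicting plans'
    DependencyViolation                = 'Other products depend on this license: keep the required plan or disable the dependent service'
    ProhibitedInUsageLocationViolation = 'Usage location is not allowed: remove the user from the group or correct the location'
}

function Get-GroupLicenseErrorReport {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [hashtable]$Hints = $script:errorHints
    )
    foreach ($u in $Users) {
        foreach ($s in $u.licenseAssignmentStates) {
            # Direct assignments carry no group id; only group-inherited states are reported.
            if (-not $s.assignedByGroup) { continue }
            if (-not $s.error -or $s.error -eq 'None') { continue }
            $hint = $Hints[$s.error]
            if (-not $hint) { $hint = 'Code not listed in this article: inspect the user in the portal' }
            [pscustomobject]@{
                Group  = $s.assignedByGroup
                User   = $u.userPrincipalName
                Sku    = $s.skuId
                Error  = $s.error
                Triage = $hint
            }
        }
    }
}

function Get-UserWithoutUsageLocation {
    param([Parameter(Mandatory)][object[]]$Users)
    # These users inherit the directory location when a group license is applied.
    $Users | Where-Object { [string]::IsNullOrEmpty($_.usageLocation) } |
        Select-Object -ExpandProperty userPrincipalName
}

$report = @(Get-GroupLicenseErrorReport -Users $sampleUsers)
$report | Sort-Object Group, Error | Format-Table Group, User, Error, Triage -Wrap

# Groups that still have users in error and need a Reprocess once the cause is fixed.
$report | Group-Object Group |
    Select-Object @{ n = 'Group'; e = { $_.Name } }, @{ n = 'UsersInError'; e = { $_.Count } } |
    Format-Table -AutoSize

Get-UserWithoutUsageLocation -Users $sampleUsers
```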

Duplicate proxy addresses

If you use Exchange Online, some users in your organization might be incorrectly configured with the same proxy address value. When group-based licensing tries to assign a license to such a user, it fails and shows “Proxy address is already being used”.

Tip


To see if there is a duplicate proxy address, execute the following PowerShell cmdlet against Exchange Online:

Get-Recipient -Filter "EmailAddresses -eq 'user@contoso.onmicrosoft.com'" | fl Name, RecipientType, EmailAddresses

For more information about this problem, see "Proxy address is already being used" error message in Exchange Online. The article also includes information on how to connect to Exchange Online by using remote PowerShell.

After you resolve any proxy address problems for the affected users, force license processing on the group to make sure that the licenses can now be applied.

Azure AD Mail and ProxyAddresses attribute change

Problem: While updating license assignment on a user or a group, you might see that the Azure AD Mail and ProxyAddresses attributes of some users are changed.

Updating license assignment on a user causes the proxy address calculation to be triggered, which can change user attributes. To understand the exact reason for the change and solve the problem, see this article on how the proxyAddresses attribute is populated in Azure AD.

LicenseAssignmentAttributeConcurrencyException in audit logs

Problem: A user has LicenseAssignmentAttributeConcurrencyException for license assignment in audit logs.

When group-based licensing tries to process concurrent license assignments of the same license to a user, this exception is recorded on the user. This usually happens when a user is a member of more than one group with the same assigned license. Azure AD will retry processing the user license and will resolve the issue. There is no action required from the customer to fix this issue.

More than one product license assigned to a group

You can assign more than one product license to a group. For example, you can assign Office 365 Enterprise E3 and Enterprise Mobility + Security to a group to easily enable all included services for users.

Azure AD attempts to assign all licenses that are specified in the group to each user. If Azure AD can't assign one of the products because of business logic problems, it won't assign the other licenses in the group either. An example is if there aren't enough licenses for all, or if there are conflicts with other services that are enabled on the user.

You can see the users who failed to get assigned and check which products are affected by this problem.

When a licensed group is deleted

You must remove all licenses assigned to a group before you can delete the group. However, removing licenses from all the users in the group may take time. While removing license assignments from a group, there can be failures if a user has a dependent license assigned or if there is a proxy address conflict that prohibits the license removal. If a user has a license that is dependent on a license which is being removed due to group deletion, the license assignment to the user is converted from inherited to direct.

For example, consider a group that has Office 365 E3/E5 assigned with a Skype for Business service plan enabled. Also imagine that a few members of the group have Audio Conferencing licenses assigned directly. When the group is deleted, group-based licensing will try to remove Office 365 E3/E5 from all users. Because Audio Conferencing is dependent on Skype for Business, for any users with Audio Conferencing assigned, group-based licensing converts the Office 365 E3/E5 licenses to direct license assignment.

Manage licenses for products with prerequisites

Some Microsoft Online products you might own are add-ons. Add-ons require a prerequisite service plan to be enabled for a user or a group before they can be assigned a license. With group-based licensing, the system requires that both the prerequisite and add-on service plans be present in the same group. This is done to ensure that any users who are added to the group can receive the fully working product. Let's consider the following example:


Microsoft Workplace Analytics is an add-on product. It contains a single service plan with the same name. We can only assign this service plan to a user, or group, when one of the following prerequisites is also assigned:

  • Exchange Online (Plan 1)
  • Exchange Online (Plan 2)

If we try to assign this product on its own to a group, the portal returns a notification message. If we select the item details, it shows the following error message:

"License operation failed. Make sure that the group has necessary services before adding or removing a dependent service. The service Microsoft Workplace Analytics requires Exchange Online (Plan 2) to be enabled as well."

To assign this add-on license to a group, we must ensure that the group also contains the prerequisite service plan. For example, we might update an existing group that already contains the full Office 365 E3 product, and then add the add-on product to it.

It is also possible to create a standalone group that contains only the minimum required products to make the add-on work. It can then be used to license only selected users for the add-on product. Based on the previous example, you would assign the following products to the same group:

  • Office 365 Enterprise E3 with only the Exchange Online (Plan 2) service plan enabled
  • Microsoft Workplace Analytics

From now on, any users added to this group consume one license of the E3 product and one license of the Workplace Analytics product. At the same time, those users can be members of another group that gives them the full E3 product, and they still consume only one license for that product.

Tip

You can create multiple groups for each prerequisite service plan. For example, if you use both Office 365 Enterprise E1 and Office 365 Enterprise E3 for your users, you can create two groups to license Microsoft Workplace Analytics: one that uses E1 as a prerequisite and the other that uses E3. This lets you distribute the add-on to E1 and E3 users without consuming additional licenses.

Force group license processing to resolve errors

Depending on what steps you've taken to resolve the errors, it might be necessary to manually trigger the processing of a group to update the user state.

For example, if you free up some licenses by removing direct license assignments from users, you need to trigger the processing of groups that previously failed to fully license all user members. To reprocess a group, go to the group pane, open Licenses, and then select the Reprocess button on the toolbar.

Force user license processing to resolve errors

Depending on what steps you've taken to resolve the errors, it might be necessary to manually trigger the processing of a user to update the user's state.


For example, after you resolve a duplicate proxy address problem for an affected user, you need to trigger the processing of the user. To reprocess a user, go to the user pane, open Licenses, and then select the Reprocess button on the toolbar.

Next steps

To learn more about other scenarios for license management through groups, see the following:

  • What is group-based licensing in Azure Active Directory?
  • Assigning licenses to a group in Azure Active Directory
  • How to migrate individual licensed users to group-based licensing in Azure Active Directory
  • How to migrate users between product licenses using group-based licensing in Azure Active Directory
  • Azure Active Directory group-based licensing additional scenarios
  • PowerShell examples for group-based licensing in Azure Active Directory

Article information

Author: Delena Feil

Last Updated: 03/05/2023
