Managing Microsoft Licensing Effectively During Migration

Organisations first moving to O365 can often become overwhelmed with the vast amount of services and products affiliated with Office365 E5 licenses.

Evros Microsoft Solutions Architect Sean O’Farrell outlines best practices that enterprises should be implementing with their licensing during migration:

On many of my recent projects, I have focused on desktop readiness and security before moving any users or production data to Office365.

The initial action that many companies should be doing is disabling many of these license services until the organisation is ready for these services like ATP, Teams, and OneDrive for Business.

One of the first things I recommend on new Office 365 tenants is to perform the following tasks:

  • Remove the ability for end users to install Office365 ProPlus from the Office365 portal. If end users require Office365 ProPlus, they must submit a service request to their organisation.
  • Remove Skype for Business, Teams and OneDrive from the Office365 ProPlus installation package. These applications can be added when your customer is ready to roll out Teams, OneDrive and SharePoint.
  • Always assign all users as a minimum: Azure Active Directory P1 license to enable features like:
    • Combined security information registration
    • Self-service Password Reset
    • Multi Factor Authentication
    • Azure Password Protection service
    • Conditional Access
  • Create an AD security group synchronised to Azure AD via AD connect via licensing scenario.

Sometimes when an organisation subscribes to Office365, they do not apply the same governance and control to the allocation of Office365 licenses as they would in an on premise scenario e.g. provisioning an Exchange On-Premise mailbox, SharePoint On-Premise license or SQL client access license.

Quite often an organisation that starts using the Office365 platform, admins of the organisation assign licenses to IT users via the Office365 portal and do not track the license assignment or follow change control on Office365 tenant configuration changes.

Global organisations with over 10,000 users that make a strategic decision to move to Office365 must embark on a user profiling exercise. It is not a real-world scenario to expect an organisation with 10,000 users+ to assign M365 E3 or M365 E5 licenses to all users. There may be a scenario where manufacturing employees only need SharePoint Online licenses to update reports or record their work hours.


If the license assignment process is managed by Azure Active Directory license management, then organisations can continue to follow their existing on-premise change control and monitor the addition and removal of users in on-premise ad security groups with tools such as:

  • Manage Engine – Windows AD Change Auditor
  • Quest – Change Auditor
  • Microsoft Identity Manager (To manage user provisioning and user life cycle)

The key to successfully rolling out these features is when your users are ready. Thorough end-user training and user adoption ensures an organisation maximise their investment in the Office365 platform.

On all Office365 projects, Evros design and configure an end user training portal that is included in all communications to end users that are being migrated to Office365. The portal helps drive user adoption, when a user clicks on the portal link included in the comms, they can experience single sign on via Azure Seamless Sign on and FAQs to cut down on helpdesk calls.

As previously mentioned, I always recommend to customers that ALL users should have at the very minimum: Azure Active Directory P1 licenses.

The next set of screen shots will demonstrate how to assign Azure AD P1 and Office365 Pro Plus ONLY to an on-premise synced security group.

The following steps will outline how to setup Azure Active Directory licensing:

  1. Create an Active Directory security group named LIC_O365ProPlus_ADP1, add all relevant users and run an AD Connect delta sync.
  2. Login to Azure Active Directory portal and click on license.


3. Click on all products.

4. Select the product that you would like to license, in this instance I will select Office365 ProPlus from the Office365 E3 product.

5. Click on licensed groups and assign.

6. Assign the licenses to the security group synchronised from on-premise Active Directory.

7. Move onto assignment options and turn off all features in Office365 E3 except for Office365 Pro Plus.

8. Then click on the assign button.

9. Next step is to assign an Azure AD Premium Plan 1 license to the same group, follow the process in the previous steps but this time, select EMS E3.

10. And in the assignment options, select Azure Active Directory premium edition plan 1 ONLY.

Once users are added or removed from the security groups, AD Connect will synchronise the additions, and removal of users in the relevant security groups every 30 minutes.

Bulk license group management (add and removal)

Most enterprise organisations want to manage the license assignment process and the licenses cost money. In a scenario where the groups are managed at the root forest level, child domains do not have access to the root forest license management groups.

Most organisations block or have not enabled Active Directory Web Services port and protocol which is required remote Active Directory PowerShell. I am a big fan of Quest Active server roles PowerShell module as it does not require Active Directory Web Services ports to be open, it uses standard AD & LDAP ports like 389.

This sample Quest Active Server Roles command an add 900 users in a csv from a child domain into the root forest AD security group for license assignment to the child domain.

Import-Csv “CSV PATH” | For Each-Object{ Add-QADGroupMember -Identity “Distinguished Name of group license security group for child domain” -Member $_.UserPrincipalName

Quest Active Server Roles PowerShell can also be used to add and remove users from security groups. Microsoft Identity Manager can also manage user lifecycle, addition of new users and removal of disabled users.

Do you have more questions about your licensing? Contact Evros today for an Office365 license audit, maximise your investment in Office365 and Microsoft cloud services, and save money on unnecessary license assignments and expenditure.