Group-Based Licensing in Microsoft Entra ID for M365
Learn to configure, verify, and safely roll back group-based licensing in Microsoft Entra ID for reliable Microsoft 365 license automation.
Mission brief
What you will achieve
Complete a production-safe implementation and leave with verification and rollback evidence.
Practical steps
4 guided stages
Follow these in order as your working checklist.
Time to set aside
About 45 minutes
Includes configuration, validation and rollback checks.
Tutorial navigation
Before you begin
- Basic Entra ID user and group administration
- Microsoft Graph PowerShell SDK familiarity
- Understanding of Microsoft 365 license SKUs
One of the most common tickets a junior engineer inherits in an enterprise Microsoft 365 environment is inconsistent or missing license assignment: a new hire can sign in but Outlook never provisions a mailbox, or Teams is missing for an entire department. In most tenants this traces back to manual, per-user license assignment that nobody maintains as staff join, move, or leave. The production-grade fix is group-based licensing in Microsoft Entra ID, where licenses are attached to a security group rather than individual accounts, and membership (ideally dynamic, attribute-driven membership) does the assignment work automatically.
This tutorial walks through configuring group-based licensing end to end, verifying it actually applied, and safely rolling it back if it causes a service disruption — the exact skill set expected of a new engineer supporting a live tenant. It also covers the operational discipline around change control, monitoring, and evidence collection that separates a demo-quality configuration from something a service desk can rely on at 2 a.m. without paging a senior engineer.
#Scenario
You have been asked to automate Microsoft 365 E3 and a Power Automate per-user plan for everyone in the Sales department, using the department attribute synchronised from on-premises Active Directory (or set directly in Entra ID for cloud-only tenants). Today this is done manually by the helpdesk team, and it is regularly missed for new starters. The business impact is concrete: a new account executive without Exchange Online for their first three days is a recurring, avoidable complaint, and repeated manual assignment errors erode confidence in the identity team.
#Prerequisites
- Microsoft Entra ID P1 (or higher) licensing in the tenant — required for dynamic group membership rules. Assigned/static groups work on any tier but require manual membership maintenance.
- An account with the License Administrator Entra role, or Groups Administrator if you also need to create the dynamic group. Avoid using Global Administrator for this task.
- Confirmed available license units for the target SKU (checked in Microsoft 365 admin center > Billing > Licenses).
- Microsoft Graph PowerShell SDK installed locally for verification and auditing (
Install-Module Microsoft.Graph). - A confirmed, healthy Azure AD Connect (or Entra Connect) sync cycle if
departmentis sourced from on-premises AD — check the last successful sync timestamp before relying on the attribute. - A change ticket or request record already logged, even at pilot stage, so the configuration is traceable back to an approved request rather than an ad hoc console change.
#Least-privilege note
License Administrator can assign, remove, and update license assignments for users and groups but cannot create Conditional Access policies or reset arbitrary passwords. Request this role specifically rather than accepting a broader admin role bundled with it — if your organisation uses Privileged Identity Management (PIM), activate it as a time-bound, just-in-time assignment rather than holding it standing. If you also need to create the dynamic group itself, request Groups Administrator for the same limited window; do not request Global Administrator as a shortcut to avoid two separate PIM activations.
#Step 1: Confirm the target SKU and available seats
- Sign in to the Microsoft 365 admin center at
admin.microsoft.com. - Go to Billing > Licenses and locate the SKU (for example,
Microsoft 365 E3). - Note the Unassigned count. If it is lower than your expected department headcount, raise a licensing procurement request before proceeding — group-based licensing will silently fail assignments once seats run out, and affected users show an error state rather than a clear alert.
- Repeat the same seat check for the Power Automate per-user plan SKU independently; teams frequently confirm the primary SKU has capacity and overlook a smaller add-on SKU running out first.
#Step 2: Create or identify the group
For an attribute-driven population, a dynamic security group is the correct choice.
- Open the Entra admin center at
entra.microsoft.comand navigate to Groups > All groups > New group. - Set Group type to Security, provide a clear name such as
LIC-Sales-E3, and set Membership type to Dynamic User. - Add the dynamic query rule. For a department-based rule:
1(user.department -eq "Sales") - Save the group. Dynamic membership evaluation is not instant — initial population can take anywhere from a few minutes to several hours depending on tenant size and directory sync load.
If this tenant does not have Entra ID P1, create an Assigned security group instead and accept that membership additions/removals will be manual, or handled through an existing HR-driven provisioning workflow. Name the group consistently regardless of type (a LIC- prefix convention) so that anyone auditing group-based licensing later can distinguish licensing groups from access-control groups at a glance, and so that a future migration from assigned to dynamic membership does not require renaming and re-linking dependent documentation.
#Step 3: Assign the license to the group
- In the Entra admin center, go to Identity > Users > All users is not the path here — instead go to Identity > Groups, open
LIC-Sales-E3, and select Licenses under Manage. - Click Assignments > Add assignment, choose the Microsoft 365 E3 SKU.
- Expand Options and review the individual service plans (Exchange Online, SharePoint, Teams, Stream, etc.). Disable any service plans not approved for this department — for example, if Sales should not receive Yammer/Viva Engage, toggle it off here rather than relying on a separate policy.
- Confirm the assignment. Entra ID begins processing membership and pushing licenses to each qualifying user.
- Repeat the assignment step for the Power Automate per-user plan SKU on the same group, reviewing its service plan options separately — each SKU assignment on a group is configured independently, so disabling a plan on one SKU has no effect on another.
#Step 4: Verify the assignment actually applied
Do not close the ticket on the assumption that the group configuration succeeded — verify against real user objects.
- In the Entra admin center, open a known Sales user’s profile and go to Licenses. Confirm the SKU shows as assigned via group with status Success, not Error or Processing.
- Cross-check with Microsoft Graph PowerShell:
1Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All" 2Get-MgUserLicenseDetail -UserId "jane.doe@contoso.com" - Confirm the mailbox actually provisioned in Exchange Online (can take up to a few hours after license success):
1Get-Mailbox -Identity jane.doe@contoso.com - Check the group’s Licenses > error status tab in the Entra admin center for any users stuck in an error state — this is the single most useful screen for this feature and is often missed by new engineers.
- Capture evidence for the change ticket: a screenshot or exported CSV of the group’s license assignment status, and the PowerShell output for at least two sampled users. This evidence is what distinguishes a verified change from an assumed one during a post-incident review.
#Verification evidence checklist
Before marking the pilot or rollout complete, confirm each of the following independently rather than inferring success from the console alone.
| Evidence item | Where to check | Acceptable result |
|---|---|---|
| Group membership populated | Entra admin center > Groups > Members | All expected pilot/department accounts listed, no unexpected accounts |
| License assignment status | Group > Licenses > Assignments | Status shows Success for all target SKUs, zero in Error |
| Per-user license detail | Get-MgUserLicenseDetail | SKU listed with correct service plans enabled/disabled as configured |
| Mailbox provisioning | Get-Mailbox in Exchange Online PowerShell | Mailbox object exists within a few hours of license Success |
| Teams and SharePoint access | Manual sign-in test by pilot user | User can open Teams and access a SharePoint site without manual intervention |
#Common failure modes
| Symptom | Likely cause | Resolution |
|---|---|---|
| User shows license error, no seats consumed | Unassigned unit count reached zero | Procure additional seats or remove the SKU from users no longer needing it, then reprocess |
| User in two groups both assigning the same SKU with different disabled service plans | Conflicting group-based license definitions | Entra ID merges assignments; the most permissive plan combination usually wins — consolidate into a single authoritative group per SKU where possible |
| New hire not licensed after 24 hours | Dynamic membership rule attribute not populated (e.g. department blank in on-prem AD) or sync delay from AD Connect | Verify the attribute on the source object and confirm the last AD Connect sync cycle completed |
| Mailbox missing despite license showing Success | Exchange Online provisioning backlog | Normal within a few hours; escalate only if it exceeds 24 hours |
| Group shows correct membership but zero licenses processed | Available seat count exhausted after the assignment was configured but before initial processing completed | Recheck Billing > Licenses, procure seats, then force reprocessing by removing and reapplying the assignment |
| Pilot user retains old manually assigned license alongside the new group-based one | Manual assignment was never removed before enabling group-based licensing | Manually unassign the legacy direct license once group-based assignment is confirmed Success, to avoid double consumption of seats |
#Change management before wider rollout
Do not enable this for the full Sales department directly in production without a controlled test:
- Log a standard change request describing the SKU, group name, and dynamic rule.
- Pilot with a static test group containing two or three volunteer accounts first, and validate mailbox, Teams, and SharePoint provisioning end to end.
- Only after pilot sign-off, switch the group to the live dynamic rule or expand static membership.
- Record the change in your ticketing/change system with before/after license counts and the rollback procedure below attached.
- Notify the helpdesk team of the go-live window and the new authoritative process, since they are the front line for any provisioning complaints during the first week and need to stop performing the old manual assignment step.
- Schedule the dynamic rule switch outside peak business hours where practical, since a large department-wide membership evaluation can generate a burst of simultaneous mailbox and Teams provisioning requests.
#Rollback procedure
If group-based licensing causes unexpected service loss (for example, a disabled service plan removes access someone actually depended on):
- Do not delete the group immediately — this can trigger bulk license removal and associated data retention timers (Exchange mailbox conversion, OneDrive retention countdown) across every member simultaneously.
- First, remove only the specific license assignment from the group under Group > Licenses > Assignments, leaving the group itself intact for later reuse.
- Monitor affected users’ license status until it returns to unassigned, then reassign the previous manual licenses if an interim state is required.
- For a single problem user rather than a group-wide issue, add them to an exclusion group pattern instead of unwinding the whole group assignment — this is the standard production approach and avoids re-litigating the entire rollout.
- Document the rollback outcome in the same change ticket and note the root cause for the post-incident review.
- If the rollback was triggered by a disabled service plan rather than a licensing failure, re-enable that specific service plan on the group assignment rather than removing the whole SKU, then re-verify with the same evidence checklist used during initial rollout before considering the incident closed.
#Ongoing operations
Once live, periodically audit license error states rather than waiting for helpdesk tickets:
1Get-MgGroup -Filter "displayName eq 'LIC-Sales-E3'" | Select-Object Id
2Get-MgGroupMember -GroupId <group-id> | ForEach-Object { Get-MgUserLicenseDetail -UserId $_.Id }Consider scheduling this as a runbook in Azure Automation or a scheduled task feeding an alert into your team’s monitoring channel so license errors surface before end users notice missing services. At minimum, review the seat consumption trend against total purchased seats weekly, since gradual headcount growth in a dynamic group can exhaust a SKU quietly over several months with no single change event to point to. Also review group membership drift monthly against HR records; a dynamic rule based on a single attribute like department can misfire if that attribute is repurposed elsewhere in the directory for an unrelated reporting or Conditional Access rule, so treat any change to that attribute’s meaning as a change to this licensing configuration as well and route it through the same change process.
Group-based licensing removes one of the most persistent sources of manual error in enterprise Microsoft 365 administration, but it introduces its own failure surface around seat exhaustion, conflicting group definitions, and directory sync timing. Treat it like any other production identity change: pilot it, verify against real service provisioning rather than just the license blade, keep a clean rollback path that does not force a disruptive full removal when only one user is affected, and fold the ongoing seat and membership audits into the same monitoring discipline you would apply to any other tenant-wide automation. Done this way, the configuration stops being a one-off console task and becomes a durable, auditable piece of the tenant’s identity operations that a graduate engineer can hand off, extend to other departments, and defend confidently during a change review or an audit.
Advanced suggested reading
Ready to go deeper?
These articles come from KBY’s senior engineering editorial. Expect denser architecture, fewer introductory explanations and deeper production trade-offs.
DevOps & Automation
Ephemeral Preview Environments: Namespace-per-PR
How namespace-per-PR ephemeral preview environments handle TTL cleanup, wildcard ingress, resource quotas, and DB isolation without leaking cluster capacity.
DevOps & Automation
Expand-Contract: Zero-Downtime Schema Migrations
How the expand-contract pattern gates schema migrations behind dual-write flags, batched backfills, and parity checks to avoid version skew.
DevOps & Automation
Taming Argo CD Sync Storms in Shared Clusters
Why a single monorepo push can trigger thousands of simultaneous Argo CD reconciliations, and how sharding, repo-server caching, and sync windows stop it.
Comments
Add a thoughtful note on Group-Based Licensing in Microsoft Entra ID for M365. Comments are checked for spam and held for moderation before appearing.
Continue the track
Related Graduate tutorials
Endpoint and Device Management: A Production Playbook
A practical guide to managing endpoints and devices in production, covering Intune compliance, Conditional Access, rollback, and verification.
Deploying Entra ID Conditional Access Without Locking Everyone Out
A staged, reversible method for enforcing MFA via Entra ID Conditional Access, covering break-glass accounts, Report-only validation, and rollback steps.