Resolve group license assignment problems - Azure Active Directory - Microsoft Entra (2023)

Group-based licensing in Azure Active Directory (Azure AD), part of Microsoft Entra, introduces the concept of users in a licensing error state. In this article, we explain the reasons why users might end up in this state.

When you assign licenses directly to individual users, without using group-based licensing, the assignment operation might fail for reasons that are related to business logic. For example, there might be an insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time. The problem is immediately reported back to you.

When you're using group-based licensing, the same errors can occur, but they happen in the background while the Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately. Instead, they're recorded on the user object and then reported via the administrative portal. The original intent to license the user is never lost, but it's recorded in an error state for future investigation and resolution.

Find license assignment errors

To find users in an error state in a group

  1. Open the group to its overview page and select Licenses. A notification appears if there are any users in an error state.

  2. Select the notification to open a list of all affected users. You can select each user individually to see more details.

  3. To find all groups that contain at least one error, on the Azure Active Directory blade select Licenses, and then select Overview. An information box is displayed when groups require your attention.

  4. Select the box to see a list of all groups with errors. You can select each group for more details.

The following sections give a description of each potential problem and the way to resolve it.

Not enough licenses

Problem: There aren't enough available licenses for one of the products that's specified in the group. You need to either purchase more licenses for the product or free up unused licenses from other users or groups.

To see how many licenses are available, go to Azure Active Directory > Licenses > All products.

To see which users and groups are consuming licenses, select a product. Under Licensed users, you see a list of all users who have had licenses assigned directly or via one or more groups. Under Licensed groups, you see all groups that have that product assigned.

PowerShell: PowerShell cmdlets report this error as CountViolation.

Conflicting service plans

Problem: One of the products that's specified in the group contains a service plan that conflicts with another service plan that's already assigned to the user via a different product. Some service plans are configured in a way that they can't be assigned to the same user as another, related service plan.

Consider the following example. A user has a license for Office 365 Enterprise E1 assigned directly, with all the plans enabled. The user has been added to a group that has the Office 365 Enterprise E3 product assigned to it. The E3 product contains service plans that can't overlap with the plans that are included in E1, so the group license assignment fails with the “Conflicting service plans” error. In this example, the conflicting service plans are:

  • Exchange Online (Plan 2) conflicts with Exchange Online (Plan 1).

To solve this conflict, you need to disable one of the plans. You can disable the E1 license that's directly assigned to the user. Or, you need to modify the entire group license assignment and disable the plans in the E3 license. Alternatively, you might decide to remove the E1 license from the user if it's redundant in the context of the E3 license.

The decision about how to resolve conflicting product licenses always belongs to the administrator. Azure AD doesn't automatically resolve license conflicts.

PowerShell: PowerShell cmdlets report this error as MutuallyExclusiveViolation.

Other products depend on this license

Problem: One of the products that's specified in the group contains a service plan that must be enabled for another service plan, in another product, to function. This error occurs when Azure AD attempts to remove the underlying service plan. For example, this can happen when you remove the user from the group.

To solve this problem, you need to make sure that the required plan is still assigned to users through some other method or that the dependent services are disabled for those users. After doing that, you can properly remove the group license from those users.

PowerShell: PowerShell cmdlets report this error as DependencyViolation.

Usage location isn't allowed

Problem: Some Microsoft services aren't available in all locations because of local laws and regulations. Before you can assign a license to a user, you must specify the Usage location property for the user. You can specify the location under the User > Profile > Edit section in the Azure portal.

When Azure AD attempts to assign a group license to a user whose usage location isn't supported, it fails and records an error on the user.

To solve this problem, remove users from unsupported locations from the licensed group. Alternatively, if the current usage location values don't represent the actual user location, you can modify them so that the licenses are correctly assigned next time (if the new location is supported).

PowerShell: PowerShell cmdlets report this error as ProhibitedInUsageLocationViolation.

Note

When Azure AD assigns group licenses, any users without a specified usage location inherit the location of the directory. We recommend that administrators set the correct usage location values on users before using group-based licensing to comply with local laws and regulations.
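
The four error codes named in the sections above can be pulled per user and mapped back to the section that explains the fix. This is an added example, not code from the original article: it assumes the Microsoft Graph PowerShell SDK (`Get-MgUser` and its `LicenseAssignmentStates` property), the function name `Get-GroupLicenseErrorReport` is hypothetical, and the sample users and GUIDs are constructed so the block runs without a tenant.

```powershell
# Error code -> section of this article that describes the resolution.
$ErrorGuidance = @{
    CountViolation                     = 'Not enough licenses'
    MutuallyExclusiveViolation         = 'Conflicting service plans'
    DependencyViolation                = 'Other products depend on this license'
    ProhibitedInUsageLocationViolation = 'Usage location isn''t allowed'
}

function Get-GroupLicenseErrorReport {
    # Hypothetical helper: emits one row per failed group-inherited assignment.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $User
    )
    process {
        foreach ($u in $User) {
            foreach ($state in $u.LicenseAssignmentStates) {
                # Direct assignments have no AssignedByGroup; this article is
                # about errors recorded for group-inherited assignments.
                if (-not $state.AssignedByGroup) { continue }
                if (-not $state.Error -or $state.Error -eq 'None') { continue }

                $section = $ErrorGuidance[[string]$state.Error]
                if (-not $section) { $section = 'Not one of the four codes listed above' }

                [pscustomobject]@{
                    UserPrincipalName = $u.UserPrincipalName
                    GroupId           = $state.AssignedByGroup
                    SkuId             = $state.SkuId
                    Error             = [string]$state.Error
                    ArticleSection    = $section
                }
            }
        }
    }
}

# Constructed sample data (placeholder GUIDs and names, not real tenant values).
$groupA = '00000000-0000-0000-0000-0000000000a1'
$groupB = '00000000-0000-0000-0000-0000000000b2'
$skuE3  = '00000000-0000-0000-0000-0000000000e3'
$skuE1  = '00000000-0000-0000-0000-0000000000e1'

$sampleUsers = @(
    [pscustomobject]@{
        UserPrincipalName       = 'alice@contoso.example'
        LicenseAssignmentStates = @(
            # E1 assigned directly and active, E3 from the group fails.
            [pscustomobject]@{ AssignedByGroup = $null;   SkuId = $skuE1; Error = 'None' }
            [pscustomobject]@{ AssignedByGroup = $groupA; SkuId = $skuE3; Error = 'MutuallyExclusiveViolation' }
        )
    }
    [pscustomobject]@{
        UserPrincipalName       = 'bob@contoso.example'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ AssignedByGroup = $groupA; SkuId = $skuE3; Error = 'CountViolation' }
        )
    }
    [pscustomobject]@{
        UserPrincipalName       = 'carol@contoso.example'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ AssignedByGroup = $groupB; SkuId = $skuE3; Error = 'ProhibitedInUsageLocationViolation' }
        )
    }
    [pscustomobject]@{
        UserPrincipalName       = 'dave@contoso.example'
        LicenseAssignmentStates = @(
            [pscustomobject]@{ AssignedByGroup = $groupB; SkuId = $skuE3; Error = 'None' }
        )
    }
)

# Per-user detail, then a per-group summary showing which groups need attention.
$report = $sampleUsers | Get-GroupLicenseErrorReport
$report | Format-Table UserPrincipalName, Error, ArticleSection -AutoSize
$report | Group-Object GroupId | Select-Object Name, Count

# Against a live tenant (assumes the Microsoft.Graph.Users module is installed):
# Connect-MgGraph -Scopes 'User.Read.All'
# Get-MgUser -All -Property Id,UserPrincipalName,LicenseAssignmentStates |
#     Get-GroupLicenseErrorReport
```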

Duplicate proxy addresses

If you use Exchange Online, some users in your organization might be incorrectly configured with the same proxy address value. When group-based licensing tries to assign a license to such a user, it fails and shows “Proxy address is already being used”.

Tip

To see if there is a duplicate proxy address, execute the following PowerShell cmdlet against Exchange Online:

Get-Recipient -Filter "EmailAddresses -eq 'user@contoso.onmicrosoft.com'" | fl Name, RecipientType, EmailAddresses

For more information about this problem, see "Proxy address is already being used" error message in Exchange Online. The article also includes information on how to connect to Exchange Online by using remote PowerShell.

After you resolve any proxy address problems for the affected users, force license processing on the group so that the licenses can now be applied.

Azure AD Mail and ProxyAddresses attribute change

Problem: While updating license assignment on a user or a group, you might see that the Azure AD Mail and ProxyAddresses attributes of some users have changed.

Updating license assignment on a user triggers the proxy address calculation, which can change user attributes. To understand the exact reason for the change and solve the problem, see this article on how the proxyAddresses attribute is populated in Azure AD.

LicenseAssignmentAttributeConcurrencyException in audit logs

Problem: A user has LicenseAssignmentAttributeConcurrencyException for license assignment in audit logs. When group-based licensing tries to process concurrent license assignments of the same license to a user, this exception is recorded on the user. This usually happens when a user is a member of more than one group with the same assigned license. Azure AD will retry processing the user license and will resolve the issue. There is no action required from the customer to fix this issue.

More than one product license assigned to a group

You can assign more than one product license to a group. For example, you can assign Office 365 Enterprise E3 and Enterprise Mobility + Security to a group to easily enable all included services for users.

Azure AD attempts to assign all licenses that are specified in the group to each user. If Azure AD can't assign one of the products because of business logic problems, it won't assign the other licenses in the group either. An example is if there aren't enough licenses for all, or if there are conflicts with other services that are enabled on the user.

You can see the users who failed to get assigned and check which products are affected by this problem.

When a licensed group is deleted

You must remove all licenses assigned to a group before you can delete the group. However, removing licenses from all the users in the group may take time. While license assignments are being removed from a group, failures can occur if a user has a dependent license assigned or if a proxy address conflict prohibits the license removal. If a user has a license that depends on a license being removed because of the group deletion, the license assignment to the user is converted from inherited to direct.

For example, consider a group that has Office 365 E3/E5 assigned with a Skype for Business service plan enabled. Also imagine that a few members of the group have Audio Conferencing licenses assigned directly. When the group is deleted, group-based licensing will try to remove Office 365 E3/E5 from all users. Because Audio Conferencing is dependent on Skype for Business, for any users with Audio Conferencing assigned, group-based licensing converts the Office 365 E3/E5 licenses to direct license assignment.

Manage licenses for products with prerequisites

Some Microsoft Online products you might own are add-ons. Add-ons require a prerequisite service plan to be enabled for a user or a group before they can be assigned a license. With group-based licensing, the system requires that both the prerequisite and add-on service plans be present in the same group. This is done to ensure that any users who are added to the group can receive the fully working product. Let's consider the following example:

Microsoft Workplace Analytics is an add-on product. It contains a single service plan with the same name. We can only assign this service plan to a user, or group, when one of the following prerequisites is also assigned:

  • Exchange Online (Plan 1)
  • Exchange Online (Plan 2)

If we try to assign this product on its own to a group, the portal returns a notification message. If we select the item details, it shows the following error message:

"License operation failed. Make sure that the group has necessary services before adding or removing a dependent service. The service Microsoft Workplace Analytics requires Exchange Online (Plan 2) to be enabled as well."

To assign this add-on license to a group, we must ensure that the group also contains the prerequisite service plan. For example, we might update an existing group that already contains the full Office 365 E3 product, and then add the add-on product to it.

It is also possible to create a standalone group that contains only the minimum required products to make the add-on work. It can then be used to license only selected users for the add-on product. Based on the previous example, you would assign the following products to the same group:

  • Office 365 Enterprise E3 with only the Exchange Online (Plan 2) service plan enabled
  • Microsoft Workplace Analytics

From now on, any users added to this group consume one license of the E3 product and one license of the Workplace Analytics product. At the same time, those users can be members of another group that gives them the full E3 product, and they still consume only one license for that product.

Tip

You can create multiple groups for each prerequisite service plan. For example, if you use both Office 365 Enterprise E1 and Office 365 Enterprise E3 for your users, you can create two groups to license Microsoft Workplace Analytics: one that uses E1 as a prerequisite and the other that uses E3. This lets you distribute the add-on to E1 and E3 users without consuming additional licenses.

Force group license processing to resolve errors

Depending on what steps you've taken to resolve the errors, it might be necessary to manually trigger the processing of a group to update the user state.

For example, if you free up some licenses by removing direct license assignments from users, you need to trigger the processing of groups that previously failed to fully license all user members. To reprocess a group, go to the group pane, open Licenses, and then select the Reprocess button on the toolbar.

Force user license processing to resolve errors

Depending on what steps you've taken to resolve the errors, it might be necessary to manually trigger the processing of a user to update the user's state.

For example, after you resolve a duplicate proxy address problem for an affected user, you need to trigger the processing of the user. To reprocess a user, go to the user pane, open Licenses, and then select the Reprocess button on the toolbar.

Next steps

To learn more about other scenarios for license management through groups, see the following:

  • What is group-based licensing in Azure Active Directory?
  • Assigning licenses to a group in Azure Active Directory
  • How to migrate individual licensed users to group-based licensing in Azure Active Directory
  • How to migrate users between product licenses using group-based licensing in Azure Active Directory
  • Azure Active Directory group-based licensing additional scenarios
  • PowerShell examples for group-based licensing in Azure Active Directory

Article information

Author: Manual Maggio

Last Updated: 11/14/2022
