What is EmpowerID Azure License Manager?

Azure License Manager (ALM) is an optional module within the EmpowerID Suite designed to assist organizations in managing and auditing their Azure licenses and expenses across various Azure tenants. This module is crucial for cost reporting and effective internal allocation of license expenses.

Understanding Azure Licensing

In Azure, each tenant is associated with an Azure Active Directory, within which various Microsoft products can be enabled and licensed. These products encompass multiple Service Plans detailing the services offered, such as Office 365 Enterprise E3, Visio, and Project. For instance, subscribing to Office Enterprise E3 includes a specific number of licenses priced per user per month.

Open

Azure Licensing Challenges

Organizations face significant challenges in managing and reporting on license distribution when using Microsoft Office 365 and Azure, primarily because:

• Azure and Office 365 licenses can only be subscribed to once per organization.

• Large organizations with multiple departments or business units find tracking license usage difficult and allocating costs accordingly.

• There is no straightforward method to determine license consumption per unit or to manage license assignments and approvals within different business segments.

Illustrative Scenario

Consider a hypothetical company with headquarters and two business units, one in Germany and the other in the United States. The company subscribes to Office 365 Enterprise E3 for 10,000 users at $20 per user per month, totaling $2,400,000 annually. Allocating these costs and managing licenses per unit is complex without adequate tools. Azure Licensing Manager provides the necessary functionality to view total licensing costs and manage and assign responsibilities for these costs effectively.

Open

How Does Azure Licensing Manager Help?

EmpowerID provides a flexible cost and responsibility allocation mechanism within Azure License Manager called "license pools and bundles." License pools and bundles allow an organization to break up its subscriptions to match its logical organizational structure.

Azure Licensing Manager introduces "license pools and bundles," allowing an organization to segment their subscriptions according to their structural hierarchy. This setup enhances visibility and control over licensing allocations and expenditures.

License Pools and Bundles

In our previous example of a hypothetical company with a headquarters department and business units in the United States and Germany, license pools and bundles were discussed. These tools give organizations the ability to see and control licensing. For instance, the company has 10,000 Office 365 Enterprise E3 licenses, with each business unit having its license pool and owner. There are also several license bundles, each with an assigned license count per bundle. For example, the business unit in Germany has been allocated 6,000 Office 365 Enterprise E3 licenses, which are spread across two license bundles: the "DE Standard Employees" and "DE Interns." The bundles have owners who can manage user and group assignments and can determine who has access to a license in the bundle. They also become the default approvers for license access requests for their respective license bundles. Using license pools and bundles, organizations can control license costs and bundle up the cost for a total expenditure allowed per license pool.

The image below displays how Azure License Manager helps organizations visualize and control licensing costs. Azure has several subscriptions that the organization purchased, including 10,000 Office 365 Enterprise E3 licenses and 800 Visio Plan 1 licenses. These licenses are divided into two logically-based license pools for cost allocations and expenditure, one for the German business unit and another for the US unit. Each license pool has assignable bundles, each with a specified number of user licenses mapped to a single Office or Azure product or subscription.

On the right side of the image, in the Azure tenant, each license bundle is mapped to a single Azure Active Directory group for fulfillment. That group has been configured for group-based licensing and mapped to that subscription with service plans enabled or disabled. So, in the Germany example, users in the DE Standard Employees license bundle are fulfilled by a licensed Office 365 Enterprise E-3 full group, which grants all service plans as enabled. In contrast, the license bundle for the DE Interns is mapped to a licensed Office 365 E-3 Limited group, which has two of those service plans disabled. The bundles deliver the same subscription but have been configured and mapped to provide different features to their assignees.

License Bundles - Key Points

• License bundles are the assignable policy object you create in EmpowerID to grant users a subscription in Azure

• Each license bundle creates a single Azure subscription and pushes the resultant assignees of the bundle into a single Azure AD group

• License bundles are mapped to a specific group in Azure that fulfills it

• License bundles are assignable policy objects that can be assigned to any EmpowerID actor type, including users, groups, Management Roles, Business Roles, and Query-based Collections.

• License bundles can have exclusion rules to prevent license assignments to certain people and enforce regulatory restrictions. Exclusion rules can be applied to any EmpowerID actor type.

• License bundles can be requested by self-service users in the IAM Shop

License Bundle Assignees

At its core, license bundle assignees are individuals assigned to a license bundle who, as a result of the assignment, are eligible to receive the license granted by the bundle. As mentioned, license bundles can be assigned to any EmpowerID actor type. You can base your assignments on any criteria for your organization.

The license bundle assignees can be selected from a diverse pool that includes:

• Directly assigning user accounts to a license bundle

• Assigning a group from another system (such as on-premise Active Directory, Amazon AWS, Salesforce, or ServiceNow) to a license bundle

• Assigning Business Roles and Locations to a license bundle, which grants all people with that Business Role and Location a license

• Assigning Management Roles to a license bundle, which grants all people with that role a license

• Assigning Query-based Collections (QBC) that return all users with a specific attribute value to a license bundle, which grants every user in each QBC a license

In addition to defining who should receive the license bundle, you can apply exclusion rules to define who should not receive a license. You can use the same actor types in your exclusion rules as in your assignments. Once a license bundle is defined with assignees and exclusion rules, Azure License Manager calculates the resultant set of license bundle assignees. This set includes everyone eligible for the license bundle minus everyone who should not have it. The end result is that everyone eligible for a license bundle will receive it.

Azure License Manager adds each of these assignees to the License Fulfillment Queue and pushes them into the mapped license bundle group in Azure AD, which grants them the actual license.

License Bundle Eligibility

Beyond defining who should receive a license bundle, ALM makes it possible for you to define who should be eligible to receive one. Returning to the company example mentioned earlier, consider how defining license bundle eligibility can benefit the company's structure.

As you may remember, the organization comprises:

• A headquarters department.

• Two business units, one in Germany and another in the United States.

This organization manages:

• An Azure subscription for Office 365 Enterprise E3 with 10,000 users.

• An Azure subscription for Visio Online Plan 1.

Using ALM, the organization has strategically created license pools and license bundles to align with both its structural and operational frameworks:

• One license pool is dedicated to Germany, and another to the United States.

• Four distinct license bundles for Office 365 Enterprise E3 have been established:

  • For standard employees and interns in both Germany and the United States.

• Similarly, four license bundles for Visio Online Plan I are allocated:

  • Also differentiated for standard employees and interns within each geographical location.

Although the organization's licensing structure is robust, the visibility of all license bundles in the IAM Shop poses potential challenges. Users across different business units could inadvertently or incorrectly request licenses intended for other groups. This could lead to improper allocation, affecting the accuracy of business unit license usage tracking.

To address this, EmpowerID employs an "Eligible Assignees" feature to refine license visibility and access within the IAM Shop. This feature ensures that:

• Each user group sees only the appropriate licenses based on their role and location within the organization.

• Standard employees and interns in Germany and the United States are restricted to viewing and requesting only the bundles designated for them.

By implementing these eligibility controls, the organization prevents cross-unit license requests and maintains accurate license distribution and usage tracking, aligning license management with organizational policies and structure.

Conclusion

Azure License Manager (ALM) within the EmpowerID Suite emerges as a pivotal solution for organizations grappling with the complexities of managing and auditing Azure licenses across diverse Azure tenants. ALM not only aids in the meticulous tracking and allocation of licensing costs but also enhances the strategic management of these assets. By integrating functionalities like license pools and bundles, ALM allows organizations to segment their licenses in alignment with their structural hierarchies, offering a granular level of control and visibility over license allocations and expenses.

Moreover, ALM's introduction of "Eligible Assignees" and the ability to apply specific eligibility criteria further refine the licensing process. This ensures that only appropriate user groups access specific license bundles, preventing misallocation and optimizing license utilization across departments. ALM supports a more accurate and fair distribution of resources tailored to each unit's needs by effectively preventing unauthorized access and ensuring each business unit only views and requests suitable licenses.

Ultimately, Azure License Manager is indispensable for enterprises seeking to streamline their license management processes, enforce compliance, and achieve a more accurate financial oversight over their Azure expenditures. This tool simplifies administrative burdens and drives operational efficiency and cost-effectiveness, making it an essential asset for modern digital enterprises.