You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Skip to end of banner
Go to start of banner

What is EmpowerID Azure License Manager?

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Azure License Manager (ALM) is an optional module available within the EmpowerID Suite designed to assist organizations in managing and auditing their Azure licenses and expenses across various Azure tenants. This module is crucial for cost reporting and effective internal allocation of license expenses.

Understanding Azure Licensing

In Azure, each tenant is associated with an Azure Active Directory, within which various Microsoft products can be enabled and licensed. These products encompass multiple Service Plans detailing the services offered, such as Office 365 Enterprise E3, Visio, and Project. For instance, subscribing to Office Enterprise E3 includes a specific number of licenses priced per user per month.

Azure Licensing Challenges

Organizations face significant challenges in managing and reporting on license distribution when using Microsoft Office 365 and Azure, primarily because:

  • Licenses for Azure and Office 365 can only be subscribed to once per organization.

  • Large organizations with multiple departments or business units find it difficult to track license usage and allocate costs accordingly.

  • There is no straightforward method to determine license consumption per unit or to manage license assignments and approvals within different business segments.

Illustrative Scenario

Consider a hypothetical company with headquarters and two business units in Germany and the United States, respectively. The company subscribes to Office 365 Enterprise E3 for 10,000 users at $20 per user per month, totaling $2,400,000 annually. Allocating these costs and managing licenses per unit is complex without adequate tools. Azure Licensing Manager provides the necessary functionality to not only view total licensing costs but also manage and assign responsibilities for these costs effectively.

How Does Azure Licensing Manager Help?

EmpowerID provides a flexible cost and responsibility allocation mechanism within Azure License Manager called "license pools and bundles." License pools and bundles allow an organization to break up its subscriptions to match its logical organizational structure.

Azure Licensing Manager introduces "license pools and bundles," allowing an organization to segment their subscriptions according to their structural hierarchy. This setup enhances visibility and control over licensing allocations and expenditures.

License Pools and Bundles

In our previous example of a hypothetical company with a headquarters department and business units in the United States and Germany, license pools and bundles were discussed. These tools give organizations the ability to see and control licensing. For instance, the company has a total of 10,000 Office 365 Enterprise E3 licenses, with each business unit having its license pool and owner. There are also several license bundles, each with an assigned license count per bundle. In Germany, for example, the business unit has been allocated 6,000 Office 365 Enterprise E3 licenses, which are spread across two license bundles: the "DE Standard Employees" and "DE Interns." The bundles have owners who can manage user and group assignments and can determine who has access to a license in the bundle. They also become the default approvers for license access requests for their respective license bundles. Using license pools and bundles, organizations can control license costs and bundle up the cost for a total expenditure allowed per license pool.

The image below displays how Azure License Manager helps organizations visualize and control licensing costs. Azure has several subscriptions that the organization purchased, including 10,000 Office 365 Enterprise E3 licenses and 800 Visio Plan 1 licenses. These licenses are divided into two logically-based license pools for cost allocations and expenditure, one for the German business unit and another for the US unit. Each license pool has assignable bundles, each with a specified number of user licenses mapped to a single Office or Azure product or subscription.

On the right side of the image, in the Azure tenant, each license bundle is mapped to a single Azure Active Directory group for fulfillment. That group has been configured for group-based licensing and mapped to that subscription with service plans enabled or disabled. So, in the Germany example, users in the DE Standard Employees license bundle are fulfilled by a licensed Office 365 Enterprise E-3 full group, which grants all service plans as enabled. In contrast, the license bundle for the DE Interns is mapped to a licensed Office 365 E-3 Limited group, which has two of those service plans disabled. The bundles deliver the same subscription but have been configured and mapped to provide different features to their assignees.

License Bundles - Key Points

  • License bundles are the assignable policy object you create in EmpowerID to grant users a subscription in Azure

  • Each license bundle creates a single Azure subscription and pushes the resultant assignees of the bundle into a single Azure AD group

  • License bundles are mapped to a specific group in Azure that fulfills it

  • License bundles are assignable policy objects that can be assigned to any EmpowerID actor type, including users, groups, Management Roles, Business Roles, and Query-based Collections.

  • License bundles can have exclusion rules to prevent license assignments to certain people and enforce regulatory restrictions. Exclusion rules can be applied to any EmpowerID actor type.

  • License bundles can be requested by self-service users in the IAM Shop

License Bundle Assignees

At its core, license bundle assignees are individuals who have been assigned to a license bundle and are eligible to receive the license granted by the bundle. As mentioned in the key points above, license bundles can be assigned to any EmpowerID actor type, which means that you can base your assignments on any criteria that make sense for your organization.

The license bundle assignees can be selected from a diverse pool that includes:

  • Directly assigning user accounts to a license bundle

  • Assigning a group from another system (such as on-premise Active Directory, Amazon AWS, Salesforce, or ServiceNow) to a license bundle

  • Assigning Business Role and Locations to a license bundle, which grants all people with that Business Role and Location a license

  • Assigning Management Roles to a license bundle, which grants all people with that role a license

  • Assigning Query-based Collections (QBC) that return all users with a specific attribute value to a license bundle, which grants every user in each QBC a license

In addition to defining who should receive the license bundle, you can also apply exclusion rules to the bundle to define who should not receive a license. You can use the same actor types in your exclusion rules as you do in your assignments. Once a license bundle is defined with assignees and exclusion rules, Azure License Manager calculates the resultant set of license bundle assignees. This set includes everyone who is eligible for the license bundle minus everyone who should not have it. The end result is that everyone eligible for a license bundle will receive it.

Azure License Manager adds each of these assignees to the License Fulfillment Queue and pushes them into the mapped license bundle group in Azure AD, which grants them the actual license.

License Bundle Eligibility

Azure License Manager (ALM) not only facilitates the assignment of license bundles but also enables organizations to define who is eligible to access these bundles. This capability is particularly useful for structuring license distribution according to organizational needs and ensuring that licenses are only available to appropriate user groups.

Overview of the Organization's Structure and License Configuration

The example organization comprises:

  • A headquarters department.

  • Two business units, one in Germany and another in the United States.

This organization manages:

  • An Azure subscription for Office 365 Enterprise E3 with 10,000 users.

  • An Azure subscription for Visio Online Plan 1.

Using ALM, the organization has strategically created license pools and license bundles to align with both its structural and operational frameworks:

  • One license pool is dedicated to Germany, and another to the United States.

  • Four distinct license bundles for Office 365 Enterprise E3 have been established:

    • For standard employees and interns in both Germany and the United States.

  • Similarly, four license bundles for Visio Online Plan I are allocated:

    • Also differentiated for standard employees and interns within each geographical location.

Challenges and Solutions in License Distribution

Although the organization's licensing structure is robust, the visibility of all license bundles in the IAM Shop poses potential challenges. Users across different business units could inadvertently or incorrectly request licenses intended for other groups. This could lead to improper allocation, affecting the accuracy of business unit license usage tracking.

To address this, EmpowerID employs a feature called "Eligible Assignees" to refine license visibility and access within the IAM Shop. This feature ensures that:

  • Each user group sees only the licenses appropriate for them based on their role and location within the organization.

  • Standard employees and interns in Germany and the United States are restricted to viewing and requesting only the bundles designated for them.

By implementing these eligibility controls, the organization prevents cross-unit license requests and maintains accurate license distribution and usage tracking, aligning license management with organizational policies and structure.

See Also

Azure License Manager Components

License Fulfillment

License Optimization

License Reclamation

  • No labels