SOLVED

Is Azure Active Directory (Azure AD) Premium still the only way to prevent group sprawl?

Deleted
Not applicable

Hi,

 

we don't use Exchange Online and the number of O365 groups created through various O365 applications are increasing. I've long been looking for a way to prevent group sprawl but the only documented way I can find requires an Azure Active Directory (Azure AD) Premium subscription.

 

Does anybody have any idea if there's something else that can be done to limit who can create O365 groups?

 

Thanks for your input.

10 Replies
best response
Solution
No, as you well mention to absolutely prevent Groups creation in your tenant, you need an Azure AD Premium subscription
@cfiessinger I don’t doubt Juan’s reply for a moment but can you double confirm this from Microsoft itself? This license requirement seems extraordinary. Is there a PowerShell command that could be scripted?

Thanks @cfiessinger.

 

That page's Feature's and Licensing section ends with this curious note:

 

IMPORTANT: For all the Groups features, if you have an Azure AD Premium subscription, users can join the group whether or not they have an AAD P1 license assigned to them. Licensing isn't enforced.

 

Periodically we will generate usage reports that tell you which users are missing a license, and need one assigned to them to be compliant with the licensing requirements. For example, let's say a user doesn't have a license and they are added to a group where the naming policy is enforced. The report will flag for you that they need a license.

It sure seems that Microsoft is highly dis-incentivizing organizations from managing their Groups. (Dynamic membership; Creation controls; Naming Policies; etc. all require a premium license)

I continue to find this an odd approach. It makes compliance difficult because of the many routes to generating an Office 365 Group. Admins beware just because there is no enforcement there is still a liability!

That is ridiculous !

 

I double checked the link as I'm pretty sure 18 months ago you never used to need AAD P!

 

Indeed. Microsoft positions Groups as a key ‘substrate’ to Office 365 and then makes management costly / difficult. This feels like a struggle between common sense and monetisation and it’s clear which one is winning. I’m a huge advocate of Groups but this approach is unfair. The possibility of a mistake in licensing is very likely. Again, admins need to either blanket license or monitor uptake very carefully.

Not only am I concerned because properly governing groups is an expensive feature, but if I use any of these features without licensing everyone, then I'll most likely be breaking our license agreement almost immediately.  Why? Because our business users maintaining Groups will add people to the group without knowing the license requirements and Microsoft doesn't enforce it when they do.

 

We enabled Groups creation in late May and didn't announce, nor publicize, it in anyway within our company.  In June, our end users created 180 groups, and in July they created another 209 -- all without these features enabled because only a fourth of our users have an Azure AD Premium license.  I imagine by the end of the year, every person in the company will be a member of at least one group.

 

Licensing everyone in my company for AD premium is a million+ dollar decision, so we're forced to govern groups without Microsoft's help.

I wouldn’t pretend this is a problem for me it - it isn’t - but @Deleted raises an important operational issue. There tends to be a marketing led assumption that customers will buy premium licensing across the tenant which simply can’t be true just based on the economics. With respect to the Microsoft participants in this thread, there needs to be a grown up discussion within Microsoft regarding AD functionality and features and how these match against product features within Office 365. Handing off risk to customers is not acceptable. When Microsoft entered the ‘cloud first’ era I truly believed that some of the on premises licensing nightmare was behind us. I might have been wrong...

I agree with everyone here that it's pretty 'unfortunate' that Microsoft has made this decision. Admins can't even govern this 100% with managing licenses. For example, users can create an O365 group through planner even without having a license assigned.

 

Soon we'll be looking into AAD Premium but it will be costly, no question so I really wish there was another option. Thanks for your input.

1 best response

Accepted Solutions
best response
Solution
No, as you well mention to absolutely prevent Groups creation in your tenant, you need an Azure AD Premium subscription

View solution in original post