On 17 March, Microsoft posted message center notification MC244882 to announce the immediate general availability of auto-claim policies in the Microsoft 365 admin center. Strangely, no roadmap item was cited, meaning that this feature never appeared on the Microsoft 365 roadmap. Thankfully, some documentation is available and the feature is disabled by default.
Apparently, the idea was around early last summer, but I never picked it up.
Auto-Claim Basics
The basic idea is that tenants can create policies to allow applications to claim from a pool of available licenses when a user needs a license to use the app. Auto-claim policies sound like a good idea if you have:
Users who are unlicensed.
No other way of assigning licenses to users either manually during the account creation process, or automatically using your own scripts or with Azure AD group-based licensing.
Mature organizations usually have their own methods for license management and not many new accounts are created without the attachment of licenses.
Teams is the only app which supports auto-claim policies today but given that the policies are now integrated in the Microsoft 365 admin center, it’s likely that auto-claim policies will cover other apps in future. On the surface, it seems odd that Microsoft is now introducing another method. However, Azure AD group-based licensing requires Azure AD Premium P1 licenses and Office 365 E3 or E5, while apps like Teams have a much wider target audience.
Enabling Auto-Claim
Before you can define an auto-claim policy, you need to enable the feature. Go to the Billing section of the Microsoft 365 admin center, then Licenses, and select the Auto-claim policy tab. Finally, hit the big Turn on setting button (Figure 1).
Figure 1: Enabling the auto-claim policy for a tenant
You can also enable the setting through Org settings in the Microsoft 365 admin center. Go to User owned apps and services and check the option to let users auto-claim licenses the first time they sign in (Figure 2).
Figure 2: Org setting to allow users to auto-claim licenses
You can disable the auto-claim policy in Org settings. This doesn’t remove the policy if one is defined. Instead, the policy goes into abeyance until it is reactivated by switching the setting on again.
Creating a Policy
An auto-claim policy applies tenant-wide. There is no way to scope the policy to process only a selected group of accounts. Only one auto-claim policy exists for the tenant. This might change in time as additional apps support license auto-claim or Microsoft introduces policy scoping.
Creating a new auto-claim policy is straightforward. After giving the policy a name (always a test of creativity), the important part is when you link an app (Teams) with assignable licenses. In Figure 3, I define that if an unlicensed user accesses Teams, the auto-claim policy will step in to assign an Office 365 license to the user account. If no Office 365 licenses are available, the policy will attempt to assign an Office 365 E5 license (aka, the backup product).
Figure 3: Assigning the licenses for an auto-claim policy to manage
Licenses like Office 365 E3 span many apps. Some tenants like to disable apps covered by licenses because they don’t want people using them. For instance, you might decide that Microsoft Bookings is not needed by users and so disable that app in the license. When creating an auto-claim policy, it was noticeable that the policy removed Exchange Online Plan 2. I turned it back on to receive an odd warning (Figure 4) that enabling Exchange might disrupt email delivery. Given that Microsoft strongly advocates a position that Teams is best when coupled with Exchange, this is an interesting stance.
Figure 4: Defining the apps in a license to be assigned by the auto-claim policy
After checking all the apps available in the licenses to be assigned, save the policy. It becomes effective immediately.
Testing License Assignment
To test that the auto-claim policy worked, I created a new account in the Azure AD portal. I then added the new account to a team and logged into Teams as the user. After going through the normal routine for a new user (setting a new password, etc.), Teams started up as normal. No indication appeared that a license assignment happened. From a user experience perspective, this is how things should happen. People responsible for the delivery of training before people use apps might need to reconsider how they approach training if license auto-claim becomes the norm.
The auto-claim policy does not assign a license for Teams if a licensed account with the Teams app turned off attempts to use the app.
According to the documentation, an auto-claim policy report is available in the Microsoft 365 admin center to show all licenses assigned by policy over the last 90 days. No trace of a report is visible in my tenant, but this is probably due to the normal two-day delay before usage reports are available in the admin center. It’s easy to check if a license is assigned to an account by looking at its properties (Figure 5), where we find that the policy did indeed work and a license is present.
Figure 5: Checking that a user account has received the correct license from the auto-claim policy
You can also track license assignment in the audit events logged for the account in the Azure AD portal. Figure 6 shows details of an audit event captured after a license is assigned when a user logs into Teams for the first time.
Figure 6: Audit event for a license assignment
Audit records also appear in the Office 365 audit log. Search for “Update user” operations and look for license updates in the ModifiedProperties property of the AuditData payload in the audit events. You’ll see a bunch of license assignments recorded there similar to those shown in Figure 6 (unsurprising, because it’s the same data).
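One way to run the audit log check described above, as an added PowerShell example (not code from the original post). It assumes the Search-UnifiedAuditLog cmdlet from the Exchange Online management module for live data; the field names read from AuditData, the AssignedLicense property name, and the sample record are assumptions to confirm against a record from your own tenant.

```powershell
# Added example: extract license changes from "Update user" audit records.
# Assumed AuditData fields: ObjectId (target account), UserId (actor) and
# ModifiedProperties entries with Name / OldValue / NewValue.
function Get-LicenseChange {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # AuditData arrives as a JSON string on each audit record.
        $data = $Record.AuditData | ConvertFrom-Json
        foreach ($prop in $data.ModifiedProperties) {
            # Keep only the license property; skip other attribute updates.
            if ($prop.Name -ne 'AssignedLicense') { continue }
            [pscustomobject]@{
                Time     = $Record.CreationDate
                Target   = $data.ObjectId
                Actor    = $data.UserId
                OldValue = $prop.OldValue
                NewValue = $prop.NewValue
            }
        }
    }
}

# Constructed sample record (not real tenant data) so the function runs offline.
$sample = [pscustomobject]@{
    CreationDate = [datetime]'2021-03-20T10:15:00Z'
    AuditData    = @{
        Operation          = 'Update user'
        ObjectId           = 'new.user@example.com'
        UserId             = 'constructed-actor@example.com'
        ModifiedProperties = @(
            @{ Name = 'AssignedLicense'
               OldValue = '[]'
               NewValue = '[SkuName=ENTERPRISEPACK, DisabledPlans=[]]' },
            @{ Name = 'Included Updated Properties'
               OldValue = ''
               NewValue = 'AssignedLicense' }
        )
    } | ConvertTo-Json -Depth 5
}
$sample | Get-LicenseChange | Format-List

# Against a tenant (requires audit log search permission). The log may record
# the operation name with a trailing period, so both spellings are requested:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations 'Update user', 'Update user.' -ResultSize 5000 |
#     Get-LicenseChange | Sort-Object Time
```

Because the policy is tenant-wide and cannot be scoped, comparing the Target values against the accounts you expect to be newly licensed is a quick way to spot assignments nobody planned for.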
Update: After 7 days, no auto-claim report has shown up in the admin center.
A Good Idea but Maybe Not for All
Auto-claim policies seem like a good idea. It’s hard to be definitive now because these policies need to be tested in the wild and assessed by organizations which already have their own methods for license assignment, including granular management of licenses at departmental or country level. Given that solutions already exist in this area (after ten years of Office 365, it would be hard if tools weren’t available), people will need to be convinced to move from what they do now. I could see this approach being popular in sectors with heavy account turnover, like schools, but perhaps less so in large enterprises where license management is often a well-defined art.