Azure Active Directory 中基于组的许可是什么?What is group-based licensing in Azure Active Directory?

Microsoft 付费云服务(如 Microsoft 365、企业移动性 + 安全性、Dynamics 365 及其他类似产品)需要许可证。Microsoft paid cloud services, such as Microsoft 365, Enterprise Mobility + Security, Dynamics 365, and other similar products, require licenses. 这些许可证将分配给需要访问这些服务的每个用户。These licenses are assigned to each user who needs access to these services. 若要管理许可证,管理员可以使用某种管理门户(Office 或 Azure)和 PowerShell cmdlet。To manage licenses, administrators use one of the management portals (Office or Azure) and PowerShell cmdlets. Azure Active Directory (Azure AD) 是支持所有 Azure 云服务的标识管理的底层基础结构。Azure Active Directory (Azure AD) is the underlying infrastructure that supports identity management for all Azure cloud services. Azure AD 存储有关用户许可证分配状态的信息。Azure AD stores information about license assignment states for users.

到目前为止,只能在单个用户级别分配许可证,因此,大规模管理可能会变得困难。Until now, licenses could only be assigned at the individual user level, which can make large-scale management difficult. 例如,若要根据组织变化(例如用户加入或离开组织或部门)添加或删除用户许可证,管理员通常必须编写一个复杂的 PowerShell 脚本。For example, to add or remove user licenses based on organizational changes, such as users joining or leaving the organization or a department, an administrator often must write a complex PowerShell script. 此脚本对云服务进行单独的调用。This script makes individual calls to the cloud service.

为了解决这些难题,Azure AD 现在提供基于组的许可功能。To address those challenges, Azure AD now includes group-based licensing. 可将一个或多个产品许可证分配给某个组。You can assign one or more product licenses to a group. Azure AD 确保将许可证分配给该组的所有成员。Azure AD ensures that the licenses are assigned to all members of the group. 将向加入该组的任何新成员分配适当的许可证。Any new members who join the group are assigned the appropriate licenses. 在这些成员离开组时,将删除相应的许可证。When they leave the group, those licenses are removed. 使用此许可管理功能后,将不再需要通过 PowerShell 自动执行许可证管理以反映每个用户的组织和部门结构变化。This licensing management eliminates the need for automating license management via PowerShell to reflect changes in the organization and departmental structure on a per-user basis.

许可要求Licensing requirements

必须具有以下许可证之一才能使用基于组的许可:You must have one of the following licenses to use group-based licensing:

  • Azure AD Premium P1 及更高版本的付费或试用订阅Paid or trial subscription for Azure AD Premium P1 and above

  • 付费版或试用版 Office 365 企业版 E3 或 Office 365 A3 或 Office 365 GCC G3 或 Office 365 E3 for GCCH 或 Office 365 E3 for DOD 及更高版本Paid or trial edition of Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 for GCCH or Office 365 E3 for DOD and above

所需许可证数Required number of licenses

对于分配了许可证的任何组,你还必须具有用于每个唯一成员的许可证。For any groups assigned a license, you must also have a license for each unique member. 虽然不是必须为组的每个成员分配一个许可证,但是你必须至少具有足够的许可证来包括所有成员。While you don't have to assign each member of the group a license, you must have at least enough licenses to include all of the members. 例如,如果你的租户中经许可的组有 1,000 个唯一成员,则必须至少具有 1,000 个许可证才满足许可协议。For example, if you have 1,000 unique members who are part of licensed groups in your tenant, you must have at least 1,000 licenses to meet the licensing agreement.


基于组的许可功能提供以下主要功能:Here are the main features of group-based licensing:

  • 可以将许可证分配到 Azure AD 中的任何安全组。Licenses can be assigned to any security group in Azure AD. 可以使用 Azure AD Connect 从本地同步安全组。Security groups can be synced from on-premises, by using Azure AD Connect. 还可以在 Azure AD 中直接创建安全组(也称为仅限云的组)。You can also create security groups directly in Azure AD (also called cloud-only groups).

  • 将产品许可证分配到组时,管理员可以禁用产品中的一个或多个服务计划。When a product license is assigned to a group, the administrator can disable one or more service plans in the product. 通常,在组织尚未准备好开始使用产品中包含的服务时会执行此分配。Typically, this assignment is done when the organization is not yet ready to start using a service included in a product. 例如,管理员可能会将 Microsoft 365 分配给某个部门,但暂时禁用 Yammer 服务。For example, the administrator might assign Microsoft 365 to a department, but temporarily disable the Yammer service.

  • 支持需要用户级许可的所有 Azure 云服务。All Azure cloud services that require user-level licensing are supported. 此支持包括所有 Microsoft 365 产品、企业移动性 + 安全性和 Dynamics 365。This support includes all Microsoft 365 products, Enterprise Mobility + Security, and Dynamics 365.

  • 基于组的许可目前仅通过 Azure 门户提供。Group-based licensing is currently available only through the Azure portal. 如果主要使用其他管理门户来管理用户和组,可以继续这样做。If you primarily use other management portals for user and group management, you can continue to do so. 但是,应该使用 Azure 门户在组级别管理许可证。But you should use the Azure portal to manage licenses at group level.

  • Azure AD 会自动管理由组成员身份更改导致的许可证修改。Azure AD automatically manages license modifications that result from group membership changes. 通常,在组成员身份发生更改时,许可证修改在几分钟内就会生效。Typically, license modifications are effective within minutes of a membership change.

  • 用户可以是指定了许可证策略的多个组的成员。A user can be a member of multiple groups with license policies specified. 用户也可以拥有在任何组外部直接分配的许可证。A user can also have some licenses that were directly assigned, outside of any groups. 生成的用户状态是所有已分配产品和服务许可证的组合。The resulting user state is a combination of all assigned product and service licenses. 如果为用户分配了来自多个源的同一许可证,则该许可证将仅使用一次。If a user is assigned same license from multiple sources, the license will be consumed only once.

  • 在某些情况下,无法向用户分配许可证。In some cases, licenses cannot be assigned to a user. 例如,当租户中可用许可证不足时,或者同时分配了冲突服务时。For example, there might not be enough available licenses in the tenant, or conflicting services might have been assigned at the same time. 对于 Azure AD 无法为其完全处理组许可证的用户,管理员有权访问其信息。Administrators have access to information about users for whom Azure AD could not fully process group licenses. 然后,可以根据这些信息采取纠正措施。They can then take corrective action based on that information.

我们欢迎反馈!Your feedback is welcome!

如果有反馈或功能请求,请使用 Azure AD 管理员论坛将其与我们共享。If you have feedback or feature requests, share them with us using the Azure AD admin forum.

后续步骤Next steps

若要详细了解通过基于组的许可进行许可证管理的其他方案,请参阅:To learn more about other scenarios for license management through group-based licensing, see: