Office 365 License Management: How to Avoid License Rustling
My dad probably should have been born a cowboy. Despite being born as a Cajun in south Louisiana, he loved everything about the American West, from Louis L’Amour novels to Frederic Remington bronzes to horses and cowboy hats. Because of this, I grew up on a steady diet of Western movies, books, and TV shows, which is where I came to appreciate the terrible wickedness of horse thieves and cattle rustlers.
Brief side note: if you didn’t grow up with cowboy movies, cattle rustling is the practice of stealing other people’s livestock so you can sell it as your own. You might be forgiven for thinking that cattle rustling is a thing of the past, and it mostly is, except it’s still around in places like Uruguay, New Mexico, and Hawaii.
Anyway.
One of the reasons cattle rustling thrived in the American West was that cattle are interchangeable. Unless and until you brand or tag them, there’s no way to prove that a particular cow belongs to Mr. Jones vs Mr. Smith.
You know what that reminds me of? Randy Bias, a founder of the OpenStack Foundation, had a famous analogy contrasting two approaches to managing enterprise cloud architectures.
One is to treat servers like pets: individual named resources that are nursed back to health when they fail and whose loss can cause catastrophic upset. The other is to treat them like cattle: interchangeable units that you just replace on demand. Clearly Microsoft, Facebook, Google, Apple, and other major cloud providers have adopted the cattle approach.
You know what else cattle reminds me of? Office 365 license management.
No, seriously.
Lassoing Office 365 License Management
Think about what happens in an enterprise Microsoft 365 tenant. When someone buys a license, that license is immediately added to the tenant and can be assigned by anyone who has the required permissions (Global admin and User management admin roles can assign or remove licenses).
This seems reasonable at first glance. For example, even though my Quadrotech teammates are spread across eight countries, and although for regulatory reasons we have operating companies registered in the UK, US, Slovakia, and Switzerland, we all work for the same team, and our IT resources are all pooled. However, for many enterprises, this is not the case.
Let me illustrate that with two examples drawn from our customer experience.
First: Contoso Foods (not their real name, of course) is a major US-based food producer. They have a single M365 tenant, in which a number of logically separate business units operate. For example, there’s Contoso Creamery, which makes cheese, and ConTaco, which makes taco shells. These business units all share a single IT department and set of centrally-managed IT resources, but each business unit has people designated to manage that business unit’s IT assets. These people have Global admin access in the M365 tenant.
Second: Wingtip Media, a large multi-national media company, has grown to its present size mostly through mergers and acquisitions. Some business units (let’s say Woodgrove Productions and Tailspin Films) have their own separate M365 tenants, with their own designated admins; other business units (Volcano Media and Fourth Coffee Digital) share the main Wingtip Media tenant.
Clearly these two businesses will have different strategies for purchasing, assigning, and managing licenses… but they’re both vulnerable to rustling. That’s because any Global admin or User management admin role holder in the tenant can assign licenses to anyone she wants to.
Consider the case where Contoso Creamery wants to start using Power BI Pro to analyze their dairies’ productivity. They allocate some money from their operating budget and give it to Contoso Foods’ IT team to buy the licenses. The licenses are purchased and then boom! One of the ConTaco admins sees the licenses available and assigns them to some of his users, not realizing that the licenses are earmarked for another use.
Once you recover from the pun in the preceding sentence, you might object that Wingtip’s immune from license rustling – after all, licenses stop at the tenant boundary, so someone with admin rights to Woodgrove Productions’ tenant can’t rustle licenses purchased for users in Volcano Media. It turns out that they’re not really immune, though, because if the Volcano PR department wants to buy some Visio licenses, there’s no built-in way to stop an admin from the Fourth Coffee team from rustling them.
License Policies
An apparently natural solution is to restrict who can assign licenses by clamping down on who has the Global admin and User management admin roles. That’s a good idea, and you should do that anyway. However, that doesn’t completely solve the problem – now you’ve put the burden of Office 365 license management (and preventing rustling!) on the shoulders of your admin team, while at the same time reducing the number of people with admin access means the ones who keep it have to do more work to keep up.
We have a better solution to clamp down on license rustlers: we call them license policies, and they’re a key part of the delegation and policy control features in Quadrotech Nova.
License policies let you delegate the ability to assign and remove licenses to any user, in any tenant you manage, across, and between tenants – and they can never allocate more than the number of licenses you grant the policy because Nova delegation means they work without having admin rights on M365 itself.
The screenshot below shows a policy we use internally to allow our business unit leads to assign Power BI licenses to their teams without requiring support from our IT admin team.
For both the customers I mentioned above, Nova license policies deliver the tools they need to intelligently assign licenses while still taking advantage of delegated authority and ending the rustling problem.
For Contoso Foods, each independent business unit has a pool of licenses that are theirs alone. They can’t assign more than the number of licenses they have available, so they can’t snatch up another business unit’s newly-bought licenses. For Wingtip, license policies allow the core Wingtip IT staff to assign licenses across all the tenants in Wingtip’s empire, even though they’re separate M365 entities, while still allowing individual business units to preserve their own license herds.
I tried to come up with a clever closing metaphor about calling the sheriff or whistling up a posse or something else Western-themed, but none of them came out very well. Rather than torment you further, I’ll close by saying that Nova can help you keep your license costs – and those pesky rustlers – under control.
Learn more about our Office 365 license management solution here.