Eligibility groups
Represent governed business populations such as employees, contractors, clinicians, field staff, or specific departments. Use reliable source attributes and avoid mixing unrelated entitlement decisions into one broad group.
Build a predictable path from authoritative identity attributes to governed Entra groups, approved product and service-plan profiles, visible assignment errors, and timely license removal.

For any user, an administrator should be able to identify the business eligibility decision, the group that grants the product, the membership source, the enabled and disabled service plans, any overlapping assignments, the current processing status, and the removal trigger. That evidence turns group-based licensing into an operational control instead of hidden automation.
Worker type, department, role, location, status, start/end date, and approved eligibility.
Purpose, membership method, rule, owner, approval, exceptions, and change control.
SKU, service plans, dependencies, capacity, monitoring, and lifecycle outcome.
Nested groups: Microsoft documents that group-based license assignment does not currently support nested groups. Only direct, first-level user members of a licensed group receive its license assignment.
Represent governed business populations such as employees, contractors, clinicians, field staff, or specific departments. Use reliable source attributes and avoid mixing unrelated entitlement decisions into one broad group.
Map a specific product and service-plan configuration to a clearly named group. A profile group should answer which SKU is assigned, which plans are disabled, and who owns changes.
Use narrow, time-bound exception groups for add-ons or deviations. Require an approver, owner, review/expiration date, business rationale, and documented removal path.
Avoid one giant “all users” license group when worker populations, locations, service-plan needs, or security requirements differ. Broad groups make change blast radius and exception ownership harder to control.
| Field | Required decision | Evidence | Failure if omitted |
|---|---|---|---|
| Purpose | Business population and product entitlement represented by the group. | Description, design record, service owner. | Membership grows without an accountable reason. |
| Membership | Assigned or dynamic; authoritative attributes; joiner/mover/leaver behavior. | Rule/query, source-system owner, test cases. | Wrong users are added or legitimate users are missed. |
| License profile | SKU, enabled/disabled service plans, dependencies, conflicts, and prerequisites. | Profile map, change approval, test results. | Users receive inconsistent capability or assignment failures. |
| Ownership | Business approver, technical owner, backup owner, and cost center. | Owner fields, support record, periodic attestation. | No one accepts change, error, or renewal decisions. |
| Capacity | Minimum available buffer, threshold alert, purchase escalation, and forecast. | Capacity report, alert, purchase authority. | Group growth creates silent “not enough licenses” errors. |
| Removal | Membership removal trigger and required data/access handoff before reclaim. | Offboarding workflow, validation, closure ticket. | Licenses remain assigned or are removed before continuity decisions. |
Use small test populations and explicit rollback decisions before a license group affects a broad workforce.
Identify purchased products, direct assignments, existing licensed groups, service-plan variations, errors, duplicate entitlement sources, and users with no clear owner.
Map business roles to product SKUs, enabled/disabled plans, security or device prerequisites, usage location, cost owner, and support expectation.
Create stable names and descriptions, owners, membership logic, and a representative pilot population. Test additions, exclusions, movers, and removals.
Apply the product and service-plan profile. Monitor status until processing completes; do not assume a successful group change means every user was licensed.
After verifying group assignment, remove redundant direct licenses in controlled batches. Confirm the user retains the intended effective services.
Review errors, capacity, group owners, rule changes, direct exceptions, inactive populations, and removal evidence on a defined cadence.
Dynamic groups can reduce manual work, but a fragile attribute or broad expression can change access for many users. Treat rule changes as production changes.
Usage location: include accurate usage location in the user provisioning process. Microsoft notes that users without a specific location can inherit the tenant location for group-based assignment, which may be inappropriate for multi-location organizations.
Compare capacity, pending population growth, direct/group overlap, stale assignments, and purchase authority. Restore adequate capacity before retrying affected users.
Identify products and service plans that cannot coexist. Correct the target profile or overlapping entitlement while validating dependencies.
Confirm required plans remain enabled through the same or another product. Do not remove a dependency merely to clear the error.
Correct the user location at the authoritative source and ensure the onboarding workflow prevents recurrence.
Investigate duplicate Exchange proxy addresses and directory synchronization authority before reprocessing.
Capture group, user, SKU, time, error detail, recent changes, and correlation information. Escalate through Microsoft support when necessary.
Microsoft documents support for security groups, mail-enabled security groups, and Microsoft 365 groups in the Microsoft 365 admin center. Validate the current supported group types and operational behavior in your tenant before rollout.
No. Microsoft documents that nested groups are not currently supported; only direct, first-level user members receive the license assignment.
No. Use dynamic membership only where authoritative, stable attributes can reliably express eligibility. Assigned membership may be safer for exceptions or populations requiring explicit approval.
Inventory current licenses and service plans, design and test the target group profile, assign the group license, verify effective services for pilot users, then remove redundant direct assignments in controlled batches with rollback and evidence.
Monitor assignment errors and capacity routinely, reconcile direct overlaps and exceptions monthly, and attest group purpose, owners, membership logic, service plans, and renewal needs at least quarterly.
IT Perfection helps Orange County and Southern California organizations design license profiles, Entra groups, dynamic membership, error monitoring, migration from direct assignment, offboarding, and audit-ready operations.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. Licensing terms and product behavior change; validate current Microsoft documentation and contractual requirements. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.