License Profiles

License Profiles is the Cayosoft Administrator functionality allows enforcing more advanced Microsoft 365 licensing scenarios as well as existing scenarios covered by attribute policies.

Creating a License Profile

To create a License Profile:

1. In the Cayosoft Administrator Console, navigate to Home > Microsoft 365 Licensing > License Profiles.

   

2. Click Add License Profiles:

   

3. Specify License Profiles settings:

   • Profile Name: This is the friendly name you give to your profile. The actual profile is assigned and stored as a GUID in the Cayosoft Administrator database, so this name can be changed without affecting existing profile assignments or policies.

   • Description: The description is shown on profile selection UIs and helps delegated administrators to choose the right one.

   • Profile Scope: Each profile is scoped to one or more Virtual Admin Units:

By default, the profile is made available only to license assignment commands of the virtual admin units that are included in its scope. If a profile is set to “No Virtual Admin Units”, it will not be available for selection in any Web UI.

NOTE: The License Profile Attribute Policy overrides the scope settings. For example, you can set a profile to be generally unavailable for all virtual admin units but make it available to a specific trustee as part of an attribute policy.

4. Configured licenses: You can select a list of licenses whose enforcement behavior is explicitly configured by the profile as well as a <All other licenses> parameter that sets the behavior for the licenses that are not explicitly defined.

   NOTE: It is important to understand that every profile sets the behavior of every license.

5. Click Save Changes.

Enforcement options

• Assign (enforced) - a license with this enforcement option is always shown and will always be assigned when the profile is applied.

• Revoke (enforced) - a license set to Revoke will always be revoked if already assigned when the profile is applied. Revoked licenses will always be hidden from the available licenses for new user assignments.

• Free selection (selected) - the license assignment is not strictly enforced, leaving the administrator to decide the assignment during profile application, but the license is selected by default for new user provisioning scenarios.

• Free selection (unselected) - the license assignment is not strictly enforced, leaving the administrator to decide the assignment during profile application, but the license remains unselected by default for new user provisioning commands.

• Read-only (do not change) - the existing assignment of the license cannot be changed in the UI and will remain enforced when the profile is applied.

Visibility Options

Along with the above enforcement options, you can choose whether a license is displayed in the UI with the following options:

• Show always - always shows the license in the profile assignment UI, for both new user scenarios and existing assignments.

• Show already assigned - only shows the license when it is already assigned to the user for license modification scenarios. If the license is not assigned, for example when creating a new user, it will be hidden from the UI.

NOTE: Licenses that are already assigned to a user are always shown in the Web UI for license modification scenarios and cannot be hidden.

As mentioned previously, licenses that are not explicitly defined in the profile use the enforcement and visibility options set for <All other licenses> in the table. These options are identical to the above per-license options except that Assign is not available as the default value.

The combination of these two options allows for different scenarios. For example, setting Free selection and Show already assigned will mean that the license cannot be assigned during profile application for new users (because it will not be shown), but can be optionally revoked by the delegated admin when applying the profile. More detailed scenarios can be found below.

License Profiles Settings

This tab provides controls for the exclude list shared among all profiles. Add licenses to this list if you want them hidden from the profile creation UIs. All licenses are added to the exclude list with one of the following enforcement options:

• Revoke (enforced): all existing assignments of excluded licenses are hidden from new license assignments and revoked whenever any profile is assigned.

• Read-only (do not change): all existing assignments of excluded licenses are hidden from new license assignment scenarios and are left as-is if the license is already assigned.

Using License Profiles in Web Portal

License profiles are used primarily in the Web Portal in different licensing commands. The commands can be split into two basic categories:

1. Provisioning (new user profile assignment):

   1. New User (AD)

   2. New User (Office 365)

   3. Enable Mailbox

   4. Clone User

   5. New Linked Mailbox

   6. New User with Linked Mailbox

2. Modify (change existing license assignment/profile):

   1. Office 365 License (AD)

   2. Office 365 License (Office 365)

The profile enforcement options are treated differently in UI depending on the type of command being executed.

The license profile is selected from a dropdown on the relevant provisioning command:

Licenses can be modified within the restrictions set by the profile by clicking the existing License Options link:

License Profile drop-down can have a default/required value set by the License Profile Attribute Policy.

NOTE: If a profile is not selected, the UI is affected by existing License dialog attribute policies. Selecting a profile completely overrides the attribute policy.

License provisioning scenarios

Assign (enforced)

Licenses set to this enforcement behavior will be shown as a read-only checkbox for all license provisioning commands and will always be assigned when the profile is assigned:

This E5 license is selected for assignment and cannot be unchecked because the assignment is enforced by the selected Office Worker profile.

Free selection

• Free selection (selected), show always: Licenses set to this option are checked by default (and will be assigned) but can be unchecked by the delegated admin.

• Free selection (unselected), show always: Licenses set to this option are unchecked by default but can be optionally assigned by the delegated admin.

The checkboxes are set according to the enforcement setting but they are not read-only and the can be changed.

Read-only (do not change), show always

These licenses are shown in the UI, but cannot be selected for assignment because they are necessarily not currently assigned for new users:

The Power Automate Free is visible but is set to read-only.

Show already assigned

All licenses set to this visibility option regardless of the enforcement option are hidden from the license provisioning UIs:

The Power Automate Free is hidden because it is not assigned.

Application provisioning scenarios

In some cases, you will want to control the assignment of specific apps/services inside a license. This can also be done through profiles, using the same enforcement options as described above.

By default, the applications inside a license use the parent enforcement setting, but this can be changed per each individual application:

Assign (enforced) for license, different setting for app(s)

In some cases, you may want to enforce assignment of the license in general but change the behavior for one more specific apps. For example, you can hide an app from view, prevent anyone from assigning it or give a delegated admin the choice to assign an app:

As you can see from the example above, the E5 license is assigned and cannot be unselected. The first two apps are set to free selection and can be optionally excluded or included by the delegated admin. The third app is set to read-only and cannot be checked but is visible and the fourth app is hidden entirely since it is not assigned yet (and thus cannot be assigned).

Free selection for license, but certain must be included/excluded

This is the inverse of the previous scenario where the license in general is freely selectable by the delegated admin. However, if the license is selected, certain apps will be set according to their own enforcement options:

In this scenario, the E5 is freely selectable and does not have to be assigned. However, if it is assigned, the first two apps are always required, the third is visible but cannot be selected while the fourth is hidden entirely.

Using License Profiles in Quotas

Admin Console

In the Cayosoft Administrator Console a filter by license profile is available in each quota definition in AD Users and Users (Office 365) web queries:

This filter shows all licenses that are set to Assign or Free selection in the profile.

Web Portal

In the Web Portal, on the Office 365 License Quotas dashboard filter by license profile is available in the Edit License Quota web action for the AD Users and Users (Office 365) web queries. Learn more in: Edit License Quota web action.

This filter shows all licenses that are set to Assign or Free selection in the profile.

License modification scenarios

When modifying an existing license assignment, the same profile options will behave differently from the previous provisioning views.

When opening an existing user with the Office 365 License command, the existing license is always shown as-is. The changes enforced by the profile are displayed over the existing assignment. The licenses that will be assigned when executing the command correspond exactly to the checkboxes shown in the UI.

Assigning the first profile to user with existing licenses:

This user does not yet have a profile assigned, but already has an E5 license:

If a profile is selected, its enforcement options will take effect on the UI. In this example, the new profile revokes all assigned licenses:

The Power Automate license is hidden since it is not assigned and the E5 license is unchecked and grayed out as it will be revoked.

Note that any enforced changes to the existing licenses are displayed with a warning symbol and corresponding text that describes what will happen.

Profile Violation

If the currently assigned licenses do not correspond to the assigned profile, a message to that effect is displayed when opening the Office 365 License command:

Switching profiles

Opening the license dialog on a user with an existing profile assignment will show the currently assigned profile, and unassigned licenses not hidden by the profile and all the currently assigned licenses:

In this case, all the licenses are hidden by the Revoke All Licenses profile and none of them are assigned. Clicking the Change button and selecting a different profile will show the assigned licenses and any changes enforced by the new selection:

Continuing the example above, there are still no licenses assigned to this user, but the new profile selection now shows a very different result in the UI. The new profile will enforce the assignment of the E5 license as stated by the message in parenthesis while also giving the delegated administrator the choice to assign Power Automate. Since the Power Automate selection is not enforced, no messages are displayed:

Free selection on specific apps

Using profiles, you can also control the per-app enforcement on users with existing licenses. For example, you can strictly enforce a core Enterprise license assignment while providing the delegated administrator the ability to turn specific apps on or off on request:

In this example, the delegated administrator can choose to assign or remove the two apps set to Free selection in the profile.

Enforce assign or remove specific apps

You can also enforce the removal or assignment of specific apps over existing users and license assignment by selecting the corresponding enforcement option in the license profile:

In this example, the license can be freely assigned or modified except for the two apps where the enforcement is explicitly specified. Exchange online will always be assigned if it isn’t and Flow will always be revoked if it is already assigned:

In this case, the change is to the Flow app is also clearly stated. Exchange Online is not affected since it is already assigned which corresponds to the enforcement state of the profile.

Using License Profiles in Quotas

Cayosoft Administrator Console

In the Cayosoft Administrator Console a filter by license profile is available in each quota definition in AD Users and Users (Office 365) web queries:

This filter shows all licenses that are set to Assign or Free selection in the profile.

Web Portal

In Web Portal, locate the Office 365 License Quotas dashboard filter by license profile is available in the Edit License Quota web action for the AD Users and Users (Office 365) web queries.

This filter shows all licenses that are set to Assign or Free selection in the profile.

Bulk Assign License Profile

There are automation rules available to assign profiles in bulk. For example, if you are rolling out this functionality across an existing environment or if you want to regularly sync users back to their profile enforcement settings:

1. AD Users | Enforce License Profile rule - this hybrid rule queries the specified Active Directory scope and for each user that satisfies specific criteria assigns the selected license profile to the related Office 365 account.

2. Office 365 Users | Enforce License Profile rule - this Microsoft 365 rule queries the specified scope and assigns the selected license profile for each user that satisfies the criteria.