5/1/2018
This article contains information shared with customers who have sought to understand why some Microsoft services require a license in order to let your support partner work with certain features in Office 365.
One of the best aspects of being a Microsoft CSP partner is that we can support our customers through Delegated Administration without the need to acquire additional licenses for Office 365. Without this capability, supporting customers would quickly become unsustainable, since each member of the IT staff would require 50, 100, or more licenses - one at each customer's tenant.
However, our customers are often surprised to hear there are limitations to delegated administration and situations where it doesn't apply. Other times, customers just assume they will have to purchase a license for our staff to support them, just as if they had hired their own employee to manage IT internally.
The reality is a lot more complicated - basically like everything Microsoft does.
Partner Access via Delegated Administration
For most Office 365 features - such as adding or deleting a user, resetting passwords, and creating groups - Delegated Administration will be plenty to get the job done.
Partners can assign their own staff to use delegated admin permissions at several different levels:
- No special access
- Global administrator of the partner's Office 365 tenant but no access to customer tenants
- Limited access to customers' tenants - equivalent to the Password Admin role
- Full access to customers' tenants - equivalent to the Global Admin role
As you can see, we're able to assign our staff to act in full admin capacity or just to help users reset their passwords. We can also make sure that any salespeople or managers who need access to Microsoft Partner Center (or even the admin to our own tenant) do not get unfettered access to customer data.
Global Admin Not So Global After All
But, there are situations where even Global Administrator is insufficient to get the job done.
Contrary to its name, the Global Administrator role doesn't have rights to everything in Office 365. Here are a few examples:
- Most of the functionality in Security & Compliance Administration portal
- RBAC in Exchange, which gives administrators the ability to do things like read the contents of a user's mailbox
- Mobile Device Management in Office 365
- Device Management via Intune, which is part of EMS
- Management of Conditional Access Policies or Privileged Identity Management in Azure AD, which is another part of EMS
This may seem counterintuitive, but it's actually done this way by design. Smaller organizations probably don't care much about separation of duties, but in larger companies (especially those who must meet security regulations) it is very important to ensure that someone is watching the watchers.
If you truly want a user to have access to everything, you'll need to add them to several different roles. Fortunately, this is something that Global Administrators can do.
You May Think You Know the Location of "The Lock Box", and Maybe You Do.
For Microsoft support personnel, there is the option of Customer Lockbox Requests, which are part of the Office 365 E5 plan and can be added a-la-carte. To our knowledge, it's not possible for a supporting partner to make lockbox requests. However, they do give you some peace of mind when it comes to Microsoft's support staff accessing your data, such as the contents of a user's mailbox.
Got the Role; You [Still] Need a License
Some administrative needs can be met by creating an unlicensed administrative user on the customer's tenant. For example, this is the approach we'd typically use to configure core features within Security & Compliance.
However, there are many cases where certain functionality will not be made available unless a user has a license to that part of the product. For instance, you can't add an Office 365 user to any role based access controls in Exchange unless they have an Exchange mailbox of their own, and you can't perform most duties associated with Enterprise Mobility and Security unless you have at least the EMS E3 license. Likewise, your admin can't do much in Dynamics 365 or Project Online without a license to those products. Many aspects of e-discovery will require a license to Azure Rights Management, whether that's obtained as part of an E3 or with EMS.
To sum up, admins will need a license to access these products:
- Exchange Online
- Enterprise Mobility and Security (Intune, Azure AD Premium and Azure Rights Management)
- Project Online
- Dynamics 365
For the first two above, there are a couple ways to do this cost effectively:
- Office E3, which includes Exchange and Azure RM : $20
- Exchange Online Plan 2 and an EMS E3 : $8 + $8.70 = $16.70
- (Adding both would set you back $28.70)
Unfortunately, for Project and Dynamics, you're probably stuck buying premium licenses for your admins.
Cost Control Strategies
Given that licenses are needed to get certain jobs done, and that your Microsoft partner may assign any number of people to support you, it's quite possible for administrator account license costs to spiral out of control.
Here are some things we have tried to keep this problem in check.
Idea #1: Create an account with all the licenses set aside. Use it only when you need it.
This strategy is fairly common in small to midsize companies and works equally well with your own IT staff as well as support partners.
The idea here is that you have one or more special admin accounts. You assign the licenses needed to each one and you set the password randomly, sharing it when needed and changing it when the assignment is completed.
In this case it is a good idea to partition out the licenses in case more than one person needs to be working on different things at the same time. For example:
- Admin365 - a Global Admin with no licenses that is not shared with others, but kept as a backup
- TempAdmin - a secondary admin account whose password can be shared with outside IT help as needed, then changed
- MailAdmin - has an Exchange Plan 1 license needed to manage mailboxes and Exchange Admin Role
- ComplianceAdmin - has an E3 license and roles needed for Security & Compliance, e-Discovery, etc.
- DeviceAdmin - has EMS license and administrator access to Azure AD and Intune
- CrmAdmin - has a Dynamics 365 license and roles to manage the product
- ProjectAdmin - has a Project Online Pro license and roles to manage the product (they shouldn't require Premium)
The above list is by no means definitive. There are other possible ways to arrange these. For example a security admin would need access to Azure AD and some things granted by rights management, so they could end up with both an E3 and EMS.
Here are the pros to this approach:
- Use of the license is active immediately, without any delay.
- Set it and forget it.
- You can combine it with privileged identity management (Azure AD Premium Plan 2) for added protection.
And the cons:
- Lack of accountability on a shared account may violate security requirements such as NIST.
- Users may maintain control of privileged accounts if you neglect to change the passwords frequently.
- Admins may need to access the system through an in-private browser. (Is this a bug or a feature?)
Once you have accounts in place, you'll be responsible for managing access to them as needed. Most admins and support staff would use their own unlicensed super-user accounts until they run into some limitation where they can't complete a task without the elevated permissions, then they would obtain these from you.
Idea #2: Have a handful of extra licenses. Assign them to admin or support staff only for the day they are needed.
This strategy works by requiring that each administrator has their own "super-user" account which is used to get their job done. If they have a regular account for e-mail, it is a separate login.
You keep a small pool of licenses set aside for whenever the need arises. Depending on which products are in use, one or two Office 365 E3, EMS E3, Project, and Dynamics licenses should be sufficient.
There are a few advantages to doing things this way:
- Each administrator has their own identity, so you can track who performed what change. This is important for accountability purposes and complying with security regulations/requirements.
- Self-service: As these super users are admins in their own right, they can assign themselves the license as needed and remove it when they are done.
There are also a few drawbacks:
- Some licenses take time before they will work. For example, an Exchange license will take time to provision a mailbox.
- The admins may have to log out and back in again for the effect of the license to kick in.
- You would be responsible for checking to ensure that people do not forget to free up licenses they no longer need.
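One way to run the check in the last drawback above, as an added example that is not part of the original article: a report-only Microsoft Graph PowerShell script that lists admin accounts still holding a license from the pool. The `adm-` UPN prefix, the pool SKU list and the 24-hour threshold are assumptions to adjust for your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example: report admin accounts that still hold a pooled license.
# Assumptions (not from the article): admin UPNs start with 'adm-', the pool
# consists of the SKUs in $PoolSkus, and a license held over 24 hours is stale.
param(
    [string[]] $PoolSkus     = @('ENTERPRISEPACK', 'EMS'),  # Office 365 E3, EMS E3
    [string]   $AdminPrefix  = 'adm-',                      # hypothetical naming convention
    [int]      $MaxHoursHeld = 24
)

Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All'

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddHours(-$MaxHoursHeld)

# Resolve the part numbers to the SkuId GUIDs this tenant actually owns.
$skus = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -in $PoolSkus }

$report = foreach ($sku in $skus) {
    # Server-side filter: only users who currently hold this SKU.
    $holders = Get-MgUser -All `
        -Filter "assignedLicenses/any(l:l/skuId eq $($sku.SkuId))" `
        -Property 'id', 'userPrincipalName', 'licenseAssignmentStates'

    foreach ($user in $holders) {
        if (-not $user.UserPrincipalName.StartsWith(
                $AdminPrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }

        # Direct assignments only; group-based licenses are not released by hand.
        $state = $user.LicenseAssignmentStates |
            Where-Object { $_.SkuId -eq $sku.SkuId -and -not $_.AssignedByGroup } |
            Select-Object -First 1
        if (-not $state -or -not $state.LastUpdatedDateTime) { continue }

        # LastUpdatedDateTime is the last change to the assignment state,
        # used here as an approximation of when the license was handed out.
        $since = $state.LastUpdatedDateTime.ToUniversalTime()
        if ($since -lt $cutoff) {
            [pscustomobject]@{
                Admin     = $user.UserPrincipalName
                Sku       = $sku.SkuPartNumber
                HeldSince = $since
                HeldHours = [int]($now - $since).TotalHours
            }
        }
    }
}

$report | Sort-Object HeldHours -Descending | Format-Table -AutoSize
```

The script changes nothing in the tenant; it only lists the accounts whose licenses should be returned to the pool.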
Whose Problem Is It Anyway?
There are some customers who have said to us that we should be willing to eat the cost of the licenses needed to allow our team to work. The rationale behind this line of thinking isn't totally unreasonable. Their idea is that since we are a Microsoft partner and we are being paid by them to do work, we should accept this as a cost of doing business.
Sometimes there's also a misconception that since we're a partner, we somehow have a back-door to add licenses to the customer's site for free - or at substantially lower cost. Let us say that this is not the case at all; in fact, profit margins on licenses are so small that adding a single license for an administrator account costs enough to offset the profit from seven regular users with the same license - and this is before you consider the costs of providing support and other parts of selling Office 365 that drive down the margins.
There's another way to look at this circumstance. Consider that in most cases, we do not need special licenses to support Office 365. There are only a handful of business cases where it becomes necessary.
- When there is an unusual technical limitation.
- When there are special security compliance needs.
- When Microsoft products are used that require it.
Technical edge cases are very rare, and normally they only apply for a very short time. If your IT operation has you running afoul of these on a frequent basis, there is something more interesting going on at your organization that makes you unique. That's not your partner's fault, but may be something we can help you with.
When you consider security requirements, this is a matter of the customer's choice.
This is especially true where a customer may - for whatever reason - be unwilling or unable to grant Delegated Admin permissions. Even when the need exists because of government regulation, it is ultimately the decision of the business itself to operate in an industry with such regulations and requirements.
As for situations where Microsoft requires us to add a license, we are the first folks to state publicly that we think this is an unfair requirement that ought to be fixed. That being said, things could certainly be worse! We're also grateful that we are able to do so much using delegated administration and without any licenses at all.
Whether you think that the responsibility for licenses lies with the customer or that the partner should cover the cost of their own workers, we think that everyone can agree that it is not desirable to see line items on your invoice associated with however many people your partner has decided to assign to your project. At the very least, there is a clear need to develop a strategy and a policy around this situation in order to avoid any ruffled feathers or bruised feelings.
Our Policy Regarding Licenses Needed by Our Staff
Here's how we decided to tackle this challenge.
- First, do all we can to limit the impact.
  People are much less likely to make a big issue about one or two ten-dollar licenses than they are about a dozen folks with $100 in licenses each. It's one thing if that's what your team requires, but usually we can take steps to keep things reasonable or even trivial. You can see from the strategies above that we often need to consider how to control licensing costs without sacrificing productivity or security.
- If you purchase licenses elsewhere, providing required licenses for our staff is your responsibility.
  This policy is needed because there are plenty of folks out there who get licenses through an EA or direct from Microsoft, and we just don't have any control over that. There's no way for us to convince whomever you're buying Office 365 from to give us a break because, umm, we're... their competitor(?) Simply put, that dog won't hunt.
- Project work isn't the same as a service plan, so different rules apply.
  Just as we have to make a distinction when licenses are being bought somewhere else, we also have to draw the line at the difference between projects (whether T&M or fixed-price) and ongoing support. The perfect example would be a project developing functionality for Project Online or Dynamics 365. These cases require licenses that aren't particularly cheap, and the customer must absorb the cost of those for the members of our staff who are doing the work.
- If you have security requirements that demand licenses for our staff, providing those is your responsibility.
  For example, if you require each administrator to have an account associated with their unique identity, and you require enforcement of conditional access policies, multi-factor authentication, or privileged account elevation, then purchasing Azure AD Premium Plan 2 for each of our administrators is something we require. If you have some data in GCC and some data in the commercial cloud, you may need to create two accounts for each admin. These costs are considered normal for these kinds of circumstances.
- If you're buying licenses from us, you have a service plan that covers a given workload, and that workload requires a license, then the cost of that license is already embedded in the cost of the service plan.
  For example, when we sell our desktop and mobile management service, Enterprise On Demand, we rely very heavily on Intune to deliver that solution. Intune requires a license for each customer user and also one for each administrator who manages the fleet. The cost for these licenses is included in the cost of our service plan, since practically speaking we couldn't offer the service without it. This includes the extra licenses needed for our staff.
- In certain cases, we'll credit the cost of a license if it is being picked up in an unusual way.
  There are times when two products include the same license. For example, you may purchase Microsoft 365 to take full advantage of the "combo-meal" like discount for bundling Office 365, EMS, and Windows 10 Enterprise subscriptions. If you also rely on Liquid Mercury Solutions to provide managed services for desktops and mobiles, we credit the cost of EMS from the plan for those users who are covered under licenses that you paid for. Such cases are rare, but we think it's only fair to give this cost back to the customer, since we would have normally included that license ourselves.
We hope we've been able to clearly and concisely explain the complicated issues that surround Office 365 licenses for administrator and support staff. We believe your IT vendor should always be willing to work with you to ensure that license costs are not growing in a way that is entirely self-serving. That's why we put a lot of thought into the issue and developed standard practices that are fair to both the consultant and the client.
We Want to Hear What You Think
Are you a Microsoft partner who has faced these challenges? Perhaps you're a Microsoft customer who is working with someone who handles this challenge a bit differently? We'd like to hear from you about what you're doing and why. Please reach out to us and start a conversation or share your feedback and comments below.