Dynamic Office 365 Groups might come with a big cost

I was very happy when Microsoft announced the preview of dynamic Office 365 Groups because I saw this as another step along the road of being able to move away from old-style email distribution groups. But over the last week or so the penny dropped (no pun intended) that using dynamic groups incurred a substantial fee for Azure Active Directory Premium licenses. Not a problem if you've already coughed up, but certainly a big issue if you imagined that this is the kind of feature that should be included in Office 365 enterprise plans. Microsoft has time to fix the issue before dynamic Office 365 Groups become generally available. I hope they do something smart.

The law of unintended consequences erupted in full force after Microsoft announced their joy at being able to deliver dynamic Office 365 Groups in December. Dynamic distribution groups have been used since Exchange 2003 (when they were called Query-Based Groups or QBGs), so the concept is well understood. A query against a directory is associated with a group and whenever an application needs the membership of the group, the query is resolved against the directory and the current set of members is revealed.

Providing you pay attention to your directory and maintain the properties typically used for queries (department, office, country, and the set of custom attributes), dynamic groups are very useful. Group owners don’t have to spend time dealing with requests to join or leave the group, a task that can consume significant time for large groups.

You don’t have to pay anything extra to use dynamic distribution groups as they are part of the base Exchange product. But dynamic Office 365 Groups require you to have an Azure Active Directory premium license. And it’s not just the administrators who set up and maintain these groups: every single user account that comes under the scope of a directory query used by a dynamic Office 365 Group needs to be licensed. This is a small but terribly significant detail that Microsoft completely glossed over in the original publicity. They have since addressed that flaw and say up front that licensing is necessary, but it took some public criticism before clarity emerged.

I’ve no problem with the concept of charging to provide additional functionality over and above what’s bundled in a product. It’s a reasonable way to provide extra features to those who need them. In the case of Azure Active Directory Premium, it’s entirely possible that you might already pay the extra $6/user/month for features such as self-service password reset or write-back capability to on-premises directories. In this case, you’re fully licensed and dynamic Office 365 Groups are there to be exploited.

Although some tenants will be glad to see a new feature enabled for their Azure Active Directory Premium licenses, it’s disappointing to discover that a free capability in Exchange is not being brought forward to Office 365 Groups. In my mind, this erects a barrier for organizations that have listened to Microsoft wax lyrical about the wonders of Office 365 Groups and want to use them instead of traditional email groups. Not only does Microsoft not have the ability to migrate dynamic distribution groups to dynamic Office 365 Groups, they would rather like you to pay for the privilege of using the new groups after you do all the work to make the transition.

Consider the cost for a medium-size 10,000 user tenant that decides that dynamic Office 365 Groups are a good thing. To constrain cost, they attempt to restrict the scope of the queries in the groups, but as time goes by, changes to the directory or to the queries spread a wider and wider net. Eventually every user comes under the scope of at least one query. Almost without realizing it, a bill of $60,000 monthly or $720,000 annually is incurred just to use dynamic groups. Even with a negotiated discount, the sum is large enough to make the CIO’s eyes water. After all, you could employ several full-time administrators to look after group membership and still have a hefty sum left over.

In this scenario, it’s possible that no one realizes that such a bill is due. The honestly held view might be that only 200 licenses are needed to cover the users who come under the scope of the queries that were originally planned and this is the number of licenses paid for each month. Microsoft doesn’t enforce a licensing restriction that prevents dynamic Office 365 Groups working if unlicensed users come within their scope, but they might in the future. Cue an unmitigated disaster as people come to realize where the problem lies and what they have to do to either buy the necessary licenses or stop using dynamic Office 365 Groups.

Another flaw that I see is the total lack of PowerShell support for dynamic Office 365 Groups. Today, you can’t use PowerShell to transfer a query from a dynamic distribution group to a dynamic Office 365 Group or to maintain the query in the Office 365 Group afterwards, which rules out migrating dynamic distribution groups through scripting. Alas, where Exchange is happy for PowerShell to create and amend queries for its groups, Azure Active Directory requires that everything must be done through its portal. Once an Office 365 Group changes from static to dynamic membership, you can only manage members through the Azure Active Directory portal. Any attempt to update the membership through Outlook 2016 or OWA is blocked. You can attempt to edit membership using the Office 365 Admin portal but that operation doesn’t end well.

Switching from one type of dynamic group to another is not just a matter of reading a query from one and writing it to another. Exchange allows any mail-enabled object to be addressed through a dynamic distribution group whereas Office 365 Groups only support accounts that belong to the same Office 365 tenant. This is reasonable because Office 365 Groups serve as an access mechanism as well as a way to address users, but it underlines the need to be able to script the migration.
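The Exchange side of the picture can be measured with PowerShell today. The following is an added example, not code from the original post: it resolves every dynamic distribution group query, counts the distinct user mailboxes that fall under at least one query, and prices that scope at the $6/user/month quoted above. It assumes an Exchange PowerShell session is already connected, and treating `UserMailbox` recipients as the accounts an Office 365 Group could hold is a simplifying assumption.

```powershell
# Added example: estimate how many distinct users existing DDG queries cover.
# Assumes a connected Exchange (Online or on-premises) PowerShell session.
$pricePerUserMonth = 6      # USD, the figure quoted in the post

$inScope = @{}              # recipient GUID -> list of DDG names that match it
$skipped = @{}              # DDG name -> count of recipients that are not user mailboxes

foreach ($ddg in Get-DynamicDistributionGroup -ResultSize Unlimited) {
    # Resolve the stored query the same way Exchange does at delivery time.
    $members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                             -OrganizationalUnit $ddg.RecipientContainer `
                             -ResultSize Unlimited

    foreach ($m in $members) {
        if ($m.RecipientTypeDetails -eq 'UserMailbox') {
            $key = $m.Guid.ToString()
            if (-not $inScope.ContainsKey($key)) {
                $inScope[$key] = New-Object 'System.Collections.Generic.List[string]'
            }
            $inScope[$key].Add($ddg.Name)
        }
        else {
            # Contacts, mail users, groups, etc.: addressable through a DDG,
            # but assumed here not to be eligible for an Office 365 Group.
            $skipped[$ddg.Name] = 1 + [int]$skipped[$ddg.Name]
        }
    }
}

$users   = $inScope.Count
$monthly = $users * $pricePerUserMonth

[pscustomobject]@{
    DistinctUsersInScope = $users
    MonthlyCostUSD       = $monthly
    AnnualCostUSD        = $monthly * 12
}

# Groups whose queries match recipients that would not carry over.
$skipped.GetEnumerator() | Sort-Object Value -Descending |
    Select-Object @{n='Group';e={$_.Key}}, @{n='NonUserRecipients';e={$_.Value}}
```

Re-running the script after directory or query changes shows whether the net has widened beyond the number of licenses actually purchased.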

I think the licensing problem has arisen because no one in Microsoft considered all the consequences that flow from the decision to base dynamic Office 365 Groups on top of the dynamic group capability that already existed in Azure Active Directory (and is covered by the Premium license). From a technology perspective, the decision makes perfect sense. If you believe that the customers who will want to use dynamic Office 365 Groups will already have Premium licenses, then there’s nothing to debate about cost.

But I suspect that there are a very large number of tenants in the middle who would like to use this feature but don’t want to pay $6/user/month for the privilege. Dynamic Office 365 Groups are still in preview so time is available for Microsoft to reconsider its options before the feature reaches General Availability.  

Given the central role that Office 365 Groups have taken in Microsoft’s team working and collaboration strategy, it seems a great pity that this feature isn’t bundled into the enterprise Office 365 plans. After all, if you’re paying the going rates for the E3 or E5 plans, this is just the kind of feature you’d expect to get. And it’s so much more useful than adding “Likes” or “Mentions” or other dubious bling to clients. Don’t you agree?

Follow Tony @12Knocksinna

Discuss this Blog Entry 2

on Jun 10, 2016

However there is no “sync-back” of groups which means your on-premises users would not see that DDG in their copy of the Global Address List.

On prem would just continue using the on prem DDG, while 365 users use the mail contact pointed at the on prem DDG. So shouldn’t be a problem right?

on Jul 14, 2016

Dynamic Groups are already possible in Windows Server 2008+ Active Directories. FirstWare DynamicGroup would be an on-premises solution if you need it.


What's Tony Redmond's Exchange Unwashed Blog?

On-premises and cloud-based Microsoft Exchange Server and all the associated technology that runs alongside Microsoft's enterprise messaging server.


Tony Redmond

Tony Redmond is a senior contributing editor for Windows IT Pro. His latest books are Office 365 for Exchange Professionals (eBook, May 2015) and Microsoft Exchange Server 2013 Inside Out: Mailbox...