If I have both Azure joined and Hybrid Azure AD joined machines, how do I count the exact number of licenses I need?
First of all, we here at Netwrix Endpoint Policy Manager (formerly PolicyPak) do not want to charge you twice. If a machine is joined to On-Prem AD and also joined to Azure AD (called Hybrid Azure AD joined), then you should only have to pay for the machine one time. Here is a Microsoft's diagram below (borrowed from https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid ).
In this case, if you had exactly one machine like this ,you would need to:
- Pay for one license (remember, you only need to pay once.) But…
- Engage both PolicyPak licensing mechanisms for this computer: Endpoint Policy Manager Group Policy and Endpoint Policy Manager MDM.
We recommend you do not deliver the same Endpoint Policy Manager settings from both Group Policy or MDM. But you might want to enable the ability to get those licenses from both sources, then transition away from Group Policy to MDM over time.
Knowing you will have some machines:
- Joined to on-prem AD & GPO (but not in Azure)
- Joined to Azure AD (but not on-prem AD) and
- Hybrid Azure AD Joined (dual enrolled to both)
How do you dial in exactly how many computers to license? We will go over this same math again at the end, but here is the gist. Let us pretend you had the following numbers (which we will explain more below):
- Part 1 (On-Prem AD & GPO machines): 1000
- Part 2 (Azure AD joined only): 250
- Part 3 (Hybrid AD joined): 150
To correctly pay for each computer one time you would pay for:
- Azure AD joined only: 250
- Hybrid AD joined: 150
- AD & GPO machines : 1000
- SUBTRACT the number of Hybrid AD joined: MINUS 150
Final number for purchase, where each machine is licensed once:
- 250 +
- 150 +
- 1000 MINUS
- 150
Grand total: 1,250 computers
There is no easy button for this, but it is a straightforward procedure.
Step 1: Counting your on-prem AD & GPO machines
Typically, you do this with the Endpoint Policy Manager on-prem licensing tool (preferred), or if you need to, you can use PowerShell. SeeMy organization doesn't permit me to run the LT (Endpoint Policy Manager Licensing Tool) or provide the XML information it produces. What are my other options?
Preparing for Steps 2 and 3: Before we count the Azure only, machines and before we count the Hybrid Azure AD joined machines
In Azure you can go to Devices > All Devices, then look at the Join Type. You should see four possible fields:
- Azure AD registered —This is not required for aEndpoint Policy Manager license, as this is not Azure or MDM enrolled.
- Azure AD joined — This means the machine is joined directly to Azure AD and is not Hybrid (that is, it is not also joined to on-prem AD).
- Hybrid Azure AD Joined — This means the machine is joined both to Azure AD and to on-prem AD.
- Blank: Unknown.
The problem is that you cannot count each type with this interface unless you have just a few machines. Instead you need to use Powershell and have it do the counting for you.
Next: Using PowerShell to connect to Azure AD
Start out by installing the Azure AD module. See the Microsoft article on How to install Azure PowerShell for additional information.
Here is a copy of the command:
if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module
-Name AzureRM -ListAvailable)) { Write-Warning -Message
('Az module not installed. Having both the AzureRM and ' +
'Az modules installed at the same time is not supported.')}
else { Install-Module -Name Az -AllowClobber -Scope CurrentUser}
Here is the result.
Start out with the Connect-AZAccount cmdlet (not shown). You will get prompted for credentials the first time.
The command should finish and return you with a result like this:
Then use the connect-azuread command and provide credentials again, for a second time.
Results of connection are then seen here:
You can then list all Windows 10 devices with the following command:
Get-AzureADDevice -all $true | select displayname, DeviceOSType, DeviceTrustType
Step 2: Count your Joined to Azure AD only (but not on-prem domain joined machines)
To count Azure AD joined machines, run the first command:
Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAd"} | measure
Step 3: Count Hybrid Azure AD joined machines (those joined to on-prem AD and also Azure AD)
To count your Hybrid Azure AD joined machines, run this command.
Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "ServerAd"} | measure
Results of your counting:
Results examples are seen here:
A final example with Math
Let's pretend you got the following numbers:
- Part 1 (On-Prem AD & GPO machines): 1000
- Part 2 (Azure AD joined only): 250
- Part 3 (Hybrid AD joined): 150
To correctly pay for each computer one time you would pay for:
- Azure AD joined only: 250
- Hybrid AD joined: 150
- AD & GPO machines : 1000
- SUBTRACT the number of Hybrid AD joined: MINUS 150
Final number for purchase, where each machine is licensed once:
- 250 +
- 150 +
- 1000 MINUS
- 150
Grand total: 1,250 computers