SharePoint 2013: A look at the new options for managing users and their licensing

Tags: SharePoint 2013

In todays episode of discovering awesome features in SharePoint 2013 we’re going to take a look at something really interesting, a feature that has been requested for years, a better management of end-user licensing in SharePoint.

Even though this article contains a lot about SharePoint 2013 licensing I must make it very clear that nothing has yet been communicated from Microsoft regarding licensing on SharePoint 2013, and I am no expert on licensing and this is a Preview and this article must be considered as-is, things will and might change over the course of time. Remind me to go back to this article once SharePoint 2013 has gone gold. Microsoft has not made any statements about this and it might be so that you can forget about this article after RTM.

Background

SharePoint has historically existed in two versions, the free called SharePoint Services or SharePoint Foundation and the paid version named SharePoint Server (built on top of SharePoint Foundation). SharePoint Server has had two editions (I’ve no idea how it will be in SharePoint 2013 RTM, but most likely the same as today) – Standard and Enterprise, where Enterprise is the most expensive one requiring specific Enterprise CALs. For some companies it is just a too big expense to go for the Enterprise version, due to the limit that you need(ed) to have Enterprise licenses for all users in the SharePoint farm. But in some cases only a small subset of the users actually require the Enterprise license (which has a lot of the BI and integration stuff). And a lot of companies I’ve met can not justify the extra investment for this. I’ve seen numerous ways to work around this (remember I’m no licensing expert so I’m not saying it’s the legit way to do it). Multiple farms – one standard and one enterprise, is the most obvious one. Downside is that you need to double up on everything (almost)! I’ve seen companies use the multi-tenancy features in SharePoint 2010 to work around it – a really bad decision. And some other ways that we should not discuss here…

Introducing the User Licensing Features in SharePoint 2013 Preview

In SharePoint 2013 Preview there are eight new Windows PowerShell cmdlets, that we are going to cover in this post:

  • Get-SPUserLicensing
  • Enable-SPUserLicensing
  • Disable-SPUserLicensing
  • Get-SPUserLicense
  • Get-SPUserLicenseMapping
  • New-SPUserLicenseMapping
  • Add-SPUserLicenseMapping
  • Remove-SPUserLicenseMapping

What do these cmdlets do and how do we use them? I’ve been experimenting with the Preview and these cmdlets and set up a sample scenario, which is extremely interesting given the problem statement above about combining Standard and Enterprise licenses.

For another great example on how to use these cmdlets I recommend reading Spence Harbar’s post “Enabling Office Web Apps Preview editing with SharePoint 2013 Preview Licensing” which focuses on how to handle the licensing with the new Office Web Apps server.

Enforcing User Licensing in SharePoint 2013 Preview

Let’s start from the top of that list of cmdlets. If we execute the Get-SPUserLicensing cmdlet in a SharePoint 2013 Preview farm it will return false by default. If we take a look at the help text of that cmdlet we will see something really interesting, The synopsis says “Returns the state of user-license enforcement.”. Looks like we can control/enforce licensing in some way in SharePoint 2013!?

get-help get-spuserlicensing

If we move on to the Enable-SPUserLicensing cmdlet and run that cmdlet (Synopsis: “Enables user-license enforcement.”), and then run the Get-SPUserLicensing cmdlet again. It will now return true instead of false – wow, we’ve just enabled User License Enforcement in this farm! We’re on to something really interesting now!

To get back to normal, just run the Disable-SPUserLicensing cmdlet.

Actually, all these cmdlets do is to check or update the Farm property called UserLicensingEnabled. You can check it for yourself:

(Get-SPFarm).UserLicensingEnabled

Note: You should leave the user licensing disabled until you have configured all your license mappings, as I’ll describe in a minute. Not doing so can result in unwanted results.

Available licenses

If we now take a quick look at the Get-SPUserLicense cmdlet and run it. It will return four different licenses; Enterprise, Standard, Project and OfficeWebAppsEdit.

Get-SPUserLicense

Very cool, huh. I think now you’re starting to get a picture on where we are going with this scenario…

User and license mappings

Let’s take a look at the remaining cmdlets *-UserLicenseMapping. First let’s run Get-SPUserLicenseMapping – it will return nothing. So let’s try to create some.

Before we start that, let’s make sure we have something to do the mapping with. For this I created two Security Groups in Active Directory called “Standard Users” and “Enterprise Users”.

Security Groups

Now, let’s use the New-SPUserLicenseMapping cmdlet and try to create a mapping. The following command creates me a mapping using the “Standard Users” group (the name of the AD group) to the “Standard” license (the name of the license from the Get-SPUserLicense cmdlet):

$map = New-SPUserLicenseMapping -SecurityGroup "Standard Users" -License Standard

If we take a look at the $map variable it looks like this:

The mapping

There’s plenty of cool stuff in that picture. First of all notice that the –SecurityGroup argument to the cmdlet is converted to a claim, and if you take a look at the New-SPUserLicenseMapping cmdlet you can see that you actually can add a claim directly (for instance create a mapping for all users sitting in a specific building, belonging to a specific department etc…). Also notice that the WebApplication value is empty here – the New-SPUserLicenseMapping cmdlet can also take a Web Application as an argument, which means that you can configure licensing on a per Web Application basis.

This mapping is so far only created “in-memory”, we need to add it to the farm, this is done by just using the Add-SPUserLicenseMapping cmdlet like this:

Add-SPUserLicenseMapping -Mapping $map

We’ll add another mapping, this time using the other group and the “Enterprise” license, and add it to the farm:

$map = New-SPUserLicenseMapping -SecurityGroup "Enterprise Users" -License Enterprise
Add-SPUserLicenseMapping -Mapping $map

Now, we can run the Get-SPUserLicenseMapping again and see our result:

Licenses added

We have now created two license mappings – one for Enterprise license users mapped to the Active Directory group “Enterprise Users” and one for Standard license users mapped to the “Standard Users” group.

All that is left is to verify that it all works!

Verify the license assignment

To see if it all works, as we all now hope it should, let’s create a page with, let’s say, the Excel Viewer Web Part. In this case I use a user which is member of the “Enterprise Users” group to create the page and add the Web Part. It looks like this, just as we expect:

The Excel Viewer Web Part

Ok, let’s log in as a user who is member of the “Standard Users” group and go to the very same page:

image

What! Did you see that. It’s worth a close-up:

Sorry, we couldn't find your license to use this feature.

Woohaa! This must simply be one of the best features ever implemented in SharePoint!

Even if I take a look at that page using a user that is not part of any of the two groups with license mapping (i.e. not having any license) it will show me that I don’t have licenses to use it.

Let’s do another test – edit the page and look at the available Web Parts using the two users. And as you can see the Standard user cannot add the Enterprise Web Parts.

Enterprise user Standard User
Enterprise user Standard User

Where is this licensing enforced?

I’ve been fiddling around in excitement with this and found that the licensing is enforced in the following places, which seems the logical places to have it enforced:

  • Web Parts – just as you’ve seen above
  • Web Part Gallery – second example above
  • Web Templates – when creating new sites
  • In Document Libraries – in combination with Office Web Apps permissions (as Spence Harbar explains here)

What areas does it affect, prohibit usage?`

Although I have not tested all features, some testing and reverse engineering have told me that these are the things you get with the different licenses:

  • Standard: My Sites
  • Enterprise: Access Services, BCS, BI-stuff, InfoPath, PerformancePoint Services, Visio, My Sites (and some more)
  • Project: Project Server

A couple of notes…

To get this to work, you need to have a Claims Web Application – without it, it just don’t work!

This article is all about on-premises installations. There are features in this capability only for SharePoint Online/365 to satisfy those needs (desk less users etc.).

Do not “over design” your license mappings for a manageability reasons. It defeats the whole purpose of this feature – you need to know what users have what licenses. And nothing is worse than having your end-users getting the message that they don’t have permissions to use the features they are entitled to.

Make sure that you have a fallback mapping! As I mentioned if any user does not fit into any of these mappings they will not even have access to the “Standard” features.

There is only Windows PowerShell configuration for this. Nothing fancy in the Central Administration that helps you visualize it. It is all up to you to create the correct scripts. Oh, and to document this configuration!

Summary

I think Microsoft finally nailed it!  If all this works as above when SharePoint 2013 RTM’s and it actually can make clients combine Standard and Enterprise licenses in a single SharePoint farm, without violating any license agreements, this is going to be huge. Using these features you can actually have control of exactly how many users that have access to a specific license and pay for the correct amount of licenses. I can for sure tell you that Microsoft will get a handful of new clients and especially Enterprise CAL users, just from my set of clients. Also this will clear up a lot of the licensing discussions and most likely prohibit people from doing really stupid design decisions/mistakes. And this fits very nice where Microsoft is going as well, into a more versatile and agile licensing/subscription model and it will likely be easier for clients to move to the cloud/Office 365 if they start thinking about subscriptions internally (as in don’t let the IT department pay all the licenses, let the ones having needs for it pay it instead).

Finally SharePoint has a solid and manageable way to configure licensing within a single farm. Really looking forward to discuss this new feature with my clients.

No Comments

  • Owe Evans said

    Great news!

    Although only valid for the preview version it is officially on TechNet.

    "In SharePoint 2013 Preview, farm administrators now can assign licenses to users and enable license checks. WIth this new functionality, you can ensure that only users with the appropriate license can use a specific feature."

    http://technet.microsoft.com/en-us/library/jj219627(v=office.15).aspx

  • Hans Worst said

    There's an article from Bill Baer on Technet that reveals more or less what functionality is available only with the Enterprise license in SharePoint 2013 RTM:

    http://blogs.technet.com/b/wbaer/archive/2012/11/12/introduction-to-user-license-enforcement-in-sharepoint-server-2013.aspx

  • Raghavendra said

    If you have look at this article Configure licensing in SharePoint Server 2013(http://technet.microsoft.com/en-us/library/jj219627.aspx) Applies to: SharePoint Server 2013 Standard | SharePoint Server 2013 Enterprise.
    which indicates there can be only one key. It would be helpful if you can provide your guidance/opinion here
    http://social.technet.microsoft.com/Forums/en-US/sharepointgeneral/thread/cf56bc51-e17a-46fe-ac9d-413c82c8bb46

  • Tony Pounder @WorTony said

    Hi Wictor,
    Does the License Enforcement require all users to be allocated to Std License before they can access SharePoint? Your blog (and others including TechNet) states that they do. My vm testing seems to indicate they don’t.

    Thanks for any advice

    Tony

  • pasha90 said

    Hello Wictor,

    In your blog you say:
    "Make sure that you have a fallback mapping! As I mentioned if any user does not fit into any of these mappings they will not even have access to the “Standard” features."

    Can you please cite either your source or an example of this? We are finding that the fallback mapping falls under Standard feature set.

    I believe this is the same issue as Tony is bringing up.

    Thank you.

  • Katie said

    My friend Brian Miehe, a guy who drives a LOT of traffic to various offers through his large blog network, has just released a traffic service with a free trial so webmasters can "try before they buy". If you are interested in driving lots of web traffic to your website then don't miss this offer: http://gmbal.com/079x

  • Daniel said

    Hi

    This is very interesting an timely. I had configured a brand new sp2013 test farm and after installing the April CU and running through Spencers' post of enabling editing in OWA 13, I found that none of my users could not create MYsites ... a detailed look at my ULS revealed that none of my users were licensed or in other words, I had inadvertently run: (Get-(SPFarm).UserLicensingEnabled but not Added -EnterpriseFeatures to my mapping. Ouch as this wasted a lot time

  • EmilyBen said

    I am getting an error for users trying to create mysites after enabling this feature. I enabled because users were able to add Enterprise webparts which we only purchased the standard edition license. Now users aren't able to create mysites and I am getting this error:
    "Skipping creation of personal site from MySitePersonalSiteUpgradeOnNavigationWebPart::CreatePersonalSite() because one or more of the creation criteria has not been met. [SPWeb Url=https://my.com/Person.aspx?accountname=Domain\user] https://my.com/Person.aspx?accountname=Domain\userr]Self-Service Site Creation == True Can Create Personal Site == False Is user licensed == False :
    "
    I have added a mapping of "Standard" for a security group this user belongs to but still getting the same error. Do you need to enable Enterprise for users to create Mysites? That doesn't seem to make sense. Any ideas?

    Identity : da936113-9e57-47a8-ae23-1f42aad1db06
    License : Standard
    Name : Domain\Users
    ClaimValue : S-1-5-21-494745725-312220573-749543506-1116
    ClaimType : http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
    id
    OriginalIssuer : Windows
    ValueType : http://www.w3.org/2001/XMLSchema#string


Comments have been disabled for this content.

About Wictor...

Wictor Wilén is the Nordic Digital Workplace Lead working at Avanade. Wictor has achieved the Microsoft Certified Architect (MCA) - SharePoint 2010, Microsoft Certified Solutions Master (MCSM) - SharePoint  and Microsoft Certified Master (MCM) - SharePoint 2010 certifications. He has also been awarded Microsoft Most Valuable Professional (MVP) for seven consecutive years.

And a word from our sponsors...