How to effectively manage and assign AVD license

Maximising Cost Efficiency with Azure Virtual Desktop Licensing

Azure Virtual Desktop (AVD) presents a remarkably economical solution for managed desktop delivery at scale. However, achieving optimal cost-efficiency hinges on precise licensing. I’ve encountered various organisations where a staggering 30–40% of their monthly licensing expenses are wasted. This misallocation stems from assigning inappropriate tiers to users, maintaining stale accounts for ex-employees, and unnecessarily issuing costly E5 licences without assessing if E3 would suffice. This guide draws on real-world experiences and provides a comprehensive overview, from the core principles of AVD licensing eligibility to KQL queries and Entra ID automation strategies that can help reclaim unnecessary expenditures automatically.

25% Average AVD licensing overspend in organisations with over 500 users

$120K Annual waste from assigning E5 instead of E3 for 1,000 users

$27K Savings by moving 500 shift workers from E3 to F3

80% Reduction in manual offboarding efforts with Lifecycle Workflows

AVD Licensing Essentials: Understanding Your Costs

Before diving into optimisation, it’s crucial to grasp the two distinct layers of AVD costs: user entitlement licences (access rights) and infrastructure expenses (including VMs, storage, and networking). Many organisations mistakenly conflate these layers and focus on optimising the wrong one. This guide centres on user licences as they frequently represent the largest cost-saving opportunity.

Which Licences Provide AVD Access?

| Licence | Includes AVD? | Notes |
|---|---|---|
| Microsoft 365 E3 / E5 | Yes | Full AVD access; E5 includes enhanced security features. |
| Microsoft 365 F3 | Yes | Complete AVD access for frontline workers (often overlooked). |
| Microsoft 365 F1 | Limited | Read-only M365 access; not suitable for full AVD use. |
| Microsoft 365 Business Premium | Yes | All-in-one solution for small to medium businesses (limited to 300 users). |
| Windows 10/11 Enterprise E3/E5 | Yes | Per-user VDA entitlement; available as a bundle with M365 or standalone. |
| Microsoft 365 A3/A5 (Education) | Yes | Includes Student Use Benefit. |

The Windows Multi-Session Rule You Must Follow

The multi-session editions of Windows 10 and 11 are exclusive to Azure Virtual Desktop. You cannot use them legally on any other platforms or in on-premises Hyper-V environments. If your host pools utilise multi-session OS images, ensure they are hosted in AVD to avoid compliance issues.

RDS CALs vs AVD: Common Sources of Financial Drain

Remote Desktop Services Client Access Licences (RDS CALs) are unnecessary if your session hosts run Windows 10 or 11 Enterprise multi-session editions. The M365 E3/E5 or Windows Enterprise per-user licence already includes the requisite VDA entitlement. RDS CALs are only needed when using Windows Server session hosts, leading to unnecessary costs for many organisations migrating from an RDS-on-Server setup.

External User Licensing

When streaming apps or desktops to external users (like contractors or customers) without M365 licences, Microsoft offers a separate Per-User Access Pricing model, comprising two tiers: “Apps” for RemoteApp only, and “Desktops + Apps” for complete desktop access. Note: these licences only provide AVD access rights; they do not encompass Office, Defender, or Intune.

Selecting the Right Licence Tier: A Practical Guide

The most significant source of licensing waste I observe is assigning E5 as the default tier. Often, every user is assigned E5 simply due to its premier status, with little reassessment thereafter. Here’s a breakdown of each tier’s suitability for AVD users:

| SKU | Approx. Cost/User/Month | Ideal For | AVD Suitability |
|---|---|---|---|
| M365 F3 | ~$8 | Shift workers, retail, manufacturing, frontline healthcare staff | Full AVD access |
| M365 E3 | ~$36 | Standard knowledge workers: email, Teams, Office, basic DLP | Full AVD access + Intune P1 + Entra P1 |
| M365 E5 | ~$57 | Roles needing advanced compliance and security features | Full AVD access + enhanced security |
| Business Premium | ~$22 | SMBs under 300 users needing Intune + Entra P1 + Defender | Full AVD access |
| Windows Ent E3 (standalone) | ~$7 | VDA-only cases; user already has a productivity licence | AVD access only (no M365 apps included) |

Leveraging F3 for Frontline Workers

The Microsoft 365 F3 licence, priced at approximately $8/user/month, provides full AVD access rights. If your workforce includes shift workers, warehouse staff, or healthcare professionals who require AVD but have non-standard working hours, transitioning to F3 can yield significant savings. For example, moving 500 users from E3 to F3 could result in savings of around $14,000 each month, translating to an annual saving of $168,000.

Do All Users Need E5?

While E5 provides distinct benefits, it is crucial to assess who really needs it. The distinguishing features of E5 over E3 include: Microsoft Defender XDR Plan 2, Purview Advanced Compliance, Insider Risk Management, and more. For instance, does a warehouse staff member using AVD to access a business app genuinely need Insider Risk Management? For most organisations, under 20% of users require E5, with the majority being adequately served by E3 without losing functionality.

Smart Licence Assignment: The Power of Automation

Assigning licences on an individual basis is where inefficiencies start. The solution is a group-based approach. Microsoft Entra ID (formerly Azure AD) allows for assigning licences to security groups, ensuring all group members inherit the appropriate licences automatically. Effective from September 2024, group-based licence assignments will only be managed through the Microsoft 365 Admin Centre.

Dynamic Groups for Effortless Licence Management

Entra ID P1, included in M365 E3, supports dynamic group membership based on user attributes. Combined with group-based licensing, this automates licence assignment. For example:

  • Frontline Workers: F3 licence can be assigned if the user’s department is “Frontline”.
  • Standard Knowledge Workers: E3 licence for members not in the frontline department.
  • Power Users: E5 licence for users with explicit approval.

This ensures the right licences are assigned automatically as soon as a new hire starts, eliminating manual tasks and reducing potential errors.

Identifying Licensing Inefficiencies

Before optimising costs, one must identify areas of waste. Most organisations discover their licensing inefficiency during quarterly reviews, having incurred unnecessary expenses for months. Here are four key tools to detect this waste:

  1. AVD Diagnostics + Log Analytics: By integrating Log Analytics with your AVD settings, you can track user connections. Use the following KQL query to spot users with licences who haven’t connected in the last 30 days:

         // Last connection per user over the past 90 days
         WVDConnections
         | where TimeGenerated > ago(90d)
         | summarize lastConnection=max(TimeGenerated) by UserName
         // Keep only users whose most recent connection is older than 30 days
         | where lastConnection < ago(30d)
         | order by lastConnection asc

  2. Microsoft 365 Usage Analytics: Check reports in the Admin Centre that provide insights on app usage. Focus on users who haven’t engaged with key apps over the last 60 days as candidates for licence review.
  3. Entra ID Sign-in Logs: Filter these by AVD usage. Users with no sign-ins in 60 days should trigger an automatic review process.
  4. Azure Monitor Workbooks for AVD Insights: Custom workbooks can be created to consolidate licence use and activity data.
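
The KQL query above only sees users who appear in WVDConnections within its 90-day window, so a licensed user who never connected, or a disabled account that still holds a licence, is absent from its output. The following Python is an added example, not part of the original article: it joins a licence-group export against the query result to surface those cases as well. The CSV column names, SKU labels and sample rows are constructed, and it assumes UserName in WVDConnections holds the user's UPN.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: members of the licence-assignment groups.
# SKU values are illustrative labels, not Microsoft SKU part numbers.
LICENSED_CSV = """upn,sku,account_enabled
alice@contoso.example,E5,true
bob@contoso.example,E3,true
carol@contoso.example,F3,true
dave@contoso.example,E3,false
"""

# Constructed sample: WVDConnections summarised as max(TimeGenerated) by UserName.
LAST_CONNECTION_CSV = """UserName,lastConnection
Alice@contoso.example,2025-05-28T08:15:00Z
bob@contoso.example,2025-03-30T17:02:00Z
"""

def parse_utc(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))

def review_candidates(licensed_csv, last_connection_csv, now, inactive_days=30):
    """Return (upn, sku, reason) for every licensed user worth reviewing."""
    cutoff = now - timedelta(days=inactive_days)
    # Normalise case: the same UPN is often cased differently across exports.
    last_seen = {
        row["UserName"].strip().lower(): parse_utc(row["lastConnection"])
        for row in csv.DictReader(io.StringIO(last_connection_csv))
    }
    findings = []
    for row in csv.DictReader(io.StringIO(licensed_csv)):
        upn = row["upn"].strip().lower()
        seen = last_seen.get(upn)
        if row["account_enabled"].strip().lower() != "true":
            reason = "disabled account still holds a licence"
        elif seen is None:
            reason = "licensed but no AVD connection on record"
        elif seen < cutoff:
            reason = f"no AVD connection for {(now - seen).days} days"
        else:
            continue  # connected recently, nothing to review
        findings.append((upn, row["sku"], reason))
    return findings

if __name__ == "__main__":
    as_of = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for finding in review_candidates(LICENSED_CSV, LAST_CONNECTION_CSV, as_of):
        print(*finding, sep=" | ")
```

Disabled accounts are reported first in the decision order because a licence on a disabled account is reclaimable regardless of when the user last connected.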

Effective Cost Optimisation Strategies

Layer 1: Adjusting Licence Tiers

Conduct a thorough review of users currently assigned E5. For every user, consider whether they’ve engaged with any exclusive E5 features in the past 90 days. If not, transitioning to E3 could save approximately $21/month, amounting to substantial annual savings for large deployments.

Layer 2: Segment Frontline Workers

Work with HR to identify users classified as frontline and verify their attributes within Entra ID. If they primarily access AVD for one application, offering them the F3 licence will significantly lower costs.

Layer 3: FSLogix Cost Recovery

FSLogix profile containers come included with M365 E3/E5, A3/A5, F1/F3, and Business Premium. If your organisation had previously paid for standalone FSLogix licenses, you might be incurring duplicate expenses.

Layer 4: Enforcing Shared Computer Activation

When utilising pooled hosts, Microsoft 365 Apps for Enterprise must use Shared Computer Activation (SCA). Not enabling this can lead to licensing errors, limiting functionality for users. You can implement SCA through Group Policy settings.

Layer 5: Infrastructure Licensing Optimisation

While this guide focuses on user licences, remember to evaluate your infrastructure costs separately by leveraging the Azure Hybrid Benefit and considering Reserved Instances for consistent workloads, allowing for significant savings.

Ensuring Governance and Automation

Detection and manual adjustments are not sufficient alone. A robust governance framework is crucial to maintain licensing efficiency. Here are essential components:

Access Reviews in Entra ID

Set up recurring reviews of group memberships through Entra ID Governance. These should be managed by each user’s direct manager, enabling rapid responses to membership changes.

Lifecycle Workflows for Automated Offboarding

With Microsoft Entra Lifecycle Workflows, you can automate several processes triggered by changes in user attributes, such as removing departed users from licence assignment groups and disabling their accounts, thereby eliminating inefficiencies in licence management.

Common Licensing Pitfalls and Their Remedies

Mistake 1: Automatically assigning E5 licences—validate E5 necessity for each user.

Mistake 2: Failing to remove licences for departed users—Implement Lifecycle Workflows for automatic removal.

Mistake 3: Overlooking F3 for frontline employees—Coordinate with HR to classify and assign frontline workers correctly.

Mistake 4: Continuing to purchase RDS CALs for Windows 10/11 environments—Audit current host pool OS versions.

Mistake 5: Overpurchasing standalone Entra ID P2—Assess necessity against capabilities provided by P1.

Your 30-Day Licence Optimisation Action Plan

  1. Enable AVD Diagnostics: Configure diagnostic settings on all host pools and workspaces.
  2. Run the Inactive User Query: Identify users who haven’t interacted with AVD in over 30 days.
  3. Audit E5 Assignments: Review E5 access and its usage among users.
  4. Identify Frontline Workers: Collaborate with HR to ascertain frontline worker eligibility.
  5. Implement Group-Based Licensing: Set up security groups and rules for automated license assignments.
  6. Build Lifecycle Workflows: Automate the offboarding process for departing employees.
  7. Schedule Quarterly Access Reviews: Implement governance reviews for group memberships and automate the process.
  8. Establish Ongoing Monitoring: Set up monthly usage reviews and cost management alerts.

Introducing Turbo360 Cost Analyzer

To efficiently manage AVD licence costs alongside infrastructure expenditure, consider leveraging the Turbo360 Cost Analyzer. This tool aids in visualising your Azure spend across resources, allows for budget alerts, and helps identify idle resources for cost efficiency.

Conclusion: Key Insights

  • AVD entitlement is included in various Microsoft 365 subscriptions; no separate AVD licence is required for internal users.
  • Windows 10/11 multi-session hosts do not require RDS CALs—these only apply to Windows Server environments.
  • Utilising Microsoft 365 F3 at around $8/user/month is a lucrative option for frontline staff, often overlooked in mixed-workforce scenarios.
  • FSLogix is bundled with E3/E5/F3 at no additional cost—paying separately results in unnecessary expenses.
  • Dynamic grouping in Entra ID is the optimal approach for scalable licensing management.
  • Lifecycle Workflows automate offboarding, maintaining license hygiene with minimal manual effort.
  • Significant cost savings stem from correctly downgrading from E5 to E3 and segmenting frontline workers, rather than solely pursuing minor infrastructural discounts.

Are you ready to streamline your Azure costs? The Turbo360 Cost Analyzer provides the insights and automation you need to manage Azure expenditure effectively.
