Azure Hybrid Benefit and User CALs
I have a client who is looking at moving to Azure. They are intrigued by the cost saving of using their Windows Server licenses through the Hybrid Benefit. It is very clear that there is a nice cost saving with that model. The question that no one has been able to answer is about Windows User CAL requirements using this licensing model. I have found this page: https://azure.microsoft.com/en-us/pricing/licensing-faq It states:
Does a customer need Windows Server Client Access Licenses (CALs) to connect to a Windows Server image that is running in Azure Virtual Machines?
No. Windows Server CALs are not required for accessing Windows Server running in the Azure environment because the access rights are included in the per-minute charge for the Virtual Machines. Use of Windows Server on-premises (whether in a VHD or otherwise) requires obtaining a separate license and is subject to the normal licensing requirements for use of software on-premises.
It does discuss the CALs, but is not clear as to the Hybrid Benefit model. My client requires a clearly defined document stating the requirements.
It is true that Windows Server in Azure does not require Windows Server CALs (RDS CALs and AD RMS CALs are still required if those workloads are used).
The official document the customer is looking for is the product terms at https://www.microsoft.com/en-gb/Licensing/product-licensing/products
For his Windows Server software license + SA, the use rights and Hybrid Use Benefits are documented there, and this document is part of his licensing contract (if he has Windows Server + SA, he has e.g. an Open License contract, MPSA or EA, where the Product Terms are referenced).
That said, it is true that the CAL requirements are not described very well in there. Generally it is said that running Windows Server in Azure is governed by the use terms for Azure, and those use terms do not describe any requirements for CALs when Server is deployed in Azure.
How Azure Hybrid Benefits can be applied, e.g. how many cores you can use, and that you are allowed to use Datacenter Edition even if you only have a WS Standard license + SA, is well described in the Product Terms.
Often rulings are only described indirectly, e.g. by the lack of a documented requirement that you need a certain license. The Product Terms rarely document things like "you are not allowed" or "you are not required"; they normally only document what is required.
Hope this helps - unfortunately the whole aspect of licensing is a bit complicated 🙂
What if the scenario is that we are going to have all servers in Azure except for one small AD/DC onsite on a physical server, just to authenticate users locally and for redundancy? No applications or file shares locally, just AD/DC. So in this instance do we still have to pay for CALs, since we have this one server still onsite which technically almost all users will talk to for AD authentication when they log in? Very unfortunate if we do, since an onsite DC almost always makes sense to still have.
If users access a Windows Server, they need to have a CAL. This also applies to scenarios where they authenticate with AD; even when users/devices are just receiving an IP address from a DHCP service on Windows Server, the license terms say that a CAL is required.
If the users are only synced from this local AD to AzureAD via AAD Connect, but the users never access the server directly, no CAL is required; this is also stated explicitly in the licensing terms.
The question is what kind of redundancy should be achieved here if there is no workload on the local server. If the internet connection works, no redundancy is needed. If the internet connection fails, the users can't work anyway, since no apps/files are available to them. So for this scenario it does not really make sense to have an on-premises DC; it would not offer additional redundancy.
This sounds like a scenario where it would make more sense to use AzureAD join instead of traditional domain join for the on-premises clients. So no local DC is required for login, thus no server is required - and then also no CAL.
Dear Microsoft Team,
In case we want to set up a Microsoft AD on an Azure hosted VM and then set up a Read-Only Domain Controller (RODC) in the local environment, do we still need CALs?
As long as users access the RODC directly or indirectly for any purpose, yes.
You can find the official, binding terms on the Product Terms document site; any exceptions from CAL requirements are mentioned there: https://www.microsoft.com/licensing/terms - having an RODC is not documented as an exception from the CAL requirement.
Why are you building it this way? You could AzureAD join the local clients, and use AzureAD Domain Services for domain-joined VMs in Azure if you still have those.
Thanks a lot JanoschUlmer.
We are building Microsoft server - DC and ADC on the Azure VM platform and setting up secured network connectivity between the Azure VM and the local network. The reason for going with this setup is to avoid dependency on the local network and also to control internet traffic.
If we go with the AzureAD join option then all users will be routed to the Azure VM, which we don't want.
We want the authentication process to be done locally with the RODC (Read-Only Domain Controller).
So we don't need to purchase CALs in this scenario? Right? Please confirm.
Using AzureADJoin nothing gets routed to an Azure VM; the user will authenticate directly with the AzureAD service and there is no dependency on any local network component - internet connectivity is the only prerequisite. This would be a longer discussion though. I'm sceptical about the value of forced tunneling of internet traffic via Azure and a VPN, because this has so many dependencies, increases latency and often has little value in terms of holistic security. I would rather focus on a zero trust security approach where devices and identities are checked and secured - with AAD join you can get there much faster. My 2cts... 🙂
To your question - as I mentioned above, according to the Product Terms customer has to buy & assign Windows CALs for local devices/users, since they will access a Windows Server. It does not matter if it is a RODC, a full DC or no DC at all. If they access a server, they need a CAL.
Thanks for your immediate reply.
One of the major concerns is that Group Policies are not supported on Azure AD joined devices, as they are not connected to on-premises Active Directory. And that makes us think about this hybrid setup.
If you have any more information on this or any solution, then please share it here.
Yes Group Policies are not supported.
Luckily Group Policies are not needed anymore 🙂
Azure AD Join makes it easy to switch directly to MDM-based management, which allows better control of the device in a mobile environment and reduces costs because you don't need a Windows Server-based DC or VPNs, and you can control (MDM) policies regardless of the device location - and you can control all kinds of devices with a single MDM solution like Intune, not only Windows.
Of course this is a provocative statement - whether MDM-based management is better for the customer depends on a few additional factors. It is a huge change from a management perspective, but also a great opportunity.
MDM-based management, like the one available via Intune allows you to not only push a configuration to a device, but control if the configuration was applied and then define access rules to services based on the device condition. And the majority of policies available via GPO can also be set on Windows via MDM (via configuration service providers) + better options for app deployment.
All I'm saying is: it is worth evaluating this. Anything specific you want to do with GPOs that is not possible with MDM?
If you need more information you can also open an advisory ticket with the Technical PreSales & Deployment Services team - https://aka.ms/tpdmsform (the team I'm working in). You need to have an Action Pack or competencies at Silver or Gold level though.
On the topic - here's an article that I wrote recently: https://rcpmag.com/blogs/guest-blog/2020/06/virtual-hosters-part-3.aspx
Using Azure Hybrid Benefit and getting Windows Server on CSP is really a great way to reduce cost big time. This is a game-changer, and I see that the cost of running VMs on Azure is now the same as in a legacy datacenter. And we all know where the future lies!
Basically, the same rules apply to Windows Server instances deployed through Azure Hybrid Benefit into an Azure hosted virtual environment as to a standard Windows Server Azure instance: no CAL is needed to access the VMs.
Whilst this may not be documented overly well (I only managed to find the single source you referenced earlier), it is documented on an official website. Bear in mind, no company in the world would overly advertise such a fact; Microsoft is no different.
Hope this helps.
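Because the thread turns on whether Hybrid Benefit is actually applied to a VM, here is an added example (not from any participant in the thread) that inventories which Windows VMs in the current Azure subscription carry the Hybrid Benefit flag and optionally enables it on one VM. It uses the Az.Compute cmdlets Get-AzVM and Update-AzVM; the LicenseType value "Windows_Server" is what Azure uses to mark a Windows VM as licensed under Azure Hybrid Benefit. The resource group and VM names are placeholders, and you must already be signed in with Connect-AzAccount.

```powershell
# Added example, not part of the original thread.
# Assumes: Az.Compute module installed, Connect-AzAccount already run,
# and the caller holds the Virtual Machine Contributor role (or equivalent).
# "rg-example" / "vm-example" are placeholder names.
param(
    [string]$ResourceGroupName = "rg-example",
    [string]$VMName            = "vm-example",
    [switch]$Enable
)

# 1. Inventory: a Windows VM with LicenseType "Windows_Server" has
#    Azure Hybrid Benefit applied; anything else is billed with the
#    Windows license included in the per-minute VM price.
Get-AzVM |
    Where-Object { $_.StorageProfile.OsDisk.OsType -eq "Windows" } |
    Select-Object ResourceGroupName, Name,
        @{ Name = "HybridBenefit"; Expression = { $_.LicenseType -eq "Windows_Server" } } |
    Format-Table -AutoSize

# 2. Optionally enable Hybrid Benefit on a single VM. This is a
#    self-declaration: you must hold eligible Windows Server licenses
#    with Software Assurance (or qualifying subscriptions) per the
#    Product Terms discussed above; the flag only changes billing.
if ($Enable) {
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    if ($vm.LicenseType -ne "Windows_Server") {
        $vm.LicenseType = "Windows_Server"
        Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm | Out-Null
    }
    # Re-read and show the resulting value so the change is verified.
    (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName).LicenseType
}
```

Run it without `-Enable` to audit; run with `-Enable -ResourceGroupName <rg> -VMName <vm>` to apply the flag. Setting LicenseType does not change the CAL position discussed in the thread; it only tells Azure not to charge for the Windows Server license in the VM price, so keep a record of which on-premises licenses with SA back each flagged VM.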