
Azure Hybrid Benefit and User CALs

I have a client who is looking at moving to Azure.  They are intrigued by the cost saving of using their Windows Server licenses through the Hybrid Benefit.  It is very clear that there is a nice cost saving with that model.  The question that no one has been able to answer is about Windows User CAL requirements using this licensing model.  I have found this page:  https://azure.microsoft.com/en-us/pricing/licensing-faq  It states:

Does a customer need Windows Server Client Access Licenses (CALs) to connect to a Windows Server image that is running in Azure Virtual Machines?

No. Windows Server CALs are not required for accessing Windows Server running in the Azure environment because the access rights are included in the per-minute charge for the Virtual Machines. Use of Windows Server on-premises (whether in a VHD or otherwise) requires obtaining a separate license and is subject to the normal licensing requirements for use of software on-premises.

It does discuss the CALs, but is not clear as to the Hybrid Benefit model.  My client requires a clearly defined document stating the requirements.

Thanks.  -John



Using Azure AD Join, nothing gets routed to an Azure VM; the user will authenticate directly with the Azure AD service and there is no dependency on any local network component - Internet connectivity is the only prerequisite. This would be a longer discussion though. I'm sceptical about the value of forced tunneling for internet traffic via Azure & a VPN because this has so many dependencies, increases the latency and often has little value in terms of holistic security. I would focus more on a zero trust security approach where devices & identities are checked & secured - with AAD join you can get there much faster. My 2cts... 🙂


To your question - as I mentioned above, according to the Product Terms the customer has to buy & assign Windows CALs for local devices/users, since they will access a Windows Server. It does not matter if it is an RODC, a full DC or no DC at all. If they access a server, they need a CAL.



Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team

Thanks for your immediate reply.


One of the major concerns is that Group Policies are not supported on Azure AD joined devices, as they are not connected to on-premises Active Directory. And that makes us think about this Hybrid setup.

If you have any more information on this or any solution, then please share here.




Yes, Group Policies are not supported.


Luckily Group Policies are not needed anymore 🙂

Azure AD Join makes it easy to directly switch to MDM-based management, which allows better control of the device in a mobile environment and reduces costs because you don't need a Windows Server-based DC or VPNs, and you can control (MDM) policies regardless of the device location - and you can control all kinds of devices with a single MDM solution like Intune, not only Windows.


Of course this is a provocative statement - whether MDM-based management is better for the customer depends on a few additional factors. It is a huge change from a management perspective, but also a great opportunity.

MDM-based management, like the one available via Intune allows you to not only push a configuration to a device, but control if the configuration was applied and then define access rules to services based on the device condition. And the majority of policies available via GPO can also be set on Windows via MDM (via configuration service providers) + better options for app deployment. 

All I'm saying is - it is worth evaluating this. Anything specific you want to do with GPOs that is not possible with MDM?


If you need more information you can also open an advisory ticket with the Technical PreSales & Deployment Services team - https://aka.ms/tpdmsform (the team I'm working in). You need to have Action Pack or competencies on Silver or Gold level though.


Kind regards, Janosch

On the topic - here's an article that I wrote recently: https://rcpmag.com/blogs/guest-blog/2020/06/virtual-hosters-part-3.aspx


Using Azure Hybrid Benefit and getting Windows Server on CSP is really a great way to reduce cost big time. This is a game-changer and I see that the cost is now the same running VMs on Azure as in a legacy datacenter. And we all know where the future lies!


Regards, Per


Hi John,

Basically, the same rules apply to Windows Server instances deployed through Azure Hybrid Benefit into an Azure hosted virtual environment as do to a standard Windows Svr Azure instance: no CAL is needed to access the VMs.

Whilst this may not be documented overly well (I only managed to find the single source you have referenced earlier), it is documented on an official website. Bear in mind, no company in the world would overly advertise such a fact; Microsoft is no different.

Hope this helps.