Azure Hybrid Benefit and User CALs
I have a client who is looking at moving to Azure. They are intrigued by the cost saving of using their Windows Server licenses through the Hybrid Benefit. It is very clear that there is a nice cost saving with that model. The question that no one has been able to answer is about Windows User CAL requirements using this licensing model. I have found this page: https://azure.microsoft.com/en-us/pricing/licensing-faq It states:
Does a customer need Windows Server Client Access Licenses (CALs) to connect to a Windows Server image that is running in Azure Virtual Machines?
No. Windows Server CALs are not required for accessing Windows Server running in the Azure environment because the access rights are included in the per-minute charge for the Virtual Machines. Use of Windows Server on-premises (whether in a VHD or otherwise) requires obtaining a separate license and is subject to the normal licensing requirements for use of software on-premises.
It does discuss the CALs, but is not clear as to the Hybrid Benefit model. My client requires a clearly defined document stating the requirements.
Hi Tafuu, you can philosophically look at it in different ways. My position is that it is great that you won’t need any CALs and that will reduce cost going forward. I appreciate that your customer got 200 CALs that won’t be of any use but overall, the move to Azure will bring great rewards going forward. Regards, Per
It is true that Windows Server in Azure does not require Windows Server CALs (RDS CALs and AD RMS CALs are still required if using those workloads).
The official document the customer is looking for is the product terms at https://www.microsoft.com/en-gb/Licensing/product-licensing/products
For his Windows Server software license + SA the use rights and Hybrid Use Benefits are documented there, and this document is part of his licensing contract (If he has Win server + SA he has e.g. an Open License contract, MPSA or EA where the Product Terms are referenced).
That said, it is true that the CAL requirements are not described very well in there - generally it is said that running Windows Server in Azure is governed by the use terms for Azure, and those use terms do not describe any requirements for CALs when Server is deployed in Azure.
How Azure Hybrid Benefits can be applied, e.g. how many cores you can use, and that you are allowed to use Datacenter Edition even if you only have a WS Standard license + SA, is well described in the Product Terms.
Often rulings are only described indirectly, e.g. by the lack of a documented requirement that you need a certain license. Product Terms rarely documents things like "you are not allowed" or "you are not required"; it normally only documents what is required.
Hope this helps - unfortunately the whole aspect of licensing is a bit complicated 🙂
Do customers need a Windows Server CAL plus SA when making use of the Azure Hybrid Use Benefit? Please note: In this case the customer has moved all of his Windows Server workload to Azure (no on-premises Windows Server).
It is not described in the PT or in other sources like Azure Hybrid Use Benefit FAQ.
Use Case Example:
Customer has moved all his Windows Server Workloads to Azure with Azure Hybrid Use Benefit and is using M365 E3 and RDS.
Some of the users only need O365 E3 instead of M365 E3 (accessing via RDS on Windows Server) via Thin Client.
Before moving to Azure they had to license the M365 E3 Bundle for all Users due to License requirements of Windows Server CAL and EMS (in EA) plus RDS Cal.
We would like to recommend the customer now to:
Make use of Azure Virtual Desktop for the M365 E3 users, and therefore not renew the RDS CAL SA by switching from RDS Sessions to Azure Virtual Desktop.
And for the O365 E3 standalone users who are using Thin Clients, switch them from M365 E3 to O365 E3 licensing within a separate Profile in EA, and confirm that for these users no Windows Server CAL or EMS is needed for the access to Windows Server in Azure with Azure Hybrid Use Benefit.
Would you support this?
@SwisscomChamp : As per the Product Terms, usage of software provided with Azure falls under the Azure Use Terms, and since there are no requirements documented to license access to Windows Server with a Windows CAL, the answer is no - no Windows CAL required. This is the same as when licensing Windows Server on an Azure VM with PAYG pricing; there too no Windows Server CAL is required.
RDS CALs would be required only when the RDS role is accessed.
I do not understand why the plan is to switch users from M365E3 to O365E3 - why are those not also using AVD, and thus using the M365 license to access Windows virtual desktops, not requiring additional RDS CALs and SA for Windows Server-based hosts. Or is the plan to use O365E3 + Windows 10/11 E3 licenses? Usually I would expect that AAD Premium Features or mobile device management features could still be required for those, so using the same m365 E3 license would make more sense to me.
Thank you @JanoschUlmer much appreciated.
Today they are all using M365 E3 for Windows Server based Hosts in Azure plus licensing RDS CAL SAs in the EA.
There are several reasons for the current situation. Today they have some M365E3 Users which do not use EMS or Windows OS at all.
These are standalone O365E3 Users which are using RDS only.
Considering that, it would make sense to license these Users with an O365 E3 license plus RDS CAL SA (no Windows Server CAL needed for Windows Server Based Host in Azure) and the M365 E3 Users to migrate to Azure Virtual Desktop and to not renew the RDS CAL SA.
Hope this makes more sense to you.
@SwisscomChamp : If the users are using RDS, they use Windows. What I meant is that instead of buying RDS CAL+SA, they could also use the Windows license from M365E3 to access a virtual desktop. And for an enterprise customer I would expect they would want to leverage some of the security features like Conditional Access, which then requires EM+S as well. To me it still seems M365E3 would provide the better value, even though users might not use Windows clients locally.
And note that if you are not using AVD, you need to pay for the Windows Server OS instance of a traditional RDS server (Windows Host OS license as PAYG or hybrid benefit), so I would strongly recommend to go for AVD, even when you need to stick to Windows Server based RDS.
We can discuss in more detail directly, simply open a consultation request with Technical Presales & Deployment Services Team: https://aka.ms/technicalservices
Can I just clarify, if we have a WS Standard license + SA for an on-premises server, and we decommission that server to migrate its functions to an Azure VM running a Datacenter licence, we can use the Hybrid Benefit on the existing WS Standard licence for this?
Hi @Coriron - in this article you'll find more details about how to leverage Azure Hybrid Benefit and to maximize the outcome: Virtual Hosters Part 3: Reduce Azure Costs to Beat Traditional Hosting -- Redmond Channel Partner (rcpmag.com)
What if the scenario is that we are going to have all servers in Azure except for one small AD/DC onsite on a physical server, just to authenticate users locally and for redundancy. No applications or file shares locally, just AD/DC. So in this instance do we still have to pay for CALs since we have this one server still onsite which technically almost all users will talk to for AD authentication when they log in? Very unfortunate if we do, since an onsite DC almost always makes sense to still have.
If users access a Windows Server they need to have a CAL. This also applies to scenarios where they authenticate with AD; even when users/devices are just receiving an IP address from the DHCP service on Windows Server, the license terms say that a CAL is required.
If the users are only synced from this local AD to AzureAD via AAD Connect, but the users never access the server directly, no CAL is required, this is also stated explicitly in the licensing terms.
The question is what kind of redundancy should be achieved here if there is no workload on the local server. If the internet connection works, no redundancy is needed. If the internet connection fails, the users can't work anyway since no apps/files are available to them. So for this scenario it does not really make sense to have an on-premises DC; it would not offer additional redundancy.
This sounds like a scenario where it would make more sense to use AzureAD join instead of traditional domain join for the on-premises clients. So no local DC is required for login, thus no server is required - and then also no CAL.
Dear Microsoft Team,
In case we want to set up a Microsoft AD on an Azure-hosted VM and then set up a Read-Only Domain Controller (RODC) in the local environment, do we still need CALs?
As long as users access the RODC directly or indirectly for any purpose, yes.
You can find the official, binding terms on the Product Terms document site; any exceptions from CAL requirements are mentioned there: https://www.microsoft.com/licensing/terms - having a RODC is not documented as an exception from the CAL requirement.
Why are you building it this way? You could AzureAD join the local clients, and use AzureAD Domain Services for domain-joined VMs in Azure if you still have those.
Thanks a lot JanoschUlmer.
We are building Microsoft server - DC and ADC on the Azure VM platform and setting up secured network connectivity between the Azure VM and the local network. The reason for going with this setup is to avoid dependency on the local network and also to control Internet traffic.
If we go with the AzureAD join option then all users will be routed to the Azure VM, which we don't want.
We want the authentication process to be done locally with the RODC (Read-Only Domain Controller).
So we don't need to purchase CALs in this scenario? Right? Please confirm.
Using AzureAD Join nothing gets routed to an Azure VM; the user will authenticate directly with the AzureAD service and there is no dependency on any local network component - Internet connectivity is the only prerequisite. This would be a longer discussion though. I'm skeptical about the value of forced tunneling for internet traffic via Azure & a VPN because this has so many dependencies, increases the latency and often has little value in terms of holistic security. I would rather focus on a zero trust security approach where devices & identities are checked & secured - with AAD join you can get there much faster. My 2cts... 🙂
To your question - as I mentioned above, according to the Product Terms the customer has to buy & assign Windows CALs for local devices/users, since they will access a Windows Server. It does not matter if it is a RODC, a full DC or no DC at all. If they access a server, they need a CAL.
Thanks for your immediate reply.
One of the major concerns is that Group Policies are not supported on Azure AD joined devices as they are not connected to on-premises Active Directory. And that's what makes us think about this hybrid setup.
If you have any more information on this or any solution, then please share it here.
Yes, Group Policies are not supported.
Luckily Group Policies are not needed anymore 🙂
Azure AD Join makes it easy to directly switch to MDM-based management, which allows better control of the device in a mobile environment and reduces costs because you don't need a Windows Server-based DC or VPNs, and you can control (MDM) policies regardless of the device location - and you can control all kinds of devices with a single MDM solution like Intune, not only Windows.
Of course this is a provocative statement - whether MDM-based management is better for the customer depends on a few additional factors. It is a huge change from a management perspective, but also a great opportunity.
MDM-based management, like the one available via Intune, allows you to not only push a configuration to a device, but also to check whether the configuration was applied and then define access rules to services based on the device condition. And the majority of policies available via GPO can also be set on Windows via MDM (via configuration service providers), plus better options for app deployment.
All I'm saying is - it is worth evaluating this. Is there anything specific you want to do with GPOs that is not possible with MDM?
If you need more information you can also open an advisory ticket with the Technical PreSales & Deployment Services team - https://aka.ms/tpdmsform (the team I'm working in). You need to have Action Pack or competencies on Silver or Gold level though.
On the topic - here's an article that I wrote recently: https://rcpmag.com/blogs/guest-blog/2020/06/virtual-hosters-part-3.aspx
Using Azure Hybrid Benefit and getting Windows Server on CSP is really a great way to reduce cost big time. This is a game-changer, and I see that the cost is now the same running VMs on Azure as in a legacy datacenter. And we all know where the future lies!