
Entra ID Licensing

 

Note: Entra ID licensing is in the pilot phase and is not yet available for all axes4 products.

 

What is Entra ID licensing?

Entra ID licensing allows axes4 products to be licensed without any communication with axes4 servers. axes4 does not have any access to the Azure environment or the Entra ID directory of its customers.

The clients on which an axes4 product runs must be members of an Azure Entra ID domain. A Windows Active Directory infrastructure (in-house) is not compatible; we provide separate Active Directory licensing for this.

Operating principle

The program folder of the axes4 License Manager contains a JSON file that holds the following information, among other things:

  • Azure Tenant ID
  • Object ID of an Entra ID group, which contains the licensed users
  • Number of licensed users
  • Expiration date of the license

The file has the naming scheme LicenseToken_...json.

The registry of a client computer also contains the following information:

axes4 products periodically check the following points:

  1. Can the current user log in to the Entra ID of the specified tenant?
  2. Is the current user a member of the specified Entra ID group?
  3. Does the number of users in the Entra ID group match the number of users in the license?
  4. Is the current date within the validity period of the license?

If all four conditions are met, the axes4 products are activated – otherwise they run in demo mode.

How to proceed using axesWord as an example

  • The organization purchases a license for Entra ID licensing from axes4.
  • The admin creates an App Registration on Azure.
  • The admin creates a new Entra ID group (example: “axesWord Users”) and adds the Entra ID users who use axesWord to this group.
  • The admin informs axes4 of the Azure Tenant ID and the Object ID of the Entra ID group. The admin then receives a license token file and distributes it to the clients that use axesWord using a deployment tool (such as InTune).
  • The admin adjusts the registry value for the license manager and the Azure App Registration on the clients.

Technical details

Azure App Registration

The license routine of the axes4 products must have certain permissions in order to perform the check in the Entra ID. These authorizations are configured in an Azure App Registration.

The client ID of the app registration must be entered in the client registry.

Please create and configure the App Registration according to the detailed instructions.

Azure Entra ID Group

The users to be licensed are managed in an Azure Entra ID group.

Create a group in your Entra ID and add the desired users to this group. Tell axes4 the Object ID of this group and the Tenant ID of your Azure directory.

Deploying the license token file

Using the Tenant ID and the Object ID, axes4 creates a license token file (JSON file) with the data described above and sends this file to the licensees.

This file must be distributed to the axes4 License Manager program folder of the clients using a deployment tool (such as InTune). By default, the path is

C:\Program Files\axes4 License Manager

Modification of the registry value for the license manager and the App Registration

To activate Entra ID licensing, a registry value must be set in one of the following keys (listed in descending priority during processing):

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\axes4\Licensing\Manager
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\Policies\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\axes4\Licensing\Manager

Within these keys, the license manager searches for a string value with the name ActiveConnections and the value entraId.

The client ID of the app registration must also be stored in the registry. To do this, create a string value with the name EntraIdClientId and enter the client ID of your app registration as its value.

Screenshot of the Windows Registry Editor with two highlighted string values. The first is 'ActiveConnections' and has the value 'entraId', the second is 'EntraIdClientId' and has a random GUID value.
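
The following PowerShell audit of a client is an added example, not part of the axes4 documentation or tooling. It reads the two registry values from the four keys in the documented priority order, reports which key each effective value comes from, and checks for a license token file in the default folder. It assumes that each value is taken from the first key that contains it, which the page does not spell out.

```powershell
# Added example: audit the client-side Entra ID licensing settings described above.
# Assumption: each value is read from the first key, in the documented priority
# order, that contains it.
$keys = @(
    'HKLM:\SOFTWARE\Policies\axes4\Licensing\Manager',
    'HKLM:\SOFTWARE\axes4\Licensing\Manager',
    'HKCU:\Software\Policies\axes4\Licensing\Manager',
    'HKCU:\Software\axes4\Licensing\Manager'
)
$tokenDir = 'C:\Program Files\axes4 License Manager'   # default path from the page

function Get-EffectiveValue([string]$Name) {
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $key }
        }
    }
    return $null
}

$findings = @()
$conn     = Get-EffectiveValue 'ActiveConnections'
$clientId = Get-EffectiveValue 'EntraIdClientId'

if ($null -eq $conn -or $conn.Value -ne 'entraId') {
    $findings += 'ActiveConnections is missing or not set to entraId'
}
$guid = [guid]::Empty
if ($null -eq $clientId -or -not [guid]::TryParse([string]$clientId.Value, [ref]$guid)) {
    $findings += 'EntraIdClientId is missing or is not a GUID'
} else {
    # Redirect URI that the App Registration must list for this client ID (step 7).
    "Expected redirect URI: ms-appx-web://microsoft.aad.brokerplugin/$guid"
}
foreach ($v in @($conn, $clientId)) {
    # A value that only exists under HKCU can be changed by the logged-in user.
    if ($v -and $v.Source -like 'HKCU:*') {
        $findings += "$($v.Name) is taken from the user-writable key $($v.Source)"
    }
}
$tokens = @(Get-ChildItem -Path $tokenDir -Filter 'LicenseToken_*.json' -ErrorAction SilentlyContinue)
if ($tokens.Count -ne 1) {
    $findings += "Expected one LicenseToken_*.json in $tokenDir, found $($tokens.Count)"
}

$conn, $clientId | Where-Object { $_ } | Format-Table Name, Value, Source -AutoSize
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings.' }
```

Deploying the values under the HKEY_LOCAL_MACHINE Policies key keeps the effective setting out of reach of standard users, because that key has the highest priority and is writable only by administrators.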

 

Random check of the number of licensed users

Counting the members of an Entra ID group is a slow operation on the Entra ID side. To conserve resources, this check is carried out only sporadically, depending on the number of users.

Exceeding the number of licensed users

If the Entra ID group contains more members than specified in the license token file, and the random algorithm selects a client to count the group members, that one client will not be licensed. If the number of group members remains too high, the same happens to subsequent clients. All other clients are not affected.

Flat licenses

Entra ID licensing includes the option of issuing flat licenses if an organization wishes to license all of its employees. There are two options:

Tenant Flat

The system only checks whether a user belongs to the correct Entra ID. The check for membership in an Entra ID group is omitted.

Group Flat

The system checks whether a user belongs to the correct Entra ID and whether the user is a member of the specified Entra ID group. An admin can use this group membership to control who receives a license. With Group Flat, the license manager does not check how many users are in the Entra ID group.

Configuration of the App Registration

  1. Enter “App Registrations” in the search field of the Azure Portal and call up the corresponding widget.

  2. Click New Registration.
    Screenshot of the Azure portal. In the App Registrations widget, the New registration button is highlighted.

  3. Enter any name, select Single Tenant, no Redirect URI and no Admin Consent.
    Screenshot of the Azure portal. In the Register an application widget, the Name, Single tenant, Redirect URI, and Grant admin consent sections are highlighted.

  4. Copy the Client ID of the app registration to the clipboard and keep it in a note for later steps.
    Screenshot of the Azure portal. In the App Registrations widget, the Application (client) ID section is highlighted.

  5. Navigate to Authentication in the navigation bar and click Add a platform
    Screenshot of the Azure portal. In the 'App Registrations' widget, the 'Authentication' navigation item and the 'Add a platform' button are highlighted.

  6. Choose Mobile and desktop applications
    Screenshot of the Azure portal. In the 'Configure platforms' widget, the 'Mobile and desktop applications' button is highlighted.

  7. Enter the following value in the Custom redirect URIs field:
    ms-appx-web://microsoft.aad.brokerplugin/Client ID
    Replace Client ID with the value you copied in step 4 and click Configure.
    Screenshot of the Azure portal. In the Configure Desktop + devices widget, the Custom redirect URIs text box is highlighted.

  8. Navigate to API permissions and click on Add a permission
    Screenshot of the Azure portal. In the 'App Registrations' widget, the navigation item 'API permissions' and the 'Add a permission' button are highlighted.

  9. Choose Microsoft Graph
    Screenshot of the Azure portal. In the 'Request API permission' widget, the 'Microsoft Graph' button is highlighted.

  10. Choose Delegated permissions
    Screenshot of the Azure portal. In the 'Request API permission' widget, the 'Delegated permissions' button is highlighted.

  11. Scroll to the GroupMember section and select GroupMember.Read.All
    Screenshot: the 'GroupMember.Read.All' checkbox is highlighted.

  12. Scroll to the User section. Select User.Read and click Add permissions.
    Note: the User.Read permission is normally set by default.
    Screenshot: 'User.Read' is highlighted.

  13. Click Grant admin consent for Directory
    Screenshot of the Azure portal. In the App registrations widget, the 'Grant admin consent for directory' button is highlighted.

  14. Click Yes to confirm
    Screenshot of the Azure portal. In the 'Grant admin consent confirmation' dialog, the 'Yes' button is highlighted.

This completes the configuration.