Note: Entra ID licensing is in the pilot phase and is not yet available for all axes4 products.
What is Entra ID licensing?
Entra ID licensing allows axes4 products to be licensed without any communication to axes4 servers. axes4 does not have any access to the Azure environment or the Entra ID directory of its customers.
The clients on which an axes4 product runs must be members of an Azure Entra ID domain. A Windows Active Directory infrastructure (in-house) is not compatible; we provide separate Active Directory licensing for this.
Operating principle
The program folder of the axes4 License Manager contains a JSON file that holds the following information, among other things:
- Azure Tenant ID
- Object ID of an Entra ID group, which contains the licensed users
- Number of licensed users
- Expiration date of the license
The file has the naming scheme LicenseToken_...json.
The registry of a client computer also contains the following information:
- The type of licensing scheme (in this case entraId)
- The Client ID of an Azure App Registration
axes4 products periodically check the following points:
- Can the current user log in to the Entra ID of the specified tenant?
- Is the current user a member of the specified Entra ID group?
- Does the number of users in the Entra ID group match the number of users in the license?
- Is the current date within the validity period of the license?
If all four conditions are met, the axes4 products are activated – otherwise they run in demo mode.
How to proceed using axesWord as an example
- The organization purchases a license for Entra ID licensing from axes4.
- The admin creates an App Registration on Azure.
- The admin creates a new Entra ID group (example: “axesWord Users”) and adds the Entra ID users who use axesWord to this group.
- The admin informs axes4 of the Azure Tenant ID and the Object ID of the Entra ID group. The admin then receives a license token file and distributes it to the clients that use axesWord using a deployment tool (such as Intune).
- The admin adjusts the registry value for the license manager and the Azure App Registration on the clients.
Technical details
Azure App Registration
The license routine of the axes4 products must have certain permissions in order to perform the check in the Entra ID. These authorizations are configured in an Azure App Registration.
The client ID of the app registration must be entered in the client registry.
Please create and configure the App Registration according to the detailed instructions.
Azure Entra ID Group
The users to be licensed are managed in an Azure Entra ID group.
Create a group in your Entra ID and add the desired users to this group. Tell axes4 the Object ID of this group and the Tenant ID of your Azure directory.
Deploying the license token file
Using the Tenant ID and the Object ID, axes4 creates a license token file (JSON file) with the data described above and sends this file to the licensees.
This file must be distributed to the axes4 License Manager program folder of the clients using a deployment tool (such as Intune). By default, the path is
C:\Program Files\axes4 License Manager
Modification of the registry value for the license manager and the App Registration
To activate Entra ID licensing, a registry value must be set in one of the following keys (listed in descending priority during processing):
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\axes4\Licensing\Manager
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\Policies\axes4\Licensing\Manager
Computer\HKEY_CURRENT_USER\Software\axes4\Licensing\Manager
Within these keys, the license manager searches for a string value with the name ActiveConnections and the value entraId.
The client ID of the app registration must also be stored in the registry. To do this, create a string value with the name EntraIdClientId and enter the client ID of your app registration as its value.
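The following PowerShell check is an added example, not part of the axes4 documentation or tooling: it walks the four keys in the priority order listed above, reports which key supplies ActiveConnections and EntraIdClientId, and confirms that a license token file is present in the default program folder. It assumes that each value is resolved independently across the keys and that the token file only needs to parse as JSON, since the page does not document its field names.

```powershell
# Added example (not axes4 code). Key paths, value names and the default folder come
# from the page; resolving each value on its own across the keys is an assumption.
$keys = @(
    'HKLM:\SOFTWARE\Policies\axes4\Licensing\Manager',
    'HKLM:\SOFTWARE\axes4\Licensing\Manager',
    'HKCU:\Software\Policies\axes4\Licensing\Manager',
    'HKCU:\Software\axes4\Licensing\Manager'
)
$tokenDir = 'C:\Program Files\axes4 License Manager'

function Get-EffectiveValue {
    param([string[]]$Keys, [string]$Name)
    foreach ($key in $Keys) {          # first hit wins: descending priority
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = [string]$item.$Name; Source = $key }
        }
    }
}

$findings = @()
$scheme = Get-EffectiveValue -Keys $keys -Name 'ActiveConnections'
if ($null -eq $scheme) { $findings += 'ActiveConnections is not set in any of the four keys' }
elseif ($scheme.Value -ne 'entraId') {   # -ne compares case-insensitively
    $findings += "ActiveConnections is '$($scheme.Value)' in $($scheme.Source)"
}

$client = Get-EffectiveValue -Keys $keys -Name 'EntraIdClientId'
$parsed = [guid]::Empty
if ($null -eq $client) { $findings += 'EntraIdClientId is not set in any of the four keys' }
elseif (-not [guid]::TryParse($client.Value, [ref]$parsed)) {
    $findings += "EntraIdClientId in $($client.Source) is not a GUID"
}

# The token must be present and must at least parse as JSON; its field names are
# not documented on the page, so the content is not inspected further.
$tokens = @(Get-ChildItem -Path $tokenDir -Filter 'LicenseToken_*.json' -ErrorAction SilentlyContinue)
if ($tokens.Count -eq 0) { $findings += "No LicenseToken_*.json in $tokenDir" }
foreach ($t in $tokens) {
    try { $null = Get-Content -Raw -LiteralPath $t.FullName | ConvertFrom-Json -ErrorAction Stop }
    catch { $findings += "$($t.Name) is not valid JSON" }
}

# Report where each effective value came from, then the problems found.
$scheme, $client | Where-Object { $_ } | Format-Table Name, Value, Source -AutoSize
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Configuration looks complete.' }
```

The Source column shows whether the effective value comes from a machine-wide key or from the current user's hive, which is useful when a deployment sets the values in more than one place.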
Random check of the number of licensed users
Counting the members of an Entra ID group is a slow operation on the Entra ID side. To conserve resources, this check is only carried out sporadically, depending on the number of users.
Exceeding the number of licensed users
If the Entra ID group contains more members than specified in the license token file and if the random algorithm selects a client to count the group members, this one client will not be licensed. If the number of group members remains too high, this happens in the same way for subsequent clients. All other clients are not affected.
Flat licenses
Entra ID licensing includes the option of issuing flat licenses if an organization wishes to license all of its employees. There are two options:
Tenant Flat
The system only checks whether a user belongs to the correct Entra ID. The check for membership in an Entra ID group is omitted.
Group Flat
The system checks whether a user belongs to the correct Entra ID and whether the user is a member of the specified Entra ID group. An admin can use this group membership to control who receives a license. With Group Flat, the license manager does not check how many users are in the Entra ID group.
Configuration of the App Registration
- Enter “App Registrations” in the search field of the Azure Portal and call up the corresponding widget.
- Click New Registration.
- Enter any name, select Single Tenant, no Redirect URI and no Admin Consent.
- Copy the Client ID of the App Registration to the clipboard and record it in a note for later use.
- Navigate to Authentication in the navigation bar and click Add a platform.
- Choose Mobile and desktop applications
- Enter the following value in the Custom redirect URIs field:
ms-appx-web://microsoft.aad.brokerplugin/Client ID
Replace Client ID with the value you recorded in step 4 and click Configure.
- Navigate to API permissions and click on Add a permission
- Choose Microsoft Graph
- Choose Delegated permissions
- Scroll to the GroupMember section and select GroupMember.Read.All
- Scroll to the User section. Select User.Read and click on Add permissions
Note: the User.Read permission is normally set by default.
- Click Grant admin consent for Directory
- Click Yes to confirm
This completes the configuration.