First of all, we here at PolicyPak don’t want to charge you twice. If a machine is joined to On-Prem AD and also joined to Azure AD (called Hybrid Azure AD joined)… then you should only have to pay for the machine one time. Here’s Microsoft’s diagram below (borrowed from https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid ).
In this case, if you had exactly ONE machine like this you would need to:
We recommend you don’t deliver the same PolicyPak settings from BOTH Group Policy or MDM. But you might want to enable the ability to get those licenses from both sources, then transition away from Group Policy to MDM over time.
Knowing you’ll have some machines:
How do you dial in exactly how many computers to license? We’ll go over this same math again at the end, but here’s the gist. Let’s pretend you had the following numbers (which we will explain more in this document below):
To correctly pay for each computer ONE time you would pay for:
Final number for purchase.. where each machine is licensed ONCE:
Grand total: 1,250 computers
There is no “easy button” for this, but it is a straightforward procedure.
Typically, you do this with the PolicyPak on-prem licensing tool (preferred), or if you need to, you can use PowerShell. Some example Powershell commands to count on-prem machines can be found at this KB: https://kb.policypak.com/kb/article/246-my-organization-doesnt-permit-me-to-run-the-lt-policypak-licensing-tool-or-provide-the-xml-information-it-produces-what-are-my-other-options/
In Azure you can use Devices | All Devices then look at the Join Type. You should see four possible fields:
The problem is that you cannot count each type with this interface unless you have a mere handful of machines. Instead you need to use Powershell and have it do the counting for you.
Start out by installing the Azure AD module. Details are here: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-4.4.0
Here’s a copy of the command:
if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' + 'Az modules installed at the same time is not supported.')
} else {
Install-Module -Name Az -AllowClobber -Scope CurrentUser
}
Here’s the result.
Start out with the Connect-AZAccount cmdlet (not shown). You will get prompted for credientals the first time.
The command should finish and return you with a result like this.
Then use the connect-azuread command and provide credentials again, for a second time.
Results of connection are then seen here.
You can then list all Windows 10 devices with the following command.
Get-AzureADDevice -all $true | select displayname, DeviceOSType, DeviceTrustType
To count Azure AD joined machines, run the first command.
Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAd"} | measure
To count your Hybrid Azure AD joined machines, run this command.
Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "ServerAd"} | measure
Results examples are seen here.
Let’s pretend you got the following numbers:
To correctly pay for each computer ONE time you would pay for:
Final number for purchase.. where each machine is licensed ONCE:
Grand total: 1,250 computers