Microsoft Workloads on AWS

How to set up Microsoft Office on Amazon EC2

Amazon Web Services (AWS) recently announced the general availability of Microsoft Office, along with Remote Desktop Service Subscriber Access License (RDS SAL), as license included offerings on Amazon Elastic Compute Cloud (Amazon EC2) instances.

Empowering employees to work from anywhere with many different devices is at the core of many of our customers’ IT strategy. Providing the proper hardware to remote workers is a balance between delighting employees and investing the right amount of money. If you under-invest, it is likely you will have to replace the hardware soon. If you over-invest, you will most likely pay for underutilized hardware.

Besides the right hardware, remote workers also need productivity tools to carry out their daily tasks. By using license-included Microsoft Office software on Amazon EC2 instances, users can carry out their productivity work in AWS using a highly available and secure environment. All they need is an internet connection, any laptop or desktop, and their credentials in order to continue their work, regardless of their current location.

With this new offering, you can purchase fully compliant AWS-provided licenses of Microsoft Office and Remote Desktop Services with a per-user subscription fee and assign them to your productivity users. You can provision instances based on your needs using preconfigured Amazon Machine Images (AMIs) provided by AWS. You can start instances when your users need them and scale up or down as needed, helping to optimize cost.

This offering is made possible by the new user-based subscriptions feature of AWS License Manager. AWS License Manager supports up to 2 concurrent users per Amazon EC2 instance. Let’s review the steps needed to set up your license-included Microsoft Office software on an Amazon EC2 instance.

Prerequisites

To use the license-included Microsoft Office on Amazon EC2, you must set up AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). For more information on creating an AWS Managed Microsoft AD, see AWS Managed Microsoft AD prerequisites and Create your AWS Managed Microsoft AD directory in the AWS Directory Service User Guide. Your users must be managed by AWS Managed Microsoft AD. Besides this, you need to:

  1. Enable DNS hostnames and DNS resolution for your Amazon Virtual Private Cloud (VPC).
  2. Configure DNS forwarding for any additional VPCs to the AWS Managed Microsoft AD you register for user-based subscriptions. You can use Amazon Route 53 or another DNS service for DNS forwarding. For more information, see the blog post Integrating your Directory Service’s DNS resolution with Amazon Route 53 Resolvers.
  3. The instances providing user-based subscriptions must be configured to communicate with AWS Systems Manager. There are two ways to achieve this: grant the instances providing user-based subscriptions outbound internet access or configure Systems Manager VPC endpoints. For more information, see Setting up Systems Manager for EC2 instances in the AWS Systems Manager User Guide.
  4. Ensure that the instances launched to provide user-based subscriptions with Microsoft Office have a route to the subnet where the VPC endpoints are provisioned.
  5. Identify or create a security group for your VPC endpoints that permits inbound TCP port 1688 connectivity.
  6. Identify or create a security group for the instances launched to provide user-based subscriptions that permits inbound TCP port 3389 connectivity from your approved connection sources. The security group should also permit outbound TCP port 1688 connectivity to reach the VPC endpoints.
  7. Have an instance profile role attached to instances providing the user-based subscription products that allow for the resource to be managed by Systems Manager. For more information, see Create an IAM instance profile for Systems Manager in the AWS Systems Manager User Guide.
  8. Provision the users that will access Microsoft Office on Amazon EC2 in your AWS Managed Microsoft AD directory.

The license-included Microsoft Office on Amazon EC2 offering relies on Microsoft Windows Server 2022, Microsoft Office LTSC Professional Plus 2021, and Microsoft Windows Remote Desktop Services subscriptions, which use a per-user licensing model. You need to carefully audit how many users have an Office subscription and on which Amazon EC2 instances they are using these subscriptions. The new user-based subscriptions feature in License Manager leverages AWS Managed Microsoft AD to track users and license-included Microsoft Office software on Amazon EC2 instances.

Walkthrough

To use Microsoft Office on Amazon EC2, you will need to complete the following steps:

  • Configure License Manager.
  • Subscribe to an Office LTSC Professional Plus 2021 and a Windows Remote Desktop Services product in the AWS Marketplace.
  • Launch an Amazon EC2 instance with a user-based subscription.
  • Connect to the instance with user credentials managed by AWS Managed Microsoft AD.

Step 1: Configure License Manager

Using Microsoft Office is possible with the new License Manager user-based subscriptions feature. It enables License Manager to use AWS Managed Microsoft AD to track and provide product licenses for specific users.

  • License Manager can associate Microsoft Office subscriptions only to users that exist in your AWS Managed Microsoft AD.
  • Each Amazon EC2 instance you create with license-included Microsoft Office is automatically joined to your AWS Managed Microsoft AD domain.
  • License Manager allows you to associate one or more users with an AWS-provided Office LTSC Professional Plus 2021 subscription to license-included Microsoft Office software on an Amazon EC2 instance.
  • License Manager uses your AWS Managed Microsoft AD to ensure that only associated users can connect to license-included Microsoft Office software on Amazon EC2 instances.

First, you will configure License Manager to use a specific AWS Managed Microsoft AD directory.

  1. Open the License Manager console and choose Settings in the navigation pane.

Figure 1: License Manager settings page

The first time you use this feature, you will be asked to create a service-linked role for User-based subscriptions in your account. Select I agree to give AWS License Manager permission to create a service-linked role in my account. Then choose Create.

Figure 2: Create a service-linked role popup message

  2. In the AWS Managed Microsoft Directory section, choose Configure. For AWS Managed Microsoft Active Directory name and ID, select the AWS Managed Microsoft AD directory that you want License Manager to use. For Product name and ID, select “Office Professional Plus.”
    1. Next, choose the VPC that your Microsoft Office AWS instances will be launched into. The VPC that you choose to configure will have at least one subnet specified in which to provision VPC endpoints. The VPC endpoints are required for reaching activation servers for Microsoft Office products.
    2. You will then be presented with a list of subnets that belong to the VPC you created in the previous task. Select the subnets that you want to launch your Microsoft Office AWS instances into to provision VPC endpoints.
  3. Next, you need to select the security group that allows inbound traffic on TCP port 1688, which you created as part of the prerequisites. This security group configuration allows your instances providing user-based subscriptions to communicate with activation servers and remain in compliance.

Once you have selected the VPC, subnets and security groups, choose Configure.

Figure 3: License Manager Configure Active Directory option

  4. Wait until a message indicating that the configuration has completed appears. This may take several minutes.

Step 2: Subscribe to the Office LTSC Professional Plus 2021 product in the AWS Marketplace

Next, you need to subscribe to the Microsoft Office and Remote Desktop Services products provided by AWS in the AWS Marketplace. You only need to subscribe to each product once to use it.

  1. In the License Manager navigation pane, choose Products.

Figure 4: License Manager Products section

  2. Under “Products” select “Office Professional Plus” and choose View details.

Figure 5: License Manager Office Professional Plus product details

  3. Choose View in AWS Marketplace.
  4. Review the information and choose Continue to Subscribe. Review and validate by choosing Subscribe.

Figure 6: AWS Marketplace Office LTSC Professional Plus section

  5. You will then be redirected to the License Manager console where the “Office Professional Plus” AWS Marketplace subscription status shows as Active.

Figure 7: License Manager Products section

Step 3: Subscribe to the Remote Desktop Services SAL product

Since your users will access Microsoft Office on Amazon EC2 through Remote Desktop Services, you will need to associate Microsoft Remote Desktop Service Subscriber Access Licenses (SAL) in order to comply with Microsoft licensing terms.
To make this association, subscribe to the “Win Remote Desktop Services SAL” product in the AWS Marketplace.

Going forward, each time you assign a Microsoft Office license to your users, it will automatically assign them a “Win Remote Desktop Services SAL” license as well.

  1. In the License Manager Products page, select “Remote Desktop Services SAL” and choose View details.
  2. In the Remote Desktop Services SAL page, choose View in AWS Marketplace.

Figure 8: License Manager Remote Desktop Services SAL product details

  3. Review the information and choose Continue to Subscribe. Review and validate by choosing Subscribe.

Figure 9: AWS Marketplace Remote Desktop Services SAL section

  4. You will then be redirected to the License Manager console where both the “Office Professional Plus” and “Remote Desktop Services SAL” AWS Marketplace subscription statuses show as Active.

Figure 10: License Manager Products section

  5. If you choose Dashboard in the navigation pane, a summary of subscribed users to user-based subscriptions will be displayed. You can view all user-based subscription products supported by License Manager in this list, even if you have not subscribed to that product.

Figure 11: License Manager Dashboard

Step 4: Launch a new Amazon EC2 instance

Now that the License Manager user-based subscriptions feature has been set up, you can create a license-included Microsoft Office on Amazon EC2 instance using the preconfigured AMI. You can launch this instance either from the AWS Marketplace Subscriptions console or from the Amazon EC2 console. Here is how you can launch from the Amazon EC2 console:

  1. Navigate to the Amazon EC2 console and choose Launch Instance.
  2. Enter a name for your instance.
  3. Enter “Office LTSC Professional Plus 2021” in the search box in the Application and OS Images (Amazon Machine Image)
  4. In the Results pane, choose Select, and then Continue onto the next screen.

Figure 12: Amazon EC2 AMI Catalog

  5. On the next screen, choose Confirm changes to validate the change to the security group configuration and the IAM role.
  6. On the Launch an instance screen, update the following:
    • Instance type – Select a Nitro-based instance that is not Graviton-based.
    • Choose Edit on Network settings. For VPC, select a VPC that you configured in Step 1. For Security group, select the security group that you created as part of the prerequisites. It must permit inbound TCP port 3389 (RDP) connectivity from your approved connection sources. The security group should also permit outbound TCP port 1688 connectivity to reach the VPC endpoints that were created as part of Step 1.
  7. Expand the Advanced details section and select Choose an existing IAM role from your account, and choose an IAM role that allows Systems Manager functionality.

Once the new instance has launched, you can connect to it and start using Microsoft Office.
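
The two security groups described in the prerequisites, and selected again in the network settings above, can be checked against those port requirements before launch. The following Python is an added example, not part of the original post or of any AWS tool; it audits rules in the shape returned by the EC2 DescribeSecurityGroups API, and the approved CIDR list, the `rule` helper and the sample groups are constructed assumptions.

```python
import ipaddress
RDP_PORT, ACTIVATION_PORT = 3389, 1688  # ports named in the prerequisites

def covers(perm, port):
    """True if a rule in DescribeSecurityGroups shape allows TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def cidrs(perm):
    """IPv4 and IPv6 CIDRs of one rule; security-group references are not evaluated."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def within(cidr, approved):
    """True if `cidr` lies entirely inside one of the approved networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a)
               for a in map(ipaddress.ip_network, approved))

def audit_instance_sg(sg, approved):
    """Findings for the security group attached to the Office instances."""
    findings = []
    rdp = [p for p in sg.get("IpPermissions", []) if covers(p, RDP_PORT)]
    if not rdp:
        findings.append("no inbound rule for TCP 3389")
    for perm in rdp:
        findings += [f"TCP 3389 reachable from unapproved source {c}"
                     for c in cidrs(perm) if not within(c, approved)]
    if not any(covers(p, ACTIVATION_PORT) for p in sg.get("IpPermissionsEgress", [])):
        findings.append("no outbound rule for TCP 1688")
    return findings

def audit_endpoint_sg(sg):
    """Findings for the security group attached to the VPC endpoints."""
    ok = any(covers(p, ACTIVATION_PORT) for p in sg.get("IpPermissions", []))
    return [] if ok else ["no inbound rule for TCP 1688"]

def rule(port, v4=(), v6=()):  # hypothetical helper: one constructed TCP rule in the API's shape
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in v4], "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}

# Constructed sample data, not output from a real account.
APPROVED = ["10.0.0.0/16", "203.0.113.0/24"]
GOOD_SG = {"IpPermissions": [rule(3389, ["10.0.4.0/24"])], "IpPermissionsEgress": [rule(1688, ["10.0.0.0/16"])]}
BAD_SG = {"IpPermissions": [rule(3389, ["0.0.0.0/0"], ["::/0"])], "IpPermissionsEgress": [rule(443, ["0.0.0.0/0"])]}
ENDPOINT_SG = {"IpPermissions": [rule(1688, ["10.0.0.0/16"])]}
print(audit_instance_sg(BAD_SG, APPROVED))
```

To audit real groups, pass each entry of the `SecurityGroups` list from a DescribeSecurityGroups response in place of the constructed samples.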

Step 5: Subscribe & associate users to your Microsoft Office Amazon EC2 instance

  1. In the License Manager console, navigate to User association and choose Subscribe & associate users.

Figure 13: License Manager User association

  2. Enter a username and the domain name and choose Subscribe & associate users.

Figure 14: License Manager Subscribe & associate users

  3. After a few seconds, a message is displayed that the user was associated successfully with the instance.

Figure 15: License Manager User association

In the License Manager console, navigate to Products. You can now see that your user is subscribed to Office Professional Plus and Remote Desktop Services SAL.

Figure 16: License Manager Products

Using Microsoft Office

  1. You can connect to your Amazon EC2 instances by using remote desktop (RDP). There are two ways to connect using RDP: either connect using your remote desktop client or connect using the remote desktop feature of AWS Systems Manager Fleet Manager.
  2. When asked for user credentials, use the user’s credentials from the AWS Managed Microsoft AD.
  3. Once logged into the Amazon EC2 instance, you can open and use all Microsoft Office applications.

Figure 17: Fleet Manager remote desktop session

Cleaning up

To avoid incurring future charges, you will need to follow the steps in the documentation to remove unneeded resources.

  1. Disassociate users and then unsubscribe these users.
  2. Terminate Amazon EC2 instances.
  3. Remove AWS Managed Microsoft AD from License Manager.
  4. Delete VPC endpoints.

Conclusion

In this blog post, I have introduced the new user-based, license-included Microsoft Office offering on AWS. With this new offering, customers can provision a fully-compliant virtual machine on Amazon EC2, with Amazon-provided licenses for Microsoft Office LTSC Professional Plus 2021. Using the new instances, customers can provision user productivity environments on-demand and scale them, according to their development needs. For additional information on how to set up and use Microsoft Office on AWS, you can read this user guide and CLI documentation.


AWS can help you assess how your company can get the most out of cloud. Join the millions of AWS customers that trust us to migrate and modernize their most important applications in the cloud. To learn more on modernizing Windows Server or SQL Server, visit Windows on AWS. Contact us to start your modernization journey today.

Andreas Panagopoulos

Andreas is a Senior Specialist Solutions Architect for Migration and Modernization at Amazon Web Services. He has more than 20 years of experience on Microsoft technologies, Systems Security, Identity, Datacenter Migrations, and Enterprise Architecture. He is passionate about helping customers migrate to, and realize the full benefits of the cloud.