Microsoft Workloads on AWS

Simplify AWS License Manager user subscription management by sharing AWS Managed Microsoft Active Directory

In this blog, we’re going to show you how AWS License Manager can leverage the directory sharing feature available from AWS Directory Service for AWS Managed Microsoft Active Directory (AWS Managed Microsoft AD) to centrally manage user subscription services across multiple Amazon Web Services (AWS) accounts.

AWS License Manager offers you user-based subscriptions for Microsoft Remote Desktop Services (RDS), Microsoft Office, and Microsoft Visual Studio. Amazon provides licenses that have a per-user subscription fee with no long-term licensing commitments. These subscription services let AWS customers adjust their user subscriptions easily to meet their application needs.

AWS Managed Microsoft AD provides a fully managed Active Directory service in the AWS Cloud. AWS manages the domain controller hosts, recovery, Active Directory replication, snapshots, and updates, which allows you to easily run Active Directory-aware workloads while focusing on user management activities. AWS License Manager integrates with AWS Managed Microsoft AD for user subscription services and requires AWS Managed Microsoft AD as a prerequisite for Microsoft Office and Visual Studio.

AWS License Manager supports AWS Managed Microsoft AD directory sharing, which allows your AWS Managed Microsoft AD directory to be referenced by other AWS accounts. With directory sharing, you can centrally manage your AWS License Manager user subscriptions across multiple AWS accounts.

Directory sharing with AWS Managed Microsoft AD

When using AWS Managed Microsoft AD directory sharing, the directory owner is the AWS account holder that owns the originating directory in the shared directory relationship.

A directory consumer is a secondary account with whom the directory owner shares the AWS Managed Microsoft AD directory. For additional information on directory sharing, view the AWS Directory Service administration guide.

Two AWS Managed Microsoft AD directories with directory sharing, domain joins, and Amazon VPC peering.

Figure 1. Sharing an AWS Managed Microsoft AD

Combining AWS Managed Microsoft AD directory sharing with AWS License Manager

When using the directory sharing feature of AWS Managed Microsoft AD, AWS License Manager shares Visual Studio and Microsoft Office licenses from the directory owner account to directory consumer accounts. The directory owner account will manage the user subscriptions for the secondary AWS accounts. This hub-and-spoke model creates centralized management of user subscriptions, reducing redundant Active Directory deployments and infrastructure costs.

Architecture diagram of two AWS accounts sharing a Managed Microsoft AD domain along with AWS License Manager user subscription services. The image incorporates a numbered workflow for configuration of each step.

Figure 2. Combining AWS Managed Microsoft AD directory sharing with AWS License Manager

Prerequisites

AWS Managed Microsoft AD must be configured in the directory owner account. This directory will be shared with consumer accounts and contain the AD user accounts necessary to log into the Amazon Elastic Compute Cloud (Amazon EC2) instances after they subscribe.

AWS Organizations is necessary for sharing licensing grants between accounts. The directory owner account and directory consumer accounts must be part of the same AWS Organization.

Network connectivity needs to be enabled between the directory owner account Virtual Private Cloud (VPC) and all directory consumer account VPCs. When deploying Visual Studio or Microsoft Office AMIs in the consumer accounts, they will need to be joined to the AWS Managed Microsoft AD domain. Also, they will need to authenticate with the domain controllers in the directory owner account. This includes but is not limited to:

The License Manager user-based subscriptions role must be enabled. The console will ask to create this service-linked role the first time you visit the User-based subscriptions page in AWS License Manager.

Pop up message generated by the AWS console to create a service-linked role for User-based subscriptions.

Figure 3: Create a service-linked role popup message

AWS Marketplace subscriptions must be activated in the directory owner account for the required License Manager products in AWS Marketplace.

Microsoft Remote Desktop Services must be configured in the directory owner account. You can use Microsoft RDS in combination with Visual Studio or Microsoft Office by installing the RD Session Host. For more information on how to configure Microsoft RDS with AWS License Manager, see the how-to blog.

Walkthrough

Step 1: Share the AWS Managed Microsoft AD with directory consumer accounts

  1. In the directory owner account, browse to the AWS Directory Services console.
  2. Select your directory, then choose the Actions button, then choose Share directory.
  3. Select the AWS accounts within your AWS Organization to be directory consumer accounts, then choose Share.
  4. In the directory consumer account(s), browse to the AWS Directory Services console.
  5. In the left pane, under Active Directory, choose Directories shared with me.
  6. Select the directory and then choose Review.
  7. Choose “I agree to pay an additional fee,” then choose Accept.

Step 2: Grant licenses to directory consumer accounts

  1. In the directory owner account, browse to the AWS License Manager console.
  2. In the left pane, choose Granted licenses.
  3. On the Aggregated licenses tab, choose the License ID for the product you want to share with the secondary account.
    • At the top of the page, you’ll receive a warning about configuring the appropriate IAM permissions for licensing grants. Choose configure permissions to open a new window for the AWS Marketplace.
    • Under the AWS License Manager integration section, choose View settings details.
    • Select the checkboxes for Enable trusted access across your organization and AWS Marketplace license management service-linked role for this account, then choose Create integration.
    • Once the status changes to Successfully created, close the AWS Marketplace window.
      Screenshot showing success messages for AWS Marketplace IAM settings for AWS License Manager integration creation
      Figure 4: AWS Marketplace IAM settings for AWS License Manager integration
  4. Under the Grants section, choose Create grant.
  5. Enter a grant name, then enter the AWS Account ID for a directory consumer account, then choose Create grant.

Step 3: Accept granted licenses in directory consumer accounts

  1. In the directory consumer account, browse to the AWS License Manager console.
  2. In the left pane, choose Granted licenses.
  3. On the Aggregated licenses tab, choose the License ID for the product, then choose Activate license.
  4. You’ll receive a message “When activating this grant, do you want to replace active grants?” Select Yes and then choose Activate.
  5. The grant status will change to Processing and then will change to Active after approximately 5 minutes.

Once completed successfully, you will see the Marketplace subscription status for the product(s) show as Subscribed. The Microsoft Remote Desktop Services product will have a status of Not Required, because the RD Licensing servers will be used from the directory owner account.

Screenshot of the AWS console showing the Marketplace status for Office Professional Plus as Subscribed, while the status for Microsoft Remote Desktop Services is Not Required

Figure 5: Marketplace subscription status changes

Step 4: Register Active Directory in the directory owner account

  1. In the directory owner account, browse to the AWS License Manager User based subscription console.
  2. Select the product you want to share with directory consumer accounts.
  3. Choose Register Active Directory.
  4. Under Active Directory, select your AWS Managed Active Directory directory.
  5. Finish by selecting the VPC, subnets, and security group, then choose Register.

The registration process takes approximately 10 minutes to complete. Once AD registration completes successfully in the directory owner account, begin following the same process in the directory consumer accounts.

Step 5: Register Active Directory in the directory consumer accounts

  1. In the directory consumer account, browse to the AWS License Manager User based subscription console.
  2. Select the product name being shared from the directory owner account.
  3. Choose Register Active Directory.
  4. The shared directory will now be selectable from the drop-down list in the Active Directory section, noted with the (Shared) suffix after the directory ID.
    Screenshot of the AWS console showing the shared AWS Managed Microsoft AD domain is available in the drop-down list
    Figure 6: Active Directory registration for Microsoft Office Professional Plus
  5. Finish by selecting the VPC, subnets, and security group, then choose Register.

Step 6: Deploy Product Amazon Machine Images (AMIs)

Before you launch an Amazon EC2 instance, you must first create an Identity and Access Management (IAM) role to be assigned to the Amazon EC2 instance during creation.

  1. In the directory consumer account, browse to the IAM console.
  2. In the left pane, choose Roles, then choose Create role.
  3. In the Trusted entity type section, select AWS service. In the Use case section, select EC2, then choose Next.
  4. Add permissions for AmazonSSMManagedInstanceCore, then choose Next.
  5. Give the role a name, then choose Create role.

To use Microsoft Office or Visual Studio on Amazon EC2, you’ll need to use the specific AMIs that come with the software installed. These AMIs are not available as part of the Quick Start AMIs; they’re only available from the AWS Marketplace.

  6. In the directory consumer account, browse to the Amazon EC2 console.
  7. Choose Launch instance.
  8. Under the Application and OS Images section, choose Browse more AMIs.
  9. Select the AWS Marketplace AMIs tab, then use the search function for the product name. For example, “Office LTSC Professional Plus 2021”.
    Screenshot of the AWS console showing the Marketplace AMI for Office LTSC Professional Plus 2021
    Figure 7: AWS Marketplace AMI for Microsoft Office Professional Plus
  10. Choose Select, then choose Subscribe now in the pop-up window, then Confirm changes.
  11. Provide the EC2 instance with a Name, then select an Instance type and Key pair.
  12. Edit the Network settings section to select the VPC, subnet, and an existing security group that has network connectivity to the AWS Managed Microsoft AD in the owner account, as noted in the Prerequisite section.
  13. Expand Advanced details. In the IAM instance profile section, select Choose an existing IAM role from your account, then select the IAM instance profile you created from the dropdown list, then choose Launch instance.

Screenshot of the AWS console during the EC2 configuration process. The IAM role is available in the drop-down list.

Figure 8: Assigning the IAM instance profile

The newly launched Amazon EC2 instance will go through a series of health checks. If your instance changes to the Terminated status, it means it failed a health check. If this happens, you should review the prerequisites to verify network connectivity between your AWS accounts.

Step 7: Subscribe and associate users

The directory owner account will centrally manage user subscriptions for all directory consumer accounts. By doing so, the directory owner account will also own the subscription costs from all directory consumer accounts.

  1. In the directory owner account, browse to the AWS License Manager User based subscription console.
  2. Select the product where you want to subscribe users.
  3. Under the Users section, choose Subscribe users.
  4. Add each user’s logon name into the User name field, then choose Subscribe. This process will take approximately 5 minutes to complete.
  5. User association can be configured from the directory consumer or directory owner accounts. To associate users, in the left pane of the AWS License Manager console, choose User association.
  6. Select the instance, then choose Associate users.
  7. Add each user’s logon name into the User name field*, then choose Associate users.
    *The User name field is case sensitive and can display errors if it doesn’t exactly match the user name entered when subscribing the user in step 4 of this section.

You should now be able to log into the Amazon EC2 instance in the directory consumer account using a subscribed AD user.
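The walkthrough above, as an added AWS CLI script that is not part of the original post: each function wraps one console step, so the same steps can be repeated for every directory consumer account without clicking through the console. The directory, account, subnet, security group, license and instance IDs passed in are constructed placeholders, and the flag and enum names (such as `OFFICE_PROFESSIONAL_PLUS` and the `--allowed-operations` values) are quoted from the AWS CLI reference as recalled and are an assumption to confirm with `aws <service> <command> help` before use.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: AWS CLI equivalents of the
# console steps in the walkthrough. Source this file, then run the owner_*
# functions with directory owner account credentials and the consumer_*
# functions with a directory consumer account's credentials. All IDs are
# constructed placeholders; flag and enum names are an assumption to verify.
set -eu
: "${AWS:=aws}"   # CLI command to call; overridable so it can be stubbed

# Share the AWS Managed Microsoft AD with a directory consumer account (owner).
owner_share_directory() {        # $1 directory id, $2 consumer account id
  $AWS ds share-directory --directory-id "$1" --share-method ORGANIZATIONS \
    --share-target "Id=$2,Type=ACCOUNT" --share-notes "License Manager user subscriptions"
}
# Accept the shared directory (consumer); the directory id stays the same.
consumer_accept_directory() {    # $1 directory id
  $AWS ds accept-shared-directory --shared-directory-id "$1"
}
# Grant the aggregated license to a directory consumer account (owner).
owner_create_grant() {           # $1 license arn, $2 consumer account id, $3 home region
  $AWS license-manager create-grant --client-token "grant-to-$2" --grant-name "share-to-$2" \
    --license-arn "$1" --principals "arn:aws:iam::$2:root" --home-region "$3" \
    --allowed-operations CheckoutLicense CheckInLicense ExtendConsumptionLicense ListPurchasedLicenses
}
# Accept and activate the granted license (consumer).
consumer_activate_grant() {      # $1 grant arn
  $AWS license-manager accept-grant --grant-arn "$1"
  $AWS license-manager create-grant-version --client-token "activate-grant" --grant-arn "$1" --status ACTIVE
}
# Register Active Directory for a product (owner first, then each consumer).
register_directory() {           # $1 directory id, $2 product, $3 subnet ids (comma-separated), $4 security group id
  $AWS license-manager-user-subscriptions register-identity-provider \
    --identity-provider "ActiveDirectoryIdentityProvider={DirectoryId=$1}" \
    --product "$2" --settings "Subnets=$3,SecurityGroupId=$4"
}
# Subscribe a user, then associate them with a consumer-account instance (owner).
# The user name is case sensitive and must be spelled identically in both calls.
owner_subscribe_and_associate() { # $1 directory id, $2 product, $3 user name, $4 instance id
  local idp="ActiveDirectoryIdentityProvider={DirectoryId=$1}"
  $AWS license-manager-user-subscriptions start-product-subscription \
    --username "$3" --product "$2" --identity-provider "$idp"
  $AWS license-manager-user-subscriptions associate-user \
    --username "$3" --instance-id "$4" --identity-provider "$idp"
}
```

Because the user name is passed from a single variable to both the subscribe and associate calls, the case mismatch the walkthrough warns about cannot occur when the script is used.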

Rollback Options

Disassociate and unsubscribe users

  1. From the directory owner account, browse to the AWS License Manager User based subscription console.
  2. In the left pane, choose User association.
  3. Select the instance the user is associated with, then choose View details.
  4. Select the user account, then choose Disassociate users, and then choose Disassociate users in the pop-up window.
  5. Select the Product name where you want to unsubscribe users.
  6. In the top right corner, choose View in Settings.
  7. Under the Users section, select a user, then choose Unsubscribe users.
  8. Confirm the changes, then choose Unsubscribe.

Deregister Active Directory

  1. From the directory consumer account, browse to the AWS License Manager User based subscription console.
  2. Select the Product name where you want to deregister Active Directory.
  3. In the top right corner, choose View in Settings.
  4. Under the Active Directory section, choose Deregister Active Directory.
  5. In the pop-up window, choose Deregister.

Unshare the AWS Managed Microsoft AD directory

  1. From the directory consumer account, browse to the AWS Directory Services console.
  2. In the left pane, under Active Directory, choose Directories shared with me.
  3. Select the directory and then choose Delete.
  4. In the pop-up window, confirm the deletion and then choose Delete.

Deactivate license grants

  1. From the directory consumer account, browse to the AWS License Manager console.
  2. In the left pane, choose Granted licenses.
  3. Choose the License ID of the granted license you want to deactivate.
  4. In the top right corner, choose Deactivate license.
  5. Follow the prompts to confirm, then choose Deactivate.

Conclusion

In this blog, we have reviewed how AWS Managed Microsoft Active Directory can be shared to multiple AWS accounts to simplify and centralize user management for AWS License Manager user subscription services. To get started, visit https://aws.amazon.com/license-manager/.

Chase Lindeman

Chase Lindeman is a Senior Specialist Solutions Architect at Amazon Web Services with over 20 years of experience working with Microsoft technologies. He has expertise in running Microsoft workloads on AWS with specialization in migrations, cost optimization, and infrastructure architecture.

Tanuvir Singh

Tanuvir Singh serves as a Lead Engineer at Amazon Web Services (AWS), where he specializes in AWS Marketplace and License Manager solutions. His primary focus is on developing and optimizing user-based subscription licenses, playing a crucial role in helping customers efficiently migrate their workloads to the AWS cloud.