Monday, June 1, 2015

Restrict Office Web Apps Edit License to an AD Group

Requirement: The SharePoint 2013 Office Web Apps "Edit in Browser" feature needs to be limited to users who have a Microsoft Office Volume license.

Solution: License Enforcement in Office Web Apps 2013
The overall idea for the solution is: create a new security group in AD and add to it the users who are allowed to use the edit option in Office Web Apps. Then, from SharePoint, enable user licensing and map this AD group to the "Office Web Apps Edit" license.

Step 1: Create an AD Security Group
Log in to your domain controller and create a new security group to hold the users who are allowed to use the Edit feature in Office Web Apps. Add members to it. Here is mine: OWA Editors!


Step 2: Configure OWA and SharePoint to Enforce Licensing:
Log in to your Office Web Apps server and create a new Office Web Apps farm with the "EditingEnabled" switch:
New-OfficeWebAppsFarm -InternalUrl "" -ExternalUrl "" -CertificateName "Crescent Hosting Certificate" -AllowHTTP -SSLOffLoaded -EditingEnabled

For existing OWA farms, set the EditingEnabled switch:
Set-OfficeWebAppsFarm -EditingEnabled

From SharePoint Server, enable user licensing enforcement and add a new mapping:
Check whether license enforcement is enabled with the cmdlet Get-SPUserLicensing. If it's false, enable it with:
Once it's enabled, verify the licenses created:
This should return the user licenses: Enterprise, Standard, Project, OfficeWebAppsEdit, etc.

Now, you can map the AD security group with the Office Web Apps Edit license:
$LicenseMapping = New-SPUserLicenseMapping -SecurityGroup "OWA Editors" -License OfficeWebAppsEdit
$LicenseMapping | Add-SPUserLicenseMapping

Users who are members of the AD group "OWA Editors" will get the "Edit" options in Office Web Apps. Everyone else gets only the "View" option.
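
The SharePoint-side steps above as one re-runnable script; this is an added example, not code from the original post. It uses the post's group name and license, and the property names it reads (Enabled, License, SecurityGroup) are assumptions about the cmdlets' default output.

```powershell
# Added example, not from the original post. Run in an elevated SharePoint 2013
# Management Shell on a farm server. Group name and license come from the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$GroupName   = "OWA Editors"          # AD security group from Step 1
$LicenseName = "OfficeWebAppsEdit"    # license being restricted

# 1. Turn on license enforcement only if it is currently off.
#    Assumption: the status object exposes a boolean 'Enabled' property.
if (-not (Get-SPUserLicensing).Enabled) {
    Enable-SPUserLicensing
    Write-Host "User license enforcement enabled."
}

# 2. Confirm the farm knows the license before mapping a group to it.
#    Assumption: each Get-SPUserLicense result has a 'License' property.
$known = Get-SPUserLicense | ForEach-Object { "$($_.License)" }
if ($known -notcontains $LicenseName) {
    throw "License '$LicenseName' was not returned by Get-SPUserLicense."
}

# 3. Add the mapping once, so re-running the script creates no duplicates.
#    Assumption: mappings expose 'License' and 'SecurityGroup' properties.
$existing = Get-SPUserLicenseMapping | Where-Object {
    "$($_.License)" -eq $LicenseName -and "$($_.SecurityGroup)" -like "*$GroupName*"
}
if ($existing) {
    Write-Host "Mapping for '$GroupName' is already present."
} else {
    New-SPUserLicenseMapping -SecurityGroup $GroupName -License $LicenseName |
        Add-SPUserLicenseMapping
    Write-Host "Mapped '$GroupName' to $LicenseName."
}

# 4. List every mapping for this license. Each group shown here grants edit
#    rights, so an entry you did not expect is worth reviewing.
Get-SPUserLicenseMapping |
    Where-Object { "$($_.License)" -eq $LicenseName } |
    Format-List
```

Reviewing the step 4 output periodically keeps the set of groups that can edit in the browser limited to the one you intended.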

[Screenshot: Office Web Apps with View option]

[Screenshot: Office Web Apps with Editing option enabled]

Important: Adding users to the AD security group will not take effect immediately!
This is by design! When you add or remove users in the dedicated AD group, the change doesn't take effect immediately, because SharePoint does this sync every 10 hours. To overcome this, you can change these time intervals as described in: SharePoint - Active Directory Security Group Membership Sync Problem and Solution
The same approach applies when you want to restrict users from using the SharePoint 2013 Enterprise license!
