Restrict Office Web Apps Edit License within a AD Group

Requirement: SharePoint 2013 Office Web Apps “Edit in Browser” feature needs to be limited to Microsoft Office Volume license users.

Solution: License Enforcement in Office Web Apps 2013

The overall idea for the solution is: Create a new security group in AD, Add users to it – who are allowed to use the edit option in Office web Apps. From SharePoint, Enable user licensing and map this AD group with the “Office Web Apps Edit” license.

Step 1: Create an AD Security Group

Login to your domain controller, create a new security group to hold users who can use the Edit feature in office Web Apps. Add members to it. Here is mine: OWA Editors!

office web apps edit in browser

Step 2: Configure OWA and SharePoint to Enforce Licensing:

Log in to your Office Web Apps Server, create a new Office Web Apps Farm with the “-EditingEnabled” switch.

New-OfficeWebAppsFarm -InternalUrl "https://was.crescent.com" -ExternalUrl "https://was.crescent.com" -CertificateName "Crescent Hosting Certificate" -AllowHTTP -SSLOffLoaded -EditingEnabled

For Existing OWA Farms, Set Editing Enabled Switch:

Set-OfficeWebAppsFarm -EditingEnabled

From SharePoint Server, Enable User licensing Enforcement and Add a new mapping: 
Check whether the licensing enforcement is enabled with the cmdlet: Get-SPUserLicensing. If it is false, enable it with:

Enable-SPUserLicensing

Once it’s enabled, verify the licenses created:

Get-SPUserLicense

This should return user licenses: Enterprise, Standard, Project, OfficeWebAppsEdit, etc.

 office web apps edit license

Now, you can map the AD security group with the Office Web Apps Edit license:

$LicenseMapping = New-SPUserLicenseMapping -SecurityGroup "OWA Editors" -License OfficeWebAppsEdit
$LicenseMapping | Add-SPUserLicenseMapping

Result:

Users who are members of the AD group “OWA Editors” will get “Edit” options from Office Web Apps, and the rest gets only the “View” option.

Office Web Apps with View Option:

 office web apps 2013 edit in browser

Office Web Apps with Editing Option enabled:
sharepoint 2013 office web apps edit in browser

Important: Adding users to the AD Security group will not take effect immediately!
This is by design! When you add/remove users to the dedicated AD group, it doesn’t take effect immediately because SharePoint sync every 10 hours! To overcome, you can change these time intervals as in: SharePoint – Active Directory Security Group Membership Sync Problem and Solution

Same approach applies when you want to restrict users from using SharePoint 2013 Enterprise license!

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with Two decades of SharePoint Experience. He loves sharing his knowledge and experiences with the SharePoint community, through his real-world articles!

One thought on “Restrict Office Web Apps Edit License within a AD Group

Leave a Reply