Restrict the Office Web Apps Edit License to an AD Group
Requirement: SharePoint 2013 Office Web Apps “Edit in Browser” feature needs to be limited to Microsoft Office Volume license users.
Solution: License Enforcement in Office Web Apps 2013
The overall idea for the solution: create a new security group in AD and add the users who are allowed to use the edit option in Office Web Apps. Then, from SharePoint, enable user licensing and map this AD group to the “Office Web Apps Edit” license.
Step 1: Create an AD Security Group
Log in to your domain controller and create a new security group to hold the users who can use the Edit feature in Office Web Apps. Add members to it. Here is mine: OWA Editors!
Step 2: Configure OWA and SharePoint to Enforce Licensing:
Log in to your Office Web Apps Server, create a new Office Web Apps Farm with the “-EditingEnabled” switch.
New-OfficeWebAppsFarm -InternalUrl "https://was.crescent.com" -ExternalUrl "https://was.crescent.com" -CertificateName "Crescent Hosting Certificate" -AllowHTTP -SSLOffLoaded -EditingEnabled
For existing OWA farms, set the EditingEnabled switch:
Set-OfficeWebAppsFarm -EditingEnabled
From the SharePoint server, enable user licensing enforcement and add a new mapping:
Check whether the licensing enforcement is enabled with the cmdlet: Get-SPUserLicensing. If it is false, enable it with:
Enable-SPUserLicensing
Once it’s enabled, verify the licenses created:
Get-SPUserLicense
This should return user licenses: Enterprise, Standard, Project, OfficeWebAppsEdit, etc.
Now, you can map the AD security group with the Office Web Apps Edit license:
$LicenseMapping = New-SPUserLicenseMapping -SecurityGroup "OWA Editors" -License OfficeWebAppsEdit
$LicenseMapping | Add-SPUserLicenseMapping
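The SharePoint-side steps above, combined into one re-runnable script that checks the current state before changing it. This is an added example, not part of the original post; it assumes the `Enabled` and `License` property names from the cmdlets' default output and reuses the group name from Step 1.

```powershell
# Added example: re-runnable version of the SharePoint-side steps above.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$GroupName   = "OWA Editors"         # AD security group created in Step 1
$LicenseName = "OfficeWebAppsEdit"   # license name as listed by Get-SPUserLicense

# 1. Turn on user license enforcement only if it is currently off.
#    Assumption: the returned object exposes an 'Enabled' property.
if (-not (Get-SPUserLicensing).Enabled) {
    Enable-SPUserLicensing
    Write-Host "User licensing enforcement enabled."
}

# 2. Confirm the license exists in this farm before mapping a group to it.
#    Assumption: the returned objects expose a 'License' property.
$available = Get-SPUserLicense | Where-Object { $_.License -eq $LicenseName }
if (-not $available) {
    throw "License '$LicenseName' was not returned by Get-SPUserLicense."
}

# 3. Add the mapping unless a mapping for this license already exists.
#    An existing mapping is printed for review instead of being duplicated,
#    so an unexpected group holding the edit license is noticed here.
$existing = Get-SPUserLicenseMapping | Where-Object { $_.License -eq $LicenseName }
if ($existing) {
    Write-Warning "A mapping for '$LicenseName' already exists. Review it:"
    $existing | Format-List
}
else {
    New-SPUserLicenseMapping -SecurityGroup $GroupName -License $LicenseName |
        Add-SPUserLicenseMapping
    Write-Host "Mapped '$GroupName' to '$LicenseName'."
}

# 4. Show the final state for the change record.
Get-SPUserLicensing
Get-SPUserLicenseMapping | Format-List
```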
Result:
Users who are members of the AD group “OWA Editors” will get “Edit” options from Office Web Apps, and the rest get only the “View” option.
Office Web Apps with View Option:
Office Web Apps with Editing Option enabled:
Important: Adding users to the AD security group will not take effect immediately!
This is by design! When you add users to or remove users from the dedicated AD group, the change doesn’t take effect immediately because SharePoint syncs every 10 hours! To overcome this, you can change these time intervals as described in: SharePoint – Active Directory Security Group Membership Sync Problem and Solution