Azure Virtual Desktop is one of the most cost-effective ways to deliver managed desktops at scale, but only if you get the licensing right. In practice, I’ve seen organisations running AVD deployments where 30–40% of their monthly licensing bill is pure waste: the wrong tier assigned to the wrong users, stale accounts from employees who left six months ago, and expensive E5 licences handed out like confetti because nobody questioned whether E3 would do the job.
This guide is written from the trenches. It covers everything from the foundational rules of AVD licensing eligibility, through to the KQL queries and Entra ID automation that will let you reclaim wasted spend on autopilot.
- 25%: Average AVD licensing overspend in organisations with 500+ users
- $120K: Annual waste on a 1,000-user deployment when E5 is assigned instead of E3
- $27K: Annual savings by migrating 500 shift workers from E3 to F3
- 80%: Reduction in manual offboarding overhead with Lifecycle Workflows
AVD licensing fundamentals: What you’re actually paying for
Before optimising, you need to understand the two distinct layers of AVD cost: user entitlement licences (who can access AVD) and infrastructure costs (the VMs, storage, and networking behind it). Most organisations conflate these and optimise the wrong one. This guide focuses on the user licence layer, which is almost always the bigger opportunity.
Which licences grant internal AVD access?
Microsoft grants Azure Virtual Desktop access rights as part of the following subscriptions:
| Licence | Includes AVD? | Notes |
|---|---|---|
| Microsoft 365 E3 / E5 | Yes | Full AVD access; E5 adds advanced security features |
| Microsoft 365 F3 | Yes | Full AVD access for frontline workers (often overlooked) |
| Microsoft 365 F1 | Limited | Read-only M365 app access; not suitable for full AVD desktop use |
| Microsoft 365 Business Premium | Yes | All-in-one for SMBs (capped at 300 users) |
| Windows 10/11 Enterprise E3/E5 | Yes | Per-user VDA entitlement; bundle with M365 or standalone |
| Microsoft 365 A3/A5 (Education) | Yes | Includes Student Use Benefit |
The Windows multi-session rule you cannot ignore
Windows 10 and Windows 11 Enterprise multi-session editions are exclusive to Azure Virtual Desktop. You cannot run them legally on any other platform, not in on-premises Hyper-V, not in other clouds. This is a hard licensing boundary. If your host pools run multi-session OS images, confirm you’re running them in AVD and not an unauthorised environment before any compliance audit.
RDS CALs vs AVD: where organisations waste money
Remote Desktop Services Client Access Licences (RDS CALs) are not required when your session hosts run Windows 10 or Windows 11 Enterprise multi-session. Your M365 E3/E5 or Windows Enterprise per-user licence already provides the VDA entitlement needed. RDS CALs are only required when session hosts run Windows Server, and many organisations carry both unnecessarily because they migrated from an RDS-on-Server setup to AVD on client OS without auditing their CAL inventory.
Common compliance trap: ISVs using SPLA RDS SAL licences on Azure must transition before September 30, 2025. After that date, SPLA RDS SAL licensing on Azure is no longer available. If your organisation has ISV tenants on this model, prioritise migration now.
External users: Per-User Access Pricing
If you’re streaming apps or desktops to users who don’t have M365 licences (e.g., contractors, customers, or external partners), Microsoft provides a separate Per-User Access Pricing model. Two tiers exist: “Apps” (RemoteApp only) and “Desktops + Apps” (full desktop access). Critical note: these licences grant AVD access rights only; they do not include Office, Defender, or Intune. External users must be on a separate enrolled subscription from internal users to prevent double-billing.
Choosing the right licence tier for each user type
The single biggest source of licence waste I encounter is flat-rate E5 assignment. Every user gets E5 because it’s the top SKU, someone approved it once, and nobody has revisited it since. Here’s a practical breakdown of what each tier actually delivers for an AVD user and who genuinely needs it.
| SKU | Approx. Cost/User/Month | Best Fit | AVD Suitability |
|---|---|---|---|
| M365 F3 | ~$8 | Shift workers, retail, manufacturing, healthcare frontline staff | Full AVD access |
| M365 E3 | ~$36 | Standard knowledge workers: email, Teams, Office, basic DLP | Full AVD access + Intune P1 + Entra P1 |
| M365 E5 | ~$57 | Roles needing advanced compliance, eDiscovery, Insider Risk, Defender P2 | Full AVD access + advanced security |
| Business Premium | ~$22 | SMBs under 300 users needing Intune + Entra P1 + Defender | Full AVD access |
| Windows Ent E3 (standalone) | ~$7 | VDA-only scenarios; user already has separate productivity licence | AVD access only (no M365 apps included) |
The F3 opportunity: Microsoft 365 F3 at ~$8/user/month grants full Azure Virtual Desktop access rights. If your organisation has a population of shift workers, warehouse operatives, retail staff, or healthcare frontline workers who need AVD access but do not work a standard 9-to-5 knowledge-worker day, F3 is your lever. Moving 500 users from E3 to F3 saves approximately $28/user/month × 500 = $14,000/month, $168,000/year. The F3 eligibility rule: the user must be a frontline worker who does not primarily work from a desktop environment.
Do you really need E5 for everyone?
E5 is genuinely valuable, but only for specific roles. The features that differentiate E5 from E3 are: Microsoft Defender XDR Plan 2, Microsoft Purview Advanced Compliance, Insider Risk Management, Communication Compliance, Advanced Audit, and eDiscovery. Ask yourself: does a warehouse operative using AVD to access a line-of-business app need Insider Risk Management? Almost certainly not. A practical rule of thumb: fewer than 20% of users in most AVD deployments have a genuine business need for E5. The remainder can be served by E3 without any functional loss.
Smart licence assignment: groups, dynamic membership, and automation
Manual per-user licence assignment is how waste begins. As soon as you’re assigning licences individually, you lose the ability to enforce policy at scale and you create gaps in offboarding. The right architecture is always group-based.
Group-based licensing in Entra ID
Microsoft Entra ID (formerly Azure AD) supports assigning licences to security groups, so every member of the group inherits the licence automatically. As of September 2024, group-based licence assignment is managed exclusively through the Microsoft 365 Admin Center. The Entra portal no longer handles licence assignment. Key constraints to know:
- Group-based licensing does not support nested groups; only direct first-level members are licensed
- Licence conflicts are reported in the admin centre and must be resolved manually
- Removing a user from a licensed group immediately revokes the licence (with a grace period for active sessions)
Dynamic groups for automated tier assignment
Entra ID P1 (included in M365 E3) enables dynamic membership groups, i.e. groups whose members are determined by rules evaluated against user attributes. This is the engine behind automated licence assignment. Example rules:
```
// Frontline workers → F3 licence group
(user.department -eq "Frontline") or (user.jobTitle -contains "Associate")

// Standard knowledge workers → E3 licence group
(user.department -ne "Frontline") and (user.userType -eq "Member")

// Power users requiring E5 → must be explicitly approved
(user.extensionAttribute1 -eq "E5Approved")
```
With these rules in place, a new hire added with the correct department attribute is automatically placed in the right licensed group, with no manual ticket, no forgotten assignment. And when an employee transfers from Frontline to a knowledge-worker role, their department attribute update triggers an automatic licence tier change.
Entra ID P1 requirement: Dynamic groups require Entra ID P1 per unique user who is a member of the dynamic group. This is already included in M365 E3 and E5, so there is no additional cost if your primary user population already holds E3.
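The following script is an added example, not code from the article or from Turbo360: it creates the three licence groups with the membership rules above and attaches a SKU to each one through Microsoft Graph PowerShell. It assumes the Microsoft.Graph module, an account with Group.ReadWrite.All and Organization.Read.All, the T360-LIC-* group names used later in this guide's action plan, and that SPE_F1, SPE_E3 and SPE_E5 are the SkuPartNumber values for M365 F3, E3 and E5 in your tenant (confirm with Get-MgSubscribedSku). One change to the article's rules is made deliberately: the E3 rule also excludes E5-approved users, because as written a knowledge worker tagged E5Approved would otherwise land in both dynamic groups and be double-licensed.

```powershell
# Added example (not the article's own code). Creates dynamic licence groups from the
# article's rules and attaches one SKU per group via Graph. Group names and SKU part
# numbers are assumptions; verify SkuPartNumber values with Get-MgSubscribedSku.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All' -NoWelcome

# Resolve a SKU part number (e.g. SPE_E3) to the SkuId in this tenant.
function Get-SkuIdByPartNumber {
    param([Parameter(Mandatory)][string]$PartNumber)
    $sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $PartNumber
    if (-not $sku) { throw "SKU $PartNumber is not present in this tenant" }
    return $sku.SkuId
}

# Create a security group: dynamic when a membership rule is supplied, assigned otherwise.
function New-LicenceGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$MembershipRule   # omit for the manually approved E5 group
    )
    $params = @{
        DisplayName     = $DisplayName
        MailEnabled     = $false
        MailNickname    = ($DisplayName -replace '[^A-Za-z0-9]', '')
        SecurityEnabled = $true
        Description     = 'AVD licence assignment group (do not nest; only direct members are licensed)'
    }
    if ($MembershipRule) {
        $params['GroupTypes']                    = @('DynamicMembership')
        $params['MembershipRule']                = $MembershipRule
        $params['MembershipRuleProcessingState'] = 'On'
    }
    return New-MgGroup @params
}

# Rules from the article. The E3 rule additionally excludes E5-approved users so that
# nobody is a member of both the E3 and the E5 group at the same time.
$tiers = @(
    @{ Name = 'T360-LIC-F3'; Sku = 'SPE_F1'
       Rule = '(user.department -eq "Frontline") or (user.jobTitle -contains "Associate")' }
    @{ Name = 'T360-LIC-E3'; Sku = 'SPE_E3'
       Rule = '(user.department -ne "Frontline") and (user.userType -eq "Member") and (user.extensionAttribute1 -ne "E5Approved")' }
    @{ Name = 'T360-LIC-E5'; Sku = 'SPE_E5'; Rule = $null }   # assigned group: membership requires approval
)

foreach ($tier in $tiers) {
    $group = New-LicenceGroup -DisplayName $tier.Name -MembershipRule $tier.Rule
    # Attach the SKU to the group; every direct member now inherits the licence.
    Set-MgGroupLicense -GroupId $group.Id `
        -AddLicenses @(@{ SkuId = (Get-SkuIdByPartNumber $tier.Sku) }) `
        -RemoveLicenses @()
    Write-Host "Created $($tier.Name) and attached $($tier.Sku)"
}
```

Run it once per tenant; dynamic membership is evaluated in the background, so allow a few minutes before checking the member count and the licence conflict report in the admin centre.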
Bulk assignment via Microsoft Graph PowerShell
For one-time migrations or batch corrections, Microsoft Graph PowerShell provides the most scalable approach. You can export current licence assignments, compare against active usage, and push corrections in bulk, far faster than the admin centre UI for deployments over 200 users.
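As an added example (not from the article), the script below exports every user's licence assignments with readable SKU names and, for each assignment, whether it was inherited from a group or assigned directly to the user. Direct assignments are the ones that escape group-based governance, and licensed-but-disabled accounts are the forgotten leavers, so both are summarised at the end. It assumes the Microsoft.Graph module and the User.Read.All and Organization.Read.All scopes; the output path is an example value.

```powershell
# Added example (not the article's own code). Exports licence assignments with SKU
# names and assignment source (group vs direct). Output path is an example value.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All' -NoWelcome

# SkuId -> SkuPartNumber lookup (e.g. SPE_E5) so the export is human-readable.
$skuNames = @{}
Get-MgSubscribedSku -All | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

function Export-LicenceAssignments {
    param([string]$Path = '.\licence-assignments.csv')
    $users = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,licenseAssignmentStates'
    $rows = foreach ($user in $users) {
        foreach ($state in $user.LicenseAssignmentStates) {
            [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                AccountEnabled    = $user.AccountEnabled
                Sku               = $skuNames[$state.SkuId]
                # AssignedByGroup is empty when the licence was assigned directly to the user
                Source            = if ($state.AssignedByGroup) { 'Group' } else { 'Direct' }
                State             = $state.State   # Active, ActiveWithError, Error or Disabled
            }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return $rows
}

$assignments = Export-LicenceAssignments

# Direct assignments of the AVD-bearing SKUs: candidates to move into the licence groups.
$assignments |
    Where-Object { $_.Source -eq 'Direct' -and $_.Sku -in @('SPE_F1', 'SPE_E3', 'SPE_E5') } |
    Group-Object Sku | Select-Object Name, Count | Format-Table -AutoSize

# Licensed but disabled accounts: still billed, no longer used.
$assignments |
    Where-Object { -not $_.AccountEnabled } |
    Select-Object UserPrincipalName, Sku, Source | Format-Table -AutoSize
```

Once the direct assignments are moved into the groups, the same export run again should show Source = Group for every AVD SKU; any remaining Direct rows are exceptions worth a ticket.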
Detecting waste before it compounds
You cannot optimise what you cannot see. Most organisations discover their licence waste during a quarterly business review, which means they’ve been paying for it for months. Here are the four detection tools that matter most.
1. AVD diagnostics + Log Analytics (WVD tables)
Azure Virtual Desktop natively integrates with Log Analytics through diagnostic settings on your host pools and workspaces. All AVD tables are prefixed with WVD. The most important for licence optimisation is WVDConnections, which logs every user connection with timestamps.
Run this KQL query to identify users who hold licences but haven’t connected to AVD in the past 30 days:
```kusto
// Users with at least one connection in the last 90 days whose most recent
// connection is older than 30 days. A licensed user with no WVDConnections row
// at all in the 90-day window does not appear here; find those by joining the
// licence export against this result instead of relying on this query alone.
WVDConnections
| where TimeGenerated > ago(90d)
| summarize lastConnection=max(TimeGenerated) by UserName
| where lastConnection < ago(30d)
| order by lastConnection asc
```
Any user in this result set is a candidate for licence review. Cross-reference against Entra ID sign-in logs to confirm whether they’re active in other M365 workloads before removing their AVD group membership.
2. Microsoft 365 usage analytics
The Microsoft 365 Admin Center provides a 12-month usage analytics report (under Reports > Usage) that shows per-user app adoption. The Tenant Office Licenses table is particularly useful: it flags users who are assigned licences but barely using the M365 apps included in them. Users who haven’t opened Word, Excel, Teams, or Outlook in 60+ days are strong candidates for licence review or downgrade.
3. Entra ID Sign-in logs
Entra ID sign-in logs (available for 30 days with P1/P2, 7 days on free tier) give you a full picture of user authentication activity across all apps, including AVD. Filter by application name Windows Virtual Desktop or by the specific app registrations in your tenant. Users with zero sign-in events in 60 days should trigger an automated review.
4. Azure Monitor workbooks for AVD Insights
Azure Virtual Desktop Insights provides pre-built Azure Monitor Workbooks covering session activity, connection reliability, and host performance. While the out-of-box workbooks don’t directly visualise licence assignment, you can build a custom workbook that joins WVDConnections data with a CSV export of your current licence assignments to create a combined licence utilisation view.
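The combined licence utilisation view described here, and the cross-reference step that follows the KQL query above, can be built offline before you wire anything into a workbook. The script below is an added example, not the article's code: it takes a set of WVDConnections rows and a licence export, computes each licensed user's last connection, and labels them Active, Inactive or NeverConnected. Starting the join from the licence list is what surfaces the last category, which the KQL query by itself cannot return. Both data sets are constructed inline for illustration; in production replace them with the query output (for example via Invoke-AzOperationalInsightsQuery) and the admin-centre licence CSV.

```powershell
# Added example (not the article's own code). Joins WVDConnections-style rows with a
# licence export to produce a per-user utilisation view. All input data below is
# constructed for illustration; the tenant name contoso.example is a placeholder.
$asOf = Get-Date '2025-06-30'

# Constructed WVDConnections rows (one row per connection event)
$connections = @(
    [pscustomobject]@{ UserName = 'alice@contoso.example'; TimeGenerated = Get-Date '2025-06-28'; State = 'Connected' }
    [pscustomobject]@{ UserName = 'alice@contoso.example'; TimeGenerated = Get-Date '2025-06-01'; State = 'Connected' }
    [pscustomobject]@{ UserName = 'bob@contoso.example';   TimeGenerated = Get-Date '2025-05-10'; State = 'Connected' }
    [pscustomobject]@{ UserName = 'carol@contoso.example'; TimeGenerated = Get-Date '2025-03-15'; State = 'Connected' }
)

# Constructed licence export (one row per user and SKU)
$licences = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; Sku = 'SPE_E3' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   Sku = 'SPE_E5' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; Sku = 'SPE_E3' }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  Sku = 'SPE_E5' }   # licensed, never connected
)

function Get-LicenceUtilisation {
    param(
        [Parameter(Mandatory)][object[]]$Connections,
        [Parameter(Mandatory)][object[]]$Licences,
        [datetime]$AsOf = (Get-Date),
        [int]$InactiveDays = 30
    )
    # Last connection per user: the same aggregation the KQL summarize performs.
    $last = @{}
    foreach ($c in $Connections) {
        $key = $c.UserName.ToLowerInvariant()
        if (-not $last.ContainsKey($key) -or $c.TimeGenerated -gt $last[$key]) {
            $last[$key] = $c.TimeGenerated
        }
    }
    # Drive the output from the licence list so users with no connections still appear.
    foreach ($l in $Licences) {
        $lastSeen = $last[$l.UserPrincipalName.ToLowerInvariant()]
        $status = if (-not $lastSeen)                                   { 'NeverConnected' }
                  elseif ($lastSeen -lt $AsOf.AddDays(-$InactiveDays)) { 'Inactive' }
                  else                                                  { 'Active' }
        [pscustomobject]@{
            UserPrincipalName = $l.UserPrincipalName
            Sku               = $l.Sku
            LastConnection    = $lastSeen
            DaysSinceLast     = if ($lastSeen) { [int]($AsOf - $lastSeen).TotalDays } else { $null }
            Status            = $status
        }
    }
}

Get-LicenceUtilisation -Connections $connections -Licences $licences -AsOf $asOf |
    Sort-Object Status, DaysSinceLast -Descending |
    Format-Table -AutoSize
```

With the constructed data, alice is Active, bob and carol are Inactive (51 and 107 days), and dave is NeverConnected despite holding E5. Before acting on Inactive or NeverConnected rows, check Entra sign-in activity for other M365 workloads, as the text above advises; the two fields can be added to the output object from the licence export if your tenant includes them.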
Pre-requisite check: AVD Diagnostics only works if diagnostic settings are enabled on your host pools and workspaces. Navigate to each host pool in the Azure portal → Diagnostic settings → Add diagnostic setting → select WVDConnections, WVDErrors, WVDManagement → route to your Log Analytics workspace. This is commonly missed in older deployments.
Cost optimisation techniques that actually move the needle
Layer 1: Licence tier right-sizing
Run a usage report for every user currently on E5. For each one, ask: has this user triggered any of the E5-exclusive workloads in the last 90 days? (Insider Risk alerts, Advanced eDiscovery holds, Defender P2 incidents, Communication Compliance policies.) If the answer is no, the user is a candidate for E3. The cost delta is ~$21/user/month, so on a 200-user E5 → E3 conversion, that’s $50,400/year returned to budget.
Layer 2: Frontline worker segmentation
Work with HR or Active Directory to identify users whose role classification qualifies as frontline. If they access AVD primarily to use a single line-of-business application, F3 at ~$8/month delivers the entitlement they need at a fraction of the E3 cost. Document the eligibility decision, as Microsoft audit rights apply, and you need a defensible record that F3 users genuinely meet the frontline worker definition.
Layer 3: FSLogix is already included: stop paying for it
FSLogix profile containers are included at no extra cost in M365 E3/E5, A3/A5, F1/F3, Business Premium, and Windows 10/11 Enterprise E3/E5. If your organisation purchased standalone FSLogix licences before migrating to one of these SKUs, you are paying for something you already own. The only separate cost for FSLogix is the Azure Files or Azure NetApp Files storage that hosts the profile containers; the software licence itself is bundled.
Layer 4: Shared Computer Activation: mandatory, not optional
When multiple users share a session host (pooled host pools), Microsoft 365 Apps for Enterprise must be configured with Shared Computer Activation (SCA). Without it, each Office installation attempts to tie itself to a single-user licence, causing activation errors and forcing users into reduced-functionality mode. SCA validates each signed-in user's M365 licence at session start. Enable it via Group Policy: Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 (Machine) > Licensing Settings > Use shared computer activation.
Layer 5: Infrastructure licence optimisation (separate from user licences)
While this guide focuses on user licences, two infrastructure levers are worth flagging for completeness:
- Azure Hybrid Benefit: If your session hosts run Windows Server and you hold on-premises Windows Server licences with Software Assurance, Hybrid Benefit reduces the OS component of VM cost by 40–50%. A minimum of 8 core licences is consumed per VM, even if the VM has fewer cores.
- Reserved Instances: For session hosts that run continuously (personal host pools, always-on pooled environments), 1-year Reserved Instances save 30–35% on compute versus pay-as-you-go. 3-year reservations save up to 72%. Combined with Hybrid Benefit, total VM cost reduction can reach 80%.
Separate your budgets: User licence spend (M365 subscriptions) and infrastructure spend (VM compute) belong in separate budget lines. Many organisations only optimise one because they model them together. The best AVD FinOps posture tracks and reviews them independently on different cadences.
Governance, access reviews, and automated offboarding
Detection and manual clean-up are not enough on their own. Without governance automation, the waste regenerates every quarter as new starters are over-licensed and leavers are forgotten. The goal is a system where licence hygiene maintains itself.
Entra ID access reviews
Entra ID Governance access reviews allow you to schedule recurring reviews of group membership, including your licence assignment groups. Configure quarterly reviews owned by the direct manager of each group member. If a manager doesn’t respond within the review window, you can configure auto-deny to remove the user from the group (and revoke the licence). This turns licence hygiene from a manual audit into an automated accountability loop.
Licensing note: Access reviews require Entra ID Governance (or the Entra ID Suite) per reviewed user. For most AVD deployments where users already hold E3 or E5 (which includes Entra P1), you will need to evaluate whether the additional Governance licence cost is justified by the savings recovered; it typically is for deployments over 300 users.
Lifecycle workflows for automated offboarding
Microsoft Entra Lifecycle Workflows, released to general availability in 2023, allow you to trigger automated sequences of tasks when specific user attributes change. The most important for licence management is the leaver workflow: when employeeLeaveDateTime is set in Entra ID (or when an HR system pushes the departure date via provisioning), Lifecycle Workflows can automatically:
- Remove the user from all licence assignment groups
- Disable the user account
- Revoke active sessions
- Remove AVD app group assignments
This eliminates the “forgotten leaver” problem, the most common single source of ongoing licence waste. Users no longer need an IT ticket to be offboarded; the process runs automatically on their last day.
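For tenants that have not yet licensed Lifecycle Workflows, or to see exactly what the leaver workflow will do before enabling it, the four steps above can be run as a script. The following is an added example rather than the article's or Microsoft's code. It assumes the Microsoft.Graph and Az modules, the T360-LIC-* group naming used later in this guide, that AVD app group access is granted through the built-in Desktop Virtualization User role on each application group, and a placeholder user leaver@contoso.example. The -WhatIf switch reports every action without changing anything.

```powershell
# Added example (not the article's own code). Scripted equivalent of the leaver
# workflow: remove licence groups, disable the account, revoke sessions, remove
# AVD app group assignments. Group prefix, role name and user are assumptions.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Import-Module Az.DesktopVirtualization
Import-Module Az.Resources

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome
Connect-AzAccount | Out-Null

function Invoke-LeaverOffboarding {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$LicenceGroupPrefix = 'T360-LIC-',
        [string]$AvdRoleName = 'Desktop Virtualization User',
        [switch]$WhatIf        # report only; nothing is changed
    )
    $user = Get-MgUser -UserId $UserPrincipalName -Property 'id,userPrincipalName,employeeLeaveDateTime'
    # Guard: only act on users whose departure date is set and has passed.
    if (-not $user.EmployeeLeaveDateTime -or $user.EmployeeLeaveDateTime -gt (Get-Date)) {
        Write-Warning "$UserPrincipalName has no past employeeLeaveDateTime; skipping"
        return
    }

    # 1. Remove the user from every licence assignment group (drops the licence at the next sync).
    $groups = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['displayName'] -like "$LicenceGroupPrefix*" }
    foreach ($g in $groups) {
        Write-Host "Remove $UserPrincipalName from $($g.AdditionalProperties['displayName'])"
        if (-not $WhatIf) { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id }
    }

    # 2. Disable the account so no new sign-in succeeds.
    Write-Host "Disable $UserPrincipalName"
    if (-not $WhatIf) { Update-MgUser -UserId $user.Id -AccountEnabled:$false }

    # 3. Revoke refresh tokens so existing sessions cannot be renewed.
    Write-Host "Revoke sessions for $UserPrincipalName"
    if (-not $WhatIf) { Revoke-MgUserSignInSession -UserId $user.Id | Out-Null }

    # 4. Remove AVD application group assignments (RBAC role on each app group).
    foreach ($appGroup in Get-AzWvdApplicationGroup) {
        $assignment = Get-AzRoleAssignment -ObjectId $user.Id -Scope $appGroup.Id -RoleDefinitionName $AvdRoleName
        if ($assignment) {
            Write-Host "Remove $UserPrincipalName from app group $($appGroup.Name)"
            if (-not $WhatIf) {
                Remove-AzRoleAssignment -ObjectId $user.Id -Scope $appGroup.Id -RoleDefinitionName $AvdRoleName
            }
        }
    }
}

# Dry run first; rerun without -WhatIf to apply.
Invoke-LeaverOffboarding -UserPrincipalName 'leaver@contoso.example' -WhatIf
```

Step 4 only covers direct role assignments; if users reach app groups through a group, remove them from that group in step 1 by widening the prefix filter. Keeping the guard on employeeLeaveDateTime mirrors the workflow trigger and prevents the script from offboarding someone whose date was entered in the future by mistake.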
Inactivity-based automation
Lifecycle Workflows also support inactivity triggers, meaning workflows that fire after a user hasn’t signed in for a configurable number of days (30, 60, or 90 days). You can configure these to: flag the user to their manager for review, move them to a restricted licence group, or disable the account pending confirmation. This catches the “on extended leave” edge case that pure departure-date workflows miss.
- Quarterly Access Reviews: Manager-owned reviews of licence group membership. Auto-revoke for non-responses. Catches role changes and forgotten transfers.
- Leaver Lifecycle Workflows: Automatic licence removal on employeeLeaveDateTime. Zero manual steps, zero forgotten licences from leavers.
- Monthly Usage Reports: Scheduled review of M365 Usage Analytics + WVDConnections data. Flags inactive users for manager review before the next billing cycle.
- Budget Alerts: Set Microsoft Cost Management budgets on your M365 subscription with 80% and 100% threshold alerts. Catches unexpected licence additions early.
The five most expensive licensing mistakes and how to avoid them
Mistake 1: Assigning E5 as the default SKU
E5 is ~$21/month more than E3. On a 500-user deployment where only 80 users genuinely need E5’s advanced security features, assigning E5 to everyone wastes $420/month × 420 users = $176,400/year. Fix: audit E5-exclusive feature usage in Purview compliance portal and Defender XDR. Any user with zero advanced feature activity in 90 days is an E3 candidate.
Mistake 2: Not removing licences when users leave
In a 500-person organisation with 15% annual turnover, 75 leavers per year leave licences active for an average of 3 months before IT catches up. At $36/user/month (E3) × 75 users × 3 months average exposure = $8,100/year in direct waste, plus compliance risk. Fix: implement Lifecycle Workflows with automatic group removal on departure date.
Mistake 3: Not leveraging F3 for frontline workers
Organisations often default all employees to E3 regardless of role. Frontline workers who access AVD for a single LOB application need F3 at most. The $28/user/month delta is significant at scale. Fix: work with HR to tag frontline workers in Active Directory by department or job title. Assign F3 via dynamic group rule.
Mistake 4: Buying RDS CALs for Windows 10/11 environments
Legacy RDS deployments used Windows Server hosts and required per-user or per-device CALs. When organisations migrate to AVD on Windows 10/11 Enterprise multi-session, the CAL requirement disappears, but the CAL purchases often don’t stop. The M365 or Windows Enterprise per-user licence already provides the VDA entitlement. Fix: audit host pool OS versions. If all hosts are client OS, RDS CALs are not required and can be removed from renewal.
Mistake 5: Over-buying standalone Entra ID P2
Entra ID P1 (included in E3) supports dynamic groups, conditional access, and self-service password reset, all features that cover the majority of AVD governance requirements. Entra P2 adds Privileged Identity Management (PIM) and risk-based access, which is genuinely valuable, but only for environments with a mature identity governance programme. Many organisations buy standalone P2 licences for all users when E3’s bundled P1 would suffice for 70% of them. Fix: identify the specific P2 features in use. If PIM and risk-based conditional access aren’t configured, P2 is not delivering value.
Your 30-day licence optimisation action plan
Here’s a structured sequence to move from your current state to a governed, optimised AVD licence model in 30 days.
- Enable AVD diagnostics (Days 1–2): If not already enabled, configure diagnostic settings on every host pool and workspace to send WVDConnections, WVDErrors, and WVDManagement data to a Log Analytics workspace. This is the data foundation for everything else.
- Run the inactive user query (Days 3–5): Execute the WVDConnections KQL query above to identify users with no AVD connections in 30+ days. Cross-reference with Entra sign-in logs. Build a list of candidates for licence review.
- Audit E5 assignments (Days 5–10): Export all E5-assigned users from M365 Admin Center. For each user, check Purview compliance portal and Defender XDR for any activity against E5-exclusive features in the past 90 days. Categorise as genuine E5 need vs. E3-sufficient.
- Identify frontline worker population (Days 8–12): Coordinate with HR to produce a list of users meeting the frontline worker definition. Confirm they hold appropriate department/job title attributes in Entra ID. Design the F3 dynamic group rule.
- Implement group-based licensing structure (Days 10–18): Create three security groups: T360-LIC-F3, T360-LIC-E3, T360-LIC-E5 (or equivalent naming). Configure dynamic rules for F3 and E3. Keep E5 as a managed/manual group requiring approval. Migrate users in batches, validating no service disruption before proceeding.
- Configure Lifecycle Workflows for leavers (Days 15–22): Build a leaver workflow triggered by employeeLeaveDateTime that removes users from all T360-LIC-* groups and disables the account. Test with a test user before production rollout. Confirm HR feeds departure dates to Entra ID.
- Schedule quarterly access reviews (Days 20–25): Configure Entra ID Governance access reviews for each licence group, owned by direct managers, running quarterly. Set auto-deny for non-responses after 14-day review window.
- Set up ongoing monitoring (Days 25–30): Create a scheduled Logic App or Azure Automation runbook to run the inactive user KQL query monthly and email results to the IT admin team. Add a Microsoft Cost Management budget alert on your M365 subscription for 90% threshold notification.
Turbo360 Cost Analyzer
Stop guessing. See exactly where your Azure spend is going
Managing AVD licence costs is one piece of the puzzle. Turbo360 Cost Analyzer gives your team full visibility across every Azure resource, subscription, and cost centre, with anomaly detection, chargeback reporting, and savings recommendations built in.
- Visualise AVD infrastructure spend (VMs, storage, networking) alongside your M365 licence costs
- Set automated budget alerts before waste compounds, not after the invoice arrives
- Allocate AVD costs to business units with tag-based chargeback reporting
- Identify idle session host VMs running outside peak hours that should be shut down by autoscale
Turbo360 Cost Analyzer integrates directly with Azure Cost Management data and surfaces the actionable insights your FinOps team needs without writing KQL queries from scratch.
Key takeaways
- AVD entitlement is included in M365 E3, E5, F3, Business Premium, and Windows Enterprise per-user licences; no separate AVD licence exists for internal users.
- Windows 10/11 Enterprise multi-session hosts do not require RDS CALs; RDS CALs only apply to Windows Server hosts.
- F3 at ~$8/user/month is a legitimate AVD licence for frontline workers, the most overlooked cost reduction lever in mixed-workforce deployments.
- FSLogix is already included in E3/E5/F3 at no extra cost; if you’re paying separately, you’re double-paying.
- Group-based licensing with dynamic Entra ID groups is the only scalable approach to licence assignment. Manual per-user assignment creates the conditions for waste.
- Lifecycle Workflows are the permanent fix for the leaver problem: one-time configuration, zero ongoing manual effort.
- The biggest gains come from E5-to-E3 right-sizing and F3 segmentation, not from chasing small-percentage infra discounts.
Ready to cut your Azure costs?
Turbo360 Cost Analyzer gives your team the visibility, alerts, and recommendations to manage Azure spend at scale, without the spreadsheets.
