How to Manage and Assign Licenses to Minimize Waste in AVD
Quick Answer: Azure Virtual Desktop is included at no additional cost in Microsoft 365 E3, E5, Business Premium, F3, and several other plans. To minimize license waste: (1) Audit which assigned users are actively logging into AVD using Entra ID sign-in logs and AVD Insights session data. (2) Remove licenses from users with zero AVD sessions in the past 30 days. (3) Switch to group-based licensing in Microsoft Entra ID to automate assignment and removal based on group membership. (4) Run a monthly license reconciliation report using the Microsoft 365 Admin Center's Usage Reports. Unmanaged AVD licensing commonly wastes 15–30% of allocated licenses on inactive or departed users.
Which Licenses Include Azure Virtual Desktop?
Azure Virtual Desktop is not a standalone paid service for most organizations — the right to use AVD is bundled into Microsoft 365 and Windows licenses that many enterprises already own. Understanding your entitlements is the first step to eliminating unnecessary spend on redundant licensing.
License | Price |
|---|---|
Microsoft 365 E3 | $36/user/mo |
Microsoft 365 E5 | $57/user/mo |
Microsoft 365 F3 | $10/user/mo |
 | $22/user/mo ✓ |
Windows 10/11 Enterprise E3/E5 | $7–14/user/mo |
Microsoft 365 E1 / Business Basic | $10–12/user/mo |
Key Insight: Many organizations purchasing M365 E1 or Business Basic separately add a standalone AVD or Windows license — paying $7–14/user/month extra — when upgrading to M365 E3 ($36/user) would be cheaper and provide additional security and productivity value. Always model the full license stack before choosing an AVD-specific add-on.
The License Waste Problem in AVD
License waste in AVD environments falls into three categories, all of which are measurable and addressable:
Waste Type | Description | Typical Prevalence | Fix |
|---|---|---|---|
Ghost Users | Departed employees still holding active M365 licenses with AVD entitlement | 5–12% of assigned licenses | Automate offboarding to revoke licenses via HR system integration |
Inactive Users | Users assigned AVD-eligible licenses who have never connected to AVD | 10–20% of AVD environments | Monthly usage report review and license downgrade or removal |
Over-licensed Users | Users with E5 licenses who only use E3-level features | 15–30% of E5 holders | Entra ID Access Reviews to validate E5 justification quarterly |
Step 1 — Audit Current AVD License Usage
Start by running a usage audit that shows, for each licensed user, whether they have actually connected to AVD in the past 30 days. You need two data sources: Microsoft 365 Admin Center Usage Reports for license assignment data, and AVD Insights (Azure Monitor) for actual session data.
Pull AVD Session Data via Azure Monitor Logs
// Kusto query — AVD Insights workspace
// Returns unique users who connected to AVD in last 30 days
WVDConnections
| where TimeGenerated > ago(30d)
| where State == "Connected"
| summarize LastConnection = max(TimeGenerated) by UserName
| project UserName, LastConnection
| order by LastConnection desc
Export this query result and cross-reference it against your full list of M365 licensed users. Any user with an M365 E3/E5 license who does not appear in the AVD connection log is a candidate for license review — either they don't need AVD access, or they need to be onboarded.
Pull License Assignment Data via Microsoft Graph API
# PowerShell — Get all users with M365 E3 assigned
# Requires the Microsoft Graph PowerShell SDK; reading SignInActivity needs the AuditLog.Read.All scope
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"
$e3SkuId = "05e9a617-0261-4cee-bb44-138d3ef5d965" # M365 E3 GUID
Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $e3SkuId)" `
    -Property "DisplayName,UserPrincipalName,SignInActivity" `
    -All | Select-Object DisplayName, UserPrincipalName, `
    @{N='LastSignIn';E={$_.SignInActivity.LastSignInDateTime}}
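The cross-reference described in Step 1, as an added example (not code from the original page): it joins the exported Kusto result against the licensed-user list and labels each licensed user with the ghost/inactive categories from the waste table. The sample rows, the contoso.example names, the AccountEnabled column and the Get-AvdLicenseCandidate function name are assumptions constructed for illustration.

```powershell
# Constructed sample data standing in for the two exports (not real users).
$avdConnections = @'
UserName,LastConnection
alice@contoso.example,2024-05-28T08:14:00Z
BOB@contoso.example,2024-05-02T16:40:00Z
'@ | ConvertFrom-Csv

# AccountEnabled is an assumed extra column; add it to -Property/Select-Object when exporting.
$licensedUsers = @'
DisplayName,UserPrincipalName,AccountEnabled,LastSignIn
Alice A,alice@contoso.example,True,2024-05-29T07:00:00Z
Bob B,bob@contoso.example,True,2024-05-02T16:45:00Z
Carol C,carol@contoso.example,True,2024-05-20T09:30:00Z
Dan D,dan@contoso.example,False,2024-01-11T10:00:00Z
Erin E,erin@contoso.example,True,
'@ | ConvertFrom-Csv

function Get-AvdLicenseCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $LicensedUsers,
        [Parameter(Mandatory)] [object[]] $AvdConnections
    )
    # Hashtable literals compare string keys case-insensitively, so
    # BOB@... in the AVD log matches bob@... in the directory export.
    $lastAvd = @{}
    foreach ($c in $AvdConnections) { $lastAvd[$c.UserName.Trim()] = $c.LastConnection }

    foreach ($u in $LicensedUsers) {
        $upn = $u.UserPrincipalName.Trim()
        # Disabled-but-licensed is checked first: it is the highest-priority cleanup.
        $finding = if ($u.AccountEnabled -eq 'False') { 'GhostUser' }
                   elseif (-not $lastAvd.ContainsKey($upn)) { 'NoAvdSession30d' }
                   else { 'Active' }
        [pscustomobject]@{
            UserPrincipalName = $upn
            Finding           = $finding
            LastAvdConnection = $lastAvd[$upn]   # $null when never seen in the window
            LastSignIn        = $u.LastSignIn    # empty when the account never signed in
        }
    }
}

# Review list: everyone who holds a license but is not an active AVD user.
Get-AvdLicenseCandidate -LicensedUsers $licensedUsers -AvdConnections $avdConnections |
    Where-Object Finding -ne 'Active' |
    Format-Table -AutoSize
```

With real data, replace the two here-strings with `Import-Csv` on the exported query result and the exported license list.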
Step 2 — Implement Group-Based Licensing
Group-based licensing in Microsoft Entra ID is the most effective mechanism for eliminating license sprawl in AVD environments. Instead of assigning licenses directly to individual users, you assign licenses to security groups — and Entra ID automatically grants or revokes licenses as users join or leave those groups.
This approach integrates directly with HR-driven user lifecycle management: when a user is deprovisioned from their department group, their AVD license is automatically removed — no manual cleanup required.
Setting Up Group-Based Licensing for AVD
- Create security groups reflecting AVD user cohorts: grp-avd-finance, grp-avd-hr, grp-avd-contractors
- In Entra ID → Groups → [group name] → Licenses, assign the appropriate M365 license (E3, F3, Business Premium)
- Enable or disable specific service plans within the license — for example, disable Exchange Online for contractor users who don't need email but do need AVD access
- Configure dynamic group membership rules based on department attributes so users are automatically added to the right AVD group when their profile is created
- Set up Entra ID Access Reviews quarterly to validate group membership — any member without a business justification is removed
Dynamic Group Rule Example (Finance AVD Users)
// Entra ID Dynamic Group Membership Rule
// Auto-adds Finance dept employees to AVD group
(user.department -eq "Finance") and
(user.accountEnabled -eq true) and
(user.employeeType -ne "Contractor")
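The group setup steps and the dynamic rule above, scripted with the Microsoft Graph PowerShell SDK as an added example (not code from the original page). It assumes a tenant where dynamic groups and group-based licensing are available, that grp-avd-contractors already exists, and that the Exchange Online plan inside the SKU has a name matching EXCHANGE_S_*; confirm the plan name against your own Get-MgSubscribedSku output before applying.

```powershell
# Added example: runs against a live tenant, so test in a non-production tenant first.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','Organization.Read.All'

$e3SkuId = '05e9a617-0261-4cee-bb44-138d3ef5d965'   # M365 E3 GUID used earlier on the page

# Dynamic membership rule from the page: enabled Finance employees, no contractors.
$rule = '(user.department -eq "Finance") and ' +
        '(user.accountEnabled -eq true) and ' +
        '(user.employeeType -ne "Contractor")'

# Security group whose membership Entra ID maintains from the rule.
$finance = New-MgGroup -DisplayName 'grp-avd-finance' `
    -MailNickname 'grp-avd-finance' -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Finance gets the full license: no service plans disabled.
Set-MgGroupLicense -GroupId $finance.Id `
    -AddLicenses @(@{ SkuId = $e3SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# Contractors get the same SKU with Exchange Online switched off.
# Look the plan ID up in the tenant instead of hard-coding it.
$sku = Get-MgSubscribedSku -All | Where-Object SkuId -eq $e3SkuId
$exchangePlanIds = @($sku.ServicePlans |
    Where-Object ServicePlanName -like 'EXCHANGE_S_*' |   # assumed name pattern
    ForEach-Object ServicePlanId)
if ($exchangePlanIds.Count -eq 0) {
    throw 'No Exchange Online service plan found in this SKU; check the plan names.'
}

$contractors = Get-MgGroup -Filter "displayName eq 'grp-avd-contractors'"
if (@($contractors).Count -ne 1) {
    throw 'Expected exactly one group named grp-avd-contractors.'
}
Set-MgGroupLicense -GroupId $contractors.Id `
    -AddLicenses @(@{ SkuId = $e3SkuId; DisabledPlans = $exchangePlanIds }) `
    -RemoveLicenses @()

# Confirm what each group now grants.
foreach ($id in $finance.Id, $contractors.Id) {
    Get-MgGroup -GroupId $id -Property 'DisplayName,MembershipRule,AssignedLicenses' |
        Select-Object DisplayName, MembershipRule,
            @{ N = 'DisabledPlans'; E = { $_.AssignedLicenses.DisabledPlans -join ',' } }
}
```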
Step 3 — Track License Utilization Monthly
A monthly license review prevents waste from accumulating. The Microsoft 365 Admin Center's Usage Reports (under Reports → Usage → Microsoft 365 Apps usage) show last-activity dates for every licensed user across all M365 services including Windows activation. Users with no activity for 30+ days across all services are strong candidates for license removal.
Inactivity Period | Action | Owner |
|---|---|---|
30 days no sign-in | Flag for review — confirm user is still active | IT Admin |
60 days no sign-in | Notify manager, begin license removal process | IT Admin + HR |
90 days no sign-in | Disable account, remove license, archive mailbox | Automated via Entra Lifecycle Workflows |
Account disabled | Remove all licenses immediately | Automated on disable trigger |
Step 4 — Right-License by User Persona
Not all AVD users need the same license tier. Mapping personas to the minimum required license eliminates systematic over-licensing:
User Persona | Minimum License | Monthly Cost | Notes |
|---|---|---|---|
Full knowledge worker (Finance, HR) | M365 E3 | $36/user | Full Office apps, AVD multi-session |
Frontline / shift worker | M365 F3 | $10/user | AVD included, web Office only |
External contractor (short-term) | M365 Business Basic + Windows E3 add-on | $17/user | Cheaper than E3 for temporary workers |
Admin / privileged user | M365 E5 | $57/user | Justified by Entra ID P2 for PIM |
Dev/test user (internal) | M365 E3 (dev tenant) | $0 (dev program) | Use Microsoft 365 Developer Program for test users |
Automating License Lifecycle with Entra Lifecycle Workflows
Microsoft Entra Lifecycle Workflows (available in Entra ID P2 / M365 E5) automate license assignment and removal as part of the employee joiner-mover-leaver process. This eliminates the manual reconciliation work that most IT teams do monthly.
- Joiner workflow — When a new employee is provisioned in HR, automatically add them to the appropriate AVD group (granting the M365 license) based on department attribute
- Mover workflow — When an employee changes department, move them between AVD groups — updating license type if the new role requires a different tier
- Leaver workflow — When an employee is terminated, immediately remove AVD group membership, revoking the license and deallocating any personal host VM within the same workflow