Shared Computer support Office365 and Citrix with AD PTA

One of the issues that has been with delivering Office 365 on a non-persistent Citrix environment is how to manage licensing and activation. Previously we needed to have a ADFS infrastructure in place with Group Policy to allow “Automatic Activation with federated credentials” to allow for seamless activation without the end-user to need to do enter any type of information. This was needed because when a user logs onto a XenApp host and starts Office they will need to login with their Azure AD credential. This process would generate a license token that was bound to that machine the user was logged into. If the user then switched to another virtual machine the next day they would need to repeat the process there.

During Ignite, Microsoft announced that Azure AD Connect PTA (pass-trough authentication) was now generally available. This provides seamless sso authentication against Office365 without then need to setup an ADFS infrastructure. This makes a lot of sense for small businesses who doesn’t want to have the complexity with ADFS just to get automatic activation and or authentication for Office365.

However AD Connect PTA had one issue for Office365 was that
1: It does not work together with “Automatic Activation with federated credentials” policy
2: The user is required to type in their UPN to get authenticated.
This makes the authentication process a bit simpler but the license token was still machine bound and therefore a user would need to repeat the process the next day.

However! With Version 1704 of Office365 you now have the ability to setup licensing token roaming. This allows us too configure the licensing token to roam with the user’s profile or be located on a shared folder on the network.

To configure licensing token roaming, you can use either the Office 2016 Deployment Tool or Group Policy, or you can use Registry Editor to edit the registry. Whichever method you choose, you need to provide a folder location that is unique to the user. The folder location can either be part of the user’s roaming profile or a shared folder on the network. Office needs to be able to write to that folder location. If you’re using a shared folder on the network, be aware that network latency problems can adversely impact the time it takes to open Office.

If you’re using Group Policy, download the most current Office 2016 Administrative Template files (ADMX/ADML) which can be found here –>
and enable the “Specify the location to save the licensing token used by shared computer activation” policy setting. This policy setting is found under Computer Configuration\Policies\Administrative Templates\Microsoft Office 2016 (Machine)\Licensing Settings.


Now this together with Azure AD PTA the user is now required to type their username once, a token is generated and is cached on a network drive, allowing for a better end user experience.

Leave a Reply

Scroll to Top