Conditional Access licensing requirement

Matthew Swenson 21 Reputation points
2021-02-19T20:22:16.463+00:00

This Microsoft article (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa) describes how to configure Conditional Access to require MFA for all users. This Microsoft article (https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa) lists the following conditional access prerequisite: "A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled."

What happens to users with an Azure AD Free or Azure AD Office 365 Apps license (https://azure.microsoft.com/en-us/pricing/details/active-directory/)? Are they affected by that Conditional Access policy? Do you need at least one Azure AD Premium P1 license in your tenant, which can be the case if you're doing information gathering of cloud apps in use for Cloud App Security, or does every user affected by a Conditional Access policy need Azure AD Premium P1 or P2?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,443 questions
0 comments

7 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Matthew Swenson 21 Reputation points
    2021-02-19T21:03:10.723+00:00

    Microsoft seems to give mixed signals. On the one hand Microsoft has guides on how to use Conditional Access to require MFA for administrators, Azure management, and all users as well as block legacy authentication (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common). On the other hand a document says you need Azure AD Premium P1. It's uncommon for a user account with an Azure AD administrator role assigned to it to be a licensed user. Best practice is to have a separate user accounts for end user tasks and administrator tasks.

    Let's say a small tenant has 10% Azure AD Free users (users with admin role typically), 40% Azure AD Office 365 Apps users, and 50% Azure AD Premium P1 licenses. Would I need to create a group with just the Azure AD Premium P1 licensed users and scope the Conditional Access policy to include that group and exclude all others? If I wanted MFA enabled for the Azure AD Office 365 Apps users I would have to go into the Multi-Factor Authentication screen and manually enable it on those users.

    3 people found this answer helpful.
    0 comments
  2. Pa_D 1,071 Reputation points
    2021-02-19T20:33:29.477+00:00

    We had to go through this confusion too.
    Even though it may be possible to run the show with just 1 premium license. It is strictly against Microsoft compliance policy. Microsoft does audit on the usage, there by we will end up paying for additional premium features we used.

    Ideally, every user should be assigned premium license if you are going to use that feature.

    1 person found this answer helpful.
    0 comments
  3. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2022-03-11T01:28:51.38+00:00

    Hi @Matthew Swenson ,

    Question summary
    Is a Premium P1 license required for all users who have Conditional Access policies applied to them?

    Answer
    Yes, the requirement is that the license is applied to all users who make use of the feature. Azure AD has always been licensed per user and this applies to all Azure AD features. A proper license is required if a user benefits directly or indirectly from any feature covered by that license.

    Please see the overall Azure AD Pricing/Licensing doc found here:

    https://azure.microsoft.com/en-us/pricing/details/active-directory/

    The documentation also says, "Using this feature requires an Azure AD Premium P1 license", which means that it's required for any user who makes use of the feature. I do agree though that this could possibly be interpreted as needing one license. For that reason, I reached out to one of the content authors to see if the language could be updated.

    Feel free to reach out to your licensing vendor of choice for further clarification or have
    a conversation with the [Billing team][1], though.

    1 person found this answer helpful.
    0 comments
  4. JD 1 Reputation point
    2022-01-07T12:18:44.067+00:00

    Agreed, this is all very unclear.

    "A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled."
    P1 and P2 are tenant level features so having just one of those appears to enable all those features for everybody in the tenant.

    To me 'at least an Azure AD Premium P1' means having just one, but a different interpretation would be one per user.
    Then is it supposed to be the person configuring the feature, or the person consuming the feature?
    I think I know what the answer is but have not found anything officially written down about this.

    If you look at PIM which needs a P2, they spell it out in more detail, and give examples

    "It's uncommon for a user account with an Azure AD administrator role assigned to it to be a licensed user.
    Best practice is to have a separate user accounts for end user tasks and administrator tasks."

    Personally I would say there is a subtle difference between a 'licensed user' and a 'licensed account'.
    For example, 1x user could have several accounts for different purposes: general use, administration, testing, etc.
    Currently there is no technical way to do that, and in my testing, unlicensed accounts do appear to get some features but not others.

    "Let's say a small tenant has 10% Azure AD Free users (users with admin role typically), 40% Azure AD Office 365 Apps users, and 50% Azure AD Premium P1 licenses. Would I need to create a group with just the Azure AD Premium P1 licensed users and scope the Conditional Access policy to include that group and exclude all others? If I wanted MFA enabled for the Azure AD Office 365 Apps users I would have to go into the Multi-Factor Authentication screen and manually enable it on those users."

    I guess the intention in that scenario would be to use Security Defaults

    • Requiring all users to register for Azure AD Multi-Factor Authentication.
    • Requiring administrators to do multi-factor authentication.
    • Blocking legacy authentication protocols.
    • Requiring users to do multi-factor authentication when necessary.
    • Protecting privileged activities like access to the Azure portal.

    Hope this helps in some way!

  5. Boyan Biandov 1 Reputation point
    2022-02-22T14:44:59.897+00:00

    Already, so to "make it work" we only need 1 Azure AD Premium P1 - that's clear and easy to test. Black & white, you can't enable CA without at lease 1 Azure AD Premium P1 on the tenant.

    However I'm still fuzzy on whether each user consuming CA (such as CA controlled MFA) also needs a license.

    Yes it does work without all users having it but that isn't a good test just as it isn't a good test with InTune device licensing - Microsoft seems to have these "honor system" situations where things work but one isn't sure about what licensing will make one's environment kosher?

    Any more concrete ideas on having to purchase Azure AD Premium P1 for ALL users accessing conditional access feature such as MFA?

    0 comments