Conditional Access licensing requirement

Matthew Swenson 21 Reputation points
2021-02-19T20:22:16.463+00:00

This Microsoft article (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa) describes how to configure Conditional Access to require MFA for all users. This Microsoft article (https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa) lists the following conditional access prerequisite: "A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled."

What happens to users with an Azure AD Free or Azure AD Office 365 Apps license (https://azure.microsoft.com/en-us/pricing/details/active-directory/)? Are they affected by that Conditional Access policy? Do you need at least one Azure AD Premium P1 license in your tenant, which can be the case if you're doing information gathering of cloud apps in use for Cloud App Security, or does every user affected by a Conditional Access policy need Azure AD Premium P1 or P2?


7 answers

  1. Steve Maytum 1 Reputation point
    2022-08-09T10:24:17.787+00:00

    I see clearly in a test tenant that CA policies are being applied to users who do not have an AAD P1 license.

    So from a technical perspective users do not need AAD P1 to be processed by a CA policy.

    From a license compliance perspective, I am uncertain here. I read MS docs and nothing is clear. Prereqs are: "A working Azure AD tenant with Azure AD Premium".

    It could be the case that some features in CA will not process without the user having a proper license. The test I did was a simple call for MFA.

    Rgrds.


  2. Laurent F 1 Reputation point
    2022-06-30T06:37:06.747+00:00

    Hi,

    I understand the licensing prerequisites, but on a technical side, what happens if I configure a conditional access policy on a tenant without any Azure AD Premium license?

    Will the policy be applied? Or not?
    On the CAP portal, there is no warning regarding total miss of AADP? licenses.

    Thank you


  3. Marilee Turscak-MSFT 34,046 Reputation points Microsoft Employee
    2022-03-11T01:28:51.38+00:00

    Hi @Matthew Swenson ,

    Question summary
    Is a Premium P1 license required for all users who have Conditional Access policies applied to them?

    Answer
    Yes, the requirement is that the license is applied to all users who make use of the feature. Azure AD has always been licensed per user and this applies to all Azure AD features. A proper license is required if a user benefits directly or indirectly from any feature covered by that license.

    Please see the overall Azure AD Pricing/Licensing doc found here:

    https://azure.microsoft.com/en-us/pricing/details/active-directory/

    The documentation also says, "Using this feature requires an Azure AD Premium P1 license", which means that it's required for any user who makes use of the feature. I do agree though that this could possibly be interpreted as needing one license. For that reason, I reached out to one of the content authors to see if the language could be updated.

    Feel free to reach out to your licensing vendor of choice for further clarification or have a conversation with the [Billing team][1], though.

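Two of the answers above hinge on who is actually in scope: Steve Maytum observed that policies are applied to users without a P1 license, and Marilee Turscak's answer states that every user who benefits from the feature needs one. The PowerShell below is an added example (not from this thread or from Microsoft) that lists users in scope of an enabled Conditional Access policy whose assigned SKUs carry no P1/P2 service plan; it assumes the Microsoft.Graph PowerShell SDK and that the service plan names are AAD_PREMIUM and AAD_PREMIUM_P2.

```powershell
# Added example, not from the thread: list users who are in scope of an enabled
# Conditional Access policy but hold no SKU containing the Entra ID P1 or P2
# service plan. Assumes the Microsoft.Graph PowerShell SDK; the plan names
# AAD_PREMIUM / AAD_PREMIUM_P2 are assumed, so confirm them with Get-MgSubscribedSku.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All'

# SKUs whose service plans include P1 or P2 (P2 bundles P1; bundled suites count too).
$premiumSkuIds = Get-MgSubscribedSku |
    Where-Object { $_.ServicePlans.ServicePlanName -match '^AAD_PREMIUM(_P2)?$' } |
    Select-Object -ExpandProperty SkuId

$users = Get-MgUser -All -Property Id, UserPrincipalName, AssignedLicenses
$userById = @{}
$licensed = @{}
foreach ($u in $users) {
    $userById[$u.Id] = $u
    if ($u.AssignedLicenses.SkuId | Where-Object { $premiumSkuIds -contains $_ }) { $licensed[$u.Id] = $true }
}

# Expand a policy's user scope: named users plus transitive group members, minus
# exclusions. Role-based inclusions and the guest/external selector are skipped.
function Resolve-PolicyUsers($policy) {
    $cond = $policy.Conditions.Users
    $ids = [System.Collections.Generic.HashSet[string]]::new()
    if ($cond.IncludeUsers -contains 'All') {
        foreach ($id in $users.Id) { [void]$ids.Add($id) }
    } else {
        foreach ($id in $cond.IncludeUsers) {
            if ($id -notin 'None', 'GuestsOrExternalUsers') { [void]$ids.Add($id) }
        }
        foreach ($g in $cond.IncludeGroups) {
            foreach ($m in Get-MgGroupTransitiveMember -GroupId $g -All) { [void]$ids.Add($m.Id) }
        }
    }
    foreach ($id in $cond.ExcludeUsers) { [void]$ids.Remove($id) }
    foreach ($g in $cond.ExcludeGroups) {
        foreach ($m in Get-MgGroupTransitiveMember -GroupId $g -All) { [void]$ids.Remove($m.Id) }
    }
    return $ids
}

$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled'
$report = foreach ($p in $policies) {
    foreach ($id in Resolve-PolicyUsers $p) {
        if ($userById.ContainsKey($id) -and -not $licensed.ContainsKey($id)) {
            [pscustomobject]@{ Policy = $p.DisplayName; User = $userById[$id].UserPrincipalName }
        }
    }
}
$report | Sort-Object User, Policy | Format-Table -AutoSize
```

An empty table means every user a policy can evaluate already holds a P1- or P2-bearing SKU; rows name the user and policy pairs to reconcile, which is the "honor system" gap the thread is worried about.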

  4. Boyan Biandov 1 Reputation point
    2022-02-22T14:44:59.897+00:00

    Alright, so to "make it work" we only need 1 Azure AD Premium P1 - that's clear and easy to test. Black & white, you can't enable CA without at least 1 Azure AD Premium P1 on the tenant.

    However I'm still fuzzy on whether each user consuming CA (such as CA controlled MFA) also needs a license.

    Yes it does work without all users having it, but that isn't a good test, just as it isn't a good test with Intune device licensing - Microsoft seems to have these "honor system" situations where things work but one isn't sure about what licensing will make one's environment kosher?

    Any more concrete ideas on having to purchase Azure AD Premium P1 for ALL users accessing conditional access feature such as MFA?


  5. JD 1 Reputation point
    2022-01-07T12:18:44.067+00:00

    Agreed, this is all very unclear.

    "A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled."
    P1 and P2 are tenant level features so having just one of those appears to enable all those features for everybody in the tenant.

    To me 'at least an Azure AD Premium P1' means having just one, but a different interpretation would be one per user.
    Then is it supposed to be the person configuring the feature, or the person consuming the feature?
    I think I know what the answer is but have not found anything officially written down about this.

    If you look at PIM, which needs a P2, they spell it out in more detail and give examples:

    "It's uncommon for a user account with an Azure AD administrator role assigned to it to be a licensed user.
    Best practice is to have a separate user accounts for end user tasks and administrator tasks."

    Personally I would say there is a subtle difference between a 'licensed user' and a 'licensed account'.
    For example, 1x user could have several accounts for different purposes: general use, administration, testing, etc.
    Currently there is no technical way to do that, and in my testing, unlicensed accounts do appear to get some features but not others.

    "Let's say a small tenant has 10% Azure AD Free users (users with admin role typically), 40% Azure AD Office 365 Apps users, and 50% Azure AD Premium P1 licenses. Would I need to create a group with just the Azure AD Premium P1 licensed users and scope the Conditional Access policy to include that group and exclude all others? If I wanted MFA enabled for the Azure AD Office 365 Apps users I would have to go into the Multi-Factor Authentication screen and manually enable it on those users."

    I guess the intention in that scenario would be to use Security Defaults:

    • Requiring all users to register for Azure AD Multi-Factor Authentication.
    • Requiring administrators to do multi-factor authentication.
    • Blocking legacy authentication protocols.
    • Requiring users to do multi-factor authentication when necessary.
    • Protecting privileged activities like access to the Azure portal.

    Hope this helps in some way!