Agreed, this is all very unclear.
"A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled."
P1 and P2 are tenant-level features, so having just one of those appears to enable all those features for everybody in the tenant.
To me 'at least an Azure AD Premium P1' means having just one, but a different interpretation would be one per user.
Then is it supposed to be the person configuring the feature, or the person consuming the feature?
I think I know what the answer is but have not found anything officially written down about this.
If you look at PIM, which needs a P2, they spell it out in more detail and give examples:
"It's uncommon for a user account with an Azure AD administrator role assigned to it to be a licensed user.
Best practice is to have separate user accounts for end user tasks and administrator tasks."
Personally I would say there is a subtle difference between a 'licensed user' and a 'licensed account'.
For example, 1x user could have several accounts for different purposes: general use, administration, testing, etc.
Currently there is no technical way to do that, and in my testing, unlicensed accounts do appear to get some features but not others.
"Let's say a small tenant has 10% Azure AD Free users (users with admin role typically), 40% Azure AD Office 365 Apps users, and 50% Azure AD Premium P1 licenses. Would I need to create a group with just the Azure AD Premium P1 licensed users and scope the Conditional Access policy to include that group and exclude all others? If I wanted MFA enabled for the Azure AD Office 365 Apps users I would have to go into the Multi-Factor Authentication screen and manually enable it on those users."
I guess the intention in that scenario would be to use Security Defaults:
- Requiring all users to register for Azure AD Multi-Factor Authentication.
- Requiring administrators to do multi-factor authentication.
- Blocking legacy authentication protocols.
- Requiring users to do multi-factor authentication when necessary.
- Protecting privileged activities like access to the Azure portal.
Hope this helps in some way!