question

SirA-7372 avatar image
0 Votes"
SirA-7372 asked ·

How is Azure AD licensing enforced?

Our environment has Azure AD P2 license.

I created a test user, but did not explicitly assign that user an Azure AD P2 license. I created a Conditional Access policy for that user only, and set MFA as required.

I was able to use the MFA feature for that user just fine. Security Defaults are off, only the above mentioned Conditional Access policy has been configured.

In the documentation about SSPR it says that SSPR is licensed per-user. I turned on SSPR for all users, and was able to use SSPR for the test user mentioned above, again without explicitly assigning an Azure AD P2 license to that user.

Does this mean that Azure AD licenses are not enforced, but rather you need to assign licenses to users (for particular features) to stay compliant?

Or does it mean that once Azure AD P2 license is enabled on Azure AD, all features of P2 automatically becomes available for all users, and there is no need to explicitly assign licenses to users?

azure-active-directoryazure-ad-multi-factor-authentication
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

michev avatar image
0 Votes"
michev answered ·

Microsoft does NOT enforce licensing requirements in code for many of its cloud services, which is not the same as not needing licenses of course. While certain functionalities might/will work, you are still in violation of the licensing agreement and can get into trouble, pending an audit.

· 1 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you, that was precisely the answer I was looking for. You need to assign licenses to users to stay compliant, but the licenses are not enforced. Obviously when you use a product, you need to stay compliant with respect to licensing, that goes without saying. But I also needed to understand why something that's not supposed to work from a technical point of view, was still working.

0 Votes 0 ·
MarileeTurscak-MSFT avatar image
0 Votes"
MarileeTurscak-MSFT answered ·

Hi SirA,

Yes, as you state it is billed and licensed per user. I would suggest speaking to your licensing vendor of choice and reading the license agreement if you need additional clarification. Your agreement also contains the answers to those questions. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing#available-versions-of-azure-multi-factor-authentication

Your licensing rep would be the best person to talk to, but if you would prefer to discuss over email you can also reach me at AzCommunity@microsoft.com.

· 1 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Marilee,

I do understand that its billed and licensed per user. But what I want to know is how licensing is enforced.

Because as I stated in my post, I'm able to use SSPR and MFA for a test user, without assigning any Azure AD P1/P2 license to that user.

So the question is, why am I able to use these features for that test user, without explicitly assigning P1/P2 license to that user? Shouldn't the user be blocked from using those features, since no license has been assigned to that user?

I'm not looking at this from a licensing perspective, but rather a technical one. :)

0 Votes 0 ·
thgibard avatar image
0 Votes"
thgibard answered ·

Is your tenant is newly activated ? You can have trial licences on every tenant for a few days.
Why no go in Azure Active Directory to check that are the licences activated to the concerned test user you're working on ? If needed, you can add a screenshot directly on your post question.
If you go on portal.azure.com then Azure Active Directory, then Licences - you will be able to see the licences that are available in your Tenant.

·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.