Conditional Access licensing requirement

Matthew Swenson 21 Reputation points
2021-02-19T20:22:16.463+00:00

This Microsoft article (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa) describes how to configure Conditional Access to require MFA for all users. This Microsoft article (https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa) lists the following conditional access prerequisite: "A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled."

What happens to users with an Azure AD Free or Azure AD Office 365 Apps license (https://azure.microsoft.com/en-us/pricing/details/active-directory/)? Are they affected by that Conditional Access policy? Do you need at least one Azure AD Premium P1 license in your tenant, which can be the case if you're doing information gathering of cloud apps in use for Cloud App Security, or does every user affected by a Conditional Access policy need Azure AD Premium P1 or P2?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

7 answers

  1. Laurent F 1 Reputation point
    2022-06-30T06:37:06.747+00:00

    Hi,

    I understand the licensing prerequisites, but on the technical side, what happens if I configure a conditional access policy on a tenant without any Azure AD Premium license?

    Will the policy be applied? Or not?
    On the CAP portal, there is no warning regarding a total lack of AADP? licenses.

    Thank you


  2. Steve Maytum 1 Reputation point
    2022-08-09T10:24:17.787+00:00

    I see clearly in a test tenant that CA policies are being applied to users who do not have an AAD P1 license.

    So from a technical perspective users do not need AAD P1 to be processed by a CA policy.

    From a license compliance perspective, I am uncertain here. I read MS docs and nothing is clear. Prereqs are: "A working Azure AD tenant with Azure AD Premium".

    It could be the case that some features in CA will not process without the user having a proper license. The test I did was a simple call for MFA.

    Rgrds.