RhysAmbler asked

Consolidating to single directory from free using security defaults and paid using conditional access

A mission-critical app registers only a single Tenant ID, and all users (paid and volunteer) must be under that tenant (I work in a non-profit organisation).
A new board directive requires us to maintain the existing Conditional Access for staff and to enforce MFA for volunteers. We cannot afford to license volunteers with Azure AD Premium to enable MFA under Conditional Access.
Security Defaults can enable MFA on free-tier accounts but cannot be enabled while Conditional Access is in place for any users.

Simplest is to accept the security provided by security defaults and apply to all users. However, that has been rejected.

I only have limited access so I cannot test.

My thought is to use a new directory with Security Defaults and invite users from the original directory who are secured by Conditional Access:
1. Start by creating a new directory
2. Enable Security Defaults on the new directory
3. Add all Volunteers to the new directory
4. Invite all Staff from the original directory
5. Delete all non-staff from the original directory
Then we have two directories: the original is a subset with Staff secured by the existing Conditional Access, and the new one is a superset with Volunteers secured by MFA under Security Defaults and Staff as guests (secured by Conditional Access in the original directory).
If we register the Tenant ID of the new directory with the app, then we meet all criteria, albeit with an ugly split in the management for the admin, but at least under a single tenancy.

Can anyone suggest a better method either via B2C or another method? is there a flaw with my plan?

Tags: azure-ad-b2c, azure-ad-identity-governance
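The five-step plan in the question, scripted as an added example (this is not code from the original post or from Microsoft). It drives Microsoft Graph v1.0 through the Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`). Step 1, creating the new directory, has no Graph endpoint and is done in the portal; the script covers steps 2 to 5. Tenant IDs, the `volunteers.onmicrosoft.com` and `example.org` domains, the app URL and the volunteer and staff lists are assumed placeholders, not values from the question.

```powershell
<#
  Added example, not code from the original post: steps 2-5 of the plan above against Graph v1.0
  via the Microsoft Graph PowerShell SDK (v2, which provides -NoWelcome). All tenant IDs, domains,
  URLs and user lists below are assumptions / constructed sample data.
  Run with -WhatIf first: user creation, invitations and deletions are then only reported.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $NewTenantId,              # directory that gets Security Defaults
    [Parameter(Mandatory)] [string] $OriginalTenantId,         # directory that keeps Conditional Access
    [string] $NewTenantDomain = 'volunteers.onmicrosoft.com',  # assumed UPN suffix for volunteer accounts
    [string] $StaffDomain     = 'example.org',                 # assumed UPN suffix of staff in the original tenant
    [string] $AppRedirectUrl  = 'https://app.example.org'      # assumed sign-in URL of the mission-critical app
)
$graph = 'https://graph.microsoft.com/v1.0'

# Follow @odata.nextLink so tenants with more than one page of results are fully enumerated.
function Get-GraphCollection([string] $Uri) {
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# ---- Step 2: enable Security Defaults in the new directory ----
Connect-MgGraph -TenantId $NewTenantId -NoWelcome `
    -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.ReadWrite.All', 'User.Invite.All'

# Security Defaults are refused while any Conditional Access policy exists, so check before enabling.
$ca = @(Get-GraphCollection "$graph/identity/conditionalAccess/policies")
if ($ca.Count -gt 0) {
    throw "New tenant already has $($ca.Count) Conditional Access policies; remove them before enabling Security Defaults."
}
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/identitySecurityDefaultsEnforcementPolicy" `
    -Body @{ isEnabled = $true }
$sd = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/identitySecurityDefaultsEnforcementPolicy"
if (-not $sd.isEnabled) { throw 'Security Defaults did not enable; check the role of the signed-in admin.' }

# ---- Step 3: volunteers become member users of the new directory (constructed sample data) ----
$volunteers = @(
    @{ displayName = 'Volunteer One'; mailNickname = 'volunteer.one' },
    @{ displayName = 'Volunteer Two'; mailNickname = 'volunteer.two' }
)
foreach ($v in $volunteers) {
    $upn = "$($v.mailNickname)@$NewTenantDomain"
    if ($PSCmdlet.ShouldProcess($upn, 'Create member user')) {
        Invoke-MgGraphRequest -Method POST -Uri "$graph/users" -Body @{
            accountEnabled    = $true
            displayName       = $v.displayName
            mailNickname      = $v.mailNickname
            userPrincipalName = $upn
            # Throw-away initial password; Security Defaults require MFA registration at first sign-in.
            passwordProfile   = @{ forceChangePasswordNextSignIn = $true; password = [guid]::NewGuid().ToString() }
        } | Out-Null
    }
}

# ---- Step 4: staff keep their accounts in the original directory and join the new one as B2B guests ----
$staff = @('alice@example.org', 'bob@example.org')   # constructed sample; in practice export from the original tenant
foreach ($email in $staff) {
    if ($PSCmdlet.ShouldProcess($email, 'Send B2B invitation')) {
        $inv = Invoke-MgGraphRequest -Method POST -Uri "$graph/invitations" -Body @{
            invitedUserEmailAddress = $email
            inviteRedirectUrl       = $AppRedirectUrl
            sendInvitationMessage   = $true
        }
        Write-Host "Invited $email as guest object $($inv.invitedUser.id)"
    }
}

# ---- Step 5: remove non-staff member accounts from the original directory ----
Connect-MgGraph -TenantId $OriginalTenantId -Scopes 'User.ReadWrite.All' -NoWelcome
$users    = Get-GraphCollection "$graph/users?`$select=id,userPrincipalName,userType&`$top=999"
$nonStaff = $users | Where-Object {
    $_.userType -eq 'Member' -and $_.userPrincipalName -notlike "*@$StaffDomain"
}
foreach ($u in $nonStaff) {
    # ShouldProcess makes this a dry run under -WhatIf and an interactive prompt under -Confirm.
    if ($PSCmdlet.ShouldProcess($u.userPrincipalName, 'Delete user from original tenant')) {
        Invoke-MgGraphRequest -Method DELETE -Uri "$graph/users/$($u.id)"
    }
}
```

Run it as `.\Split-Tenant.ps1 -NewTenantId <guid> -OriginalTenantId <guid> -WhatIf` to see what it would create, invite and delete before doing it for real. Two caveats for the plan itself: Security Defaults apply to every account in the new tenant, guests included, so the invited staff get a second MFA prompt there unless the new tenant's cross-tenant access settings (External Identities > Cross-tenant access settings > Inbound) are set to trust MFA claims from the original tenant; and the deletion step is irreversible beyond the 30-day soft-delete window, so keep the exported staff list and check `$nonStaff` under `-WhatIf` first.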

amanpreetsingh-msft answered

Hi @RhysAmbler-4820 • Thank you for reaching out.

As you have mentioned, Security Defaults cannot be enabled when Conditional Access is already in place. You can certainly go with the plan that you have. However, I just want to add a few points about AAD Premium licensing for Guest/External users.

  • Earlier there was only one licensing model for External users, the 1:5 ratio billing model, which required 1 AAD Premium license for every 5 guest users.

  • Now there is another model available, the MAU-based billing model. When you link a subscription by navigating to Azure Active Directory > External Identities > Linked subscriptions, you are automatically switched from the 1:5 billing model to the MAU-based model. In this case, your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. If there are more than 50,000 MAUs, you will be charged $0.00325 per Monthly Active User (for P1) and $0.01625 per Monthly Active User (for P2).


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @RhysAmbler-4820 • Just checking if you have any further question.

RhysAmbler answered

Hi amanpreetsingh,
Apologies - I only work part time and this has slipped.
The MAU license model will be more than adequate for us. Thanks for showing me.

