
MnnikesMarc-3655 asked ·

Azure AD prevent login user without license

Hello,

Users are synchronized with local AD for Exchange hybrid GAL. We have users without an Office 365 or other cloud license.

These users can log in to cloud websites like www.office.com (only myapps are visible).

But we want to prevent users without a license from logging in to cloud websites.

Only users with an active Office 365 license should be able to log in.

Can we configure this?

thank you

azure-active-directory

amanpreetsingh-msft answered ·

@MnnikesMarc-3655 Unfortunately, there is no direct way to do this. However, in order to prevent unlicensed users from logging in to cloud apps, you can use a Conditional Access policy. If you are using Group Based Licensing (GBL), you can add the group to a Conditional Access policy with a rule like: All Users, except members of the group that you are using for GBL, should be blocked for All Cloud Apps.

If you are not using GBL, you may consider using it, as assigning licenses at the individual user level can make large-scale management difficult. This will help you achieve the requirement that you have described.

Note: Conditional Access is a premium feature and would require an Azure AD Premium P1/P2 license.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


Hello,

Thank you for the reply.

So, we need for every user (with and without Office 365 license) an Azure AD P1 license?

This would increase cost dramatically.

Regards

0 Votes 0 · ·

Hi, thanks for the suggestion. If we want to block users from a certain group, should those users also need to have P1 license just because they are part of the conditional access policy?

0 Votes 0 · ·
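The Conditional Access rule described in amanpreetsingh-msft's answer above, written out with the Microsoft Graph PowerShell SDK as an added example (not code from the thread). The group name, break-glass account and policy name are assumptions; the policy is created in report-only mode and also excludes the Directory Synchronization Accounts role, an added precaution so that a block on "All Users" does not stop the Azure AD Connect sync account used in this hybrid setup.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK.
# Assumed names (not from the thread): adjust to your tenant.
$LicensedGroupName = 'O365-Licensed-Users'                  # group used for Group Based Licensing
$BreakGlassUpn     = 'breakglass@contoso.onmicrosoft.com'   # emergency access account (placeholder)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'Application.Read.All','Group.Read.All','User.Read.All',
                        'RoleManagement.Read.Directory'

# Resolve the licensing group; refuse to continue on zero or ambiguous matches.
$group = @(Get-MgGroup -Filter "displayName eq '$LicensedGroupName'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$LicensedGroupName'." }

# Resolve the account that must never be locked out by this policy.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn -ErrorAction Stop

# Look up the built-in role held by the Azure AD Connect sync account.
$syncRole = Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -eq 'Directory Synchronization Accounts'
if (-not $syncRole) { throw 'Directory Synchronization Accounts role template not found.' }

$policy = @{
    displayName = 'Block sign-in for users outside the licensing group'   # assumed name
    # Report-only: sign-ins are evaluated and logged, nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($group[0].Id)
            excludeUsers  = @($breakGlass.Id)
            excludeRoles  = @($syncRole.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`.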
michev answered ·

Why don't you simply block those users via the corresponding controls in the portal (or the BlockCredential parameter in PowerShell)? It's easy enough to list them...


MnnikesMarc-3655 answered ·

Hello michev,

Thank you for your answer. Which controls do you mean in the portal?

The "sign in blocked" setting was overwritten after the next Azure AD synchronisation, if I remember correctly.

Regards


Right, but you can customize the sync rules to block specific users. Some companies, for example, populate one of the customattributeXX with the O365 license value, so you can configure a rule that does the block part based on the presence of said attribute.

1 Vote 1 · ·

Hello,

thank you very much, we will try.

0 Votes 0 · ·

Did you ever get this to work?

0 Votes 0 · ·