Forum Discussion

Ammar Hasayen
Iron Contributor
Oct 17, 2017

Identity Protection - Risk Based Conditional Access Licensing

I have an enterprise with thousands of users with EMS E3 licenses. The finance department is a critical space, and they have 500 people working in that department.

They want to purchase EMS E5 licenses and assign them to those 500 critical users, to take advantage of conditional access with risk-based protection.

Is this possible? I mean, will purchasing 500 EMS E5 licenses for those users enable risk-based conditional access for them?

  • SamiLamppu
    Brass Contributor

    Hi,

    In my experience, it should work with a Conditional Access policy, targeting the policy to a group which contains the users who have an EMS E5 license.

    Risk based signing was not visible in our tenant until we bought EMS E5 licences. Below are pictures from the tenant before and after the EMS E5 license was purchased.

    • Ammar Hasayen
      Iron Contributor

      Thank you for your reply. Ya, the risk-based factor appears for me too.

      Microsoft announced that this will not work unless all users have an AAD P2 license (part of EMS E5), and that if a portion of the users have that license, risk-based conditional access will not work.

      I would love it if MS could say something here and help us figure this out.

      • SamiLamppu
        Brass Contributor

        Out of curiosity, I tested this scenario with a CA policy so that only my test user had an EMS E5 (P2) license and the other users had EMS E3 (P1). Based on the tests made today, the risk-based CA policy seems to be working as expected. Tested with Tor browser to get the risk-based mechanism to work immediately, with the following options in the policy:

        - grant access with MFA

        - block access totally

        But I agree: if it's officially announced that all users need an AAD P2 license, an opinion from Microsoft would be helpful.

         
