Forum Discussion
User classed as internal or external for Azure AD P2.
Yes, there are still questions. Please understand I am referring specifically about users in tenant (A) accessing resources in tenant (B) as external (guest) users. Note also that the customer owns both tenants. External users would be activating PIM roles to manage Azure resources.
Rahul mentions this: "they might not require an assigned Azure AD P2 license in the separate tenant (B) if they are only accessing resources there as guests." He also comments that I should engage with a Microsoft or a licensing specialist who can provide guidance. Hence my follow-up question.
In this case, are the users from tenant (A) classed as external in tenant (B) and can these external users benefit from the full AAD P2 features, according to this document?
Pricing - Active Directory External Identities | Microsoft Azure
Thanks,
Nick
Where Azure AD P2, specifically PIM, is concerned, are the (A) users classed as external and therefore do not require an assigned AAD P2 license?
As stated in my initial reply to your post, to use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, each tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. Here is the link that I originally provided for your convenience - License requirements to use Privileged Identity Management - Microsoft Entra | Microsoft Learn
This is because for Azure resource roles in Privileged Identity Management (PIM), only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers don't by default have access to view assignments to Azure resource roles in Privileged Identity Management. What is Privileged Identity Management? - Microsoft Entra | Microsoft Learn
"Please understand I am referring specifically about users in tenant (A) accessing resources in tenant (B) as external (guest) users. Note also that the customer owns both tenants."
Yes, I understand that you have multiple tenants under the same organization.
"In this case, are the users from tenant (A) classed as external in tenant (B) and can these external users benefit from the full AAD P2 features, according to this document?
Pricing - Active Directory External Identities | Microsoft Azure"
External Identities is a set of capabilities that enables organizations to secure and manage any external user, including customers and partners.
The link that you provided in your post contains documentation about B2B Collaboration capability of Azure AD External Identities, where you can invite guest users to collaborate with your organization, but you should carefully review the details to understand what B2B Collaboration provides as the information does not mention PIM.
Here is how I found the documentation using your link:
Resource: please find additional links on the tree to the left of the webpage:
If this (or someone else's) reply answers your question, please Accept as the solution to help the other members find it more quickly. Otherwise, please let me know if you need further assistance on this topic.
Regards,
Microsoft CSP Licensing Concierge
- Nick_Beacroft, Jun 18, 2023, Steel Contributor
Thanks for the additional documentation links.
Having read these, B2B collaboration includes entitlement management for invited guest members.
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/external-identities-overview#comparing-external-identities-feature-sets
What is entitlement management? - Microsoft Entra | Microsoft Learn
Entitlement management enables guest users to request and approve access to access packages.
This document also describes the tenant as the licensing boundary.
What is a multi-tenant organization in Azure Active Directory? - Microsoft Entra | Microsoft Learn
Therefore, I have concluded that at least one Azure AD P2 license is required in the non-primary tenant (B) to activate the P2 features.
Users in tenant (A) invited as guest members to tenant (B) may use AAD P2 features as external users, and benefit from the MAU pricing model for external users.