Forum Discussion
RVC
Jan 13, 2023Brass Contributor
Microsoft E5 features
Is there a comprehensive overview of all features which come available if we purchase E5 licenses? Of course, a high-level overview can be found here (Microsoft 365 E5 | Advanced Security 365 | Micro...
RobertCrane
Jan 17, 2023MVP
>>It is required to have every user licensed in the tenant. Is that (still) true?
Yes. 100%.
RVC
Jan 25, 2023Brass Contributor
Hmm, based on the information within: Microsoft 365 Tenant-Level Services
Licensing Guidance
It seems I can scope the capability to only licensed users
quote "Azure Active Directory Identity Protection
Azure Active Directory Identity Protection (AADIP) is a feature of the Azure Active Directory Premium P2 that enables you
to detect potential vulnerabilities affecting your organization’s identities, configure automated responses to detected
suspicious actions that are related to your organization’s identities and investigate suspicious incidents and take
appropriate action to resolve them.
Who is entitled to the service?
Licensed users of Enterprise Mobility + Security E5, Microsoft 365 E5, Microsoft 365 E5 Security, and Azure Active Directory
Premium Plan 2 are entitled to receive the benefit of AADIP.
How is a user benefiting from the service?
SecOps analysts and security professionals benefit from having consolidated views of flagged users and risk events based on machine learning algorithms. End users benefit from the automatic protection provided through risk-based Conditional Access and the improved security posture provided by acting on vulnerabilities.
How is the service provisioned/deployed?
By default, AADIP features are enabled at the tenant-level for all users within the tenant. For information on configuring AADIP, refer to https://docs.microsoft.com/azure/active-directory/identity-protection/enable
How can the service be applied to only users in the tenant that are licensed for the service?
Admins can scope AADIP by assigning risk policies that define the level for password resets and allowing access for licensed users only. Follow the instructions here for scoping AADIP deployments: Configure the sign-in risk policy"
The question is: while I can scope the use of risk-based conditional access to only users that are licensed, the requirements seem to say I need a license for all the TENANT users for Azure AD P2, as risk calculation is performed for all users in the tenant.
This creates confusion, and it also feels like cross-selling practices or even forced-selling practices.
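The scoping that the quoted guidance describes (a sign-in risk policy applied to licensed users only, rather than to the whole tenant) expressed with the Microsoft Graph PowerShell SDK, as an added example that is not part of the thread or of Microsoft's documentation. It assumes the SDK is installed, an account with Conditional Access policy rights, and a placeholder group id that you replace with the group holding your licensed users; policies are created in report-only state.

```powershell
# Added example: build the same sign-in-risk Conditional Access policy twice,
# once for "All" users (tenant-wide, so every user derives the benefit) and
# once scoped to a group of licensed users, then create only the scoped one.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of the group that contains only licensed users
$licensedGroupId = "00000000-0000-0000-0000-000000000000"

function New-RiskPolicyBody {
    param([string]$DisplayName, [hashtable]$Users)
    # Step-up to MFA when Identity Protection rates the sign-in medium/high risk
    return @{
        displayName   = $DisplayName
        state         = "enabledForReportingButNotEnforced"   # report-only first
        conditions    = @{
            users            = $Users
            applications     = @{ includeApplications = @("All") }
            clientAppTypes   = @("all")
            signInRiskLevels = @("medium", "high")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
}

# Tenant-wide assignment: unlicensed users would be protected by the policy too
$tenantWide = New-RiskPolicyBody -DisplayName "Sign-in risk MFA - all users" `
    -Users @{ includeUsers = @("All") }

# Scoped assignment: only members of the licensed-users group are targeted
$scoped = New-RiskPolicyBody -DisplayName "Sign-in risk MFA - licensed users" `
    -Users @{ includeGroups = @($licensedGroupId) }

New-MgIdentityConditionalAccessPolicy -BodyParameter $scoped

# Check: list any existing risk-based policy that still targets "All" users
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.Conditions.SignInRiskLevels.Count -gt 0 -and
    $_.Conditions.Users.IncludeUsers -contains "All"
} | Select-Object DisplayName, State
```

Note that this scopes the Conditional Access enforcement only; as the quoted guidance says, risk detection itself still runs for every user in the tenant.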
RobertCrane
Jan 25, 2023MVP
In short, any user who derives ANY benefits from the features of the service requires a license.
RVC
Mar 07, 2023Brass Contributor
Due to this, users' telemetry will be analyzed, as the telemetry of every user in the tenant is received by Microsoft 365 Defender. How do I automatically filter out all incidents created for nonlicensed users (even if the incidents are true positives and valuable)? I'm not allowed to use it for the users that are not licensed, as then they derive a benefit. But it is not possible for us to buy E5 for all users. Or am I required to license them for AAD P2? Or, the opposite, do not use risk-based conditional access?
From a legal/compliance point of view, it seems I'm forced to at least purchase AAD P2 for the whole tenant. But that is my personal interpretation