Entra Private Access Licensing

Hi, let me explain the situation in a simple way. The Entra ID P1/P2 licenses, along with the Private Access license, are sufficient for the Private Access functionality. However, if you want to use the MS Defender app on an iPad, the device requires a license that covers mobile endpoint protection. In your case, the user also has an Office 365 E3 license, but this does not include the mobile Defender features.

When you try to sign into MS Defender on the iPad, you get the invalid license error because the mobile-specific license is missing (for example, Microsoft Defender for Endpoint Plan 2, which is often included with Microsoft 365 E5 or available as an add-on).

To resolve the issue, you should assign a license that covers Microsoft Defender for Endpoint on mobile devices and ensure that all the enrollment prerequisites (such as integration with Intune, if necessary) are met.